Third Party Vendor Risk Management

In this presentation, John Verry (Principal Consultant and ISO 27001 Certified Lead Auditor at Pivot Point Security) offers a thought-provoking and challenging talk on Third Party Vendor Risk Management, originally delivered to an audience of experienced and senior information security professionals from a variety of markets at the CISO Executive Network’s Philadelphia and New York City chapter events.

Outsourcing provides notable rewards, but they don’t come without risk.

The use of cloud computing and outsourced services such as suppliers, hosting and consultants is becoming a common dependency in companies of all sizes, from small businesses to large enterprises. How do you know whether the information you share with them is safe?

“Responsibility isn’t always obvious”

John offers key questions to ask when managing third party vendor risk:

  • What form of testing is suitable for the risks defined?
  • What form of assurance/attestation is best?
  • What direct access/testing is required for incident response/monitoring?
  • What reporting and service level agreements do we need to monitor?