Blog
Great, yet another blog talking about the need to get ready for the European Union’s General Data Protection Regulation (GDPR). Wouldn’t it be nice if, just once, someone really helped me deal with GDPR instead of reminding me of all the work I must do? Well, folks, I’m here to do just that.

Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide to or share with your vendors, whether that data is covered by GDPR, and if so, what requirements are associated with that type of data. Vendor contracts must be modified to include new language that defines the vendor’s role. Since most vendors will fall under the definition of a Data Processor, their responsibilities will be defined by Article 28 of GDPR (however, it is possible to be both a Data Processor and a Data Controller). I could continue with a litany of issues you’ll be faced with, but that would just add to your problems rather than help you solve them.

As I type the words of my very first blog, the weight of writing a blog worthy of your reading is heavy on my mind. You may have seen my name or watched one of my presentations where I hoped to influence companies to move away from compliance checklists toward adopting shareable third-party assessment techniques.

Yet this blog isn’t about me. It’s about how third-party risk continues to crawl towards an economic approach across all industries.

My passion in life and career is to help companies resolve the snail’s pace of evolution from the vast frameworks and methodologies used across the globe to standardized third-party risk governance using a flexible model for all companies, large and small. We all know that third-party governance is supposed to minimize risk in a fast-paced, changing cyber landscape. It is beyond my comprehension why companies fail to understand that identifying and managing risk is necessary to minimize risk, especially when we allow third parties to handle our most sensitive data.

We are continuing to learn more about the breach at Larson Studios, which resulted in the release of 10 episodes of Orange Is The New Black (OITNB) as well as other titles from Netflix, ABC, CBS, and Disney. While the analysis of the event in Variety provides insight into the devastating effects of a ransomware event, it fails to provide insight into how this could have been prevented.

Until quite recently, only banks really focused on third-party risk issues, due to regulatory requirements. They were then joined by healthcare providers as their regulators began to require robust third-party practices as well. Most recently, insurance companies have joined the ranks of the third-party risk conscious, along with other firms whose boards and senior management recognize the risks that third-party service providers create through unauthorized access to customer data and company networks. However, the Larson Studios incident reinforces the fact that assessing data protection and IT security controls at vendors isn’t just for industries whose regulators require such programs.

On June 7th, the OCC issued a welcome update to the 2013 Guidance on how to manage third-party relationships (OCC Bulletin 2017-21). While much of the guidance provides insight into how to address issues related to fintech companies, there are several key areas that have received little, if any, previous formal comment from the OCC. This first in a series of blogs will address an area of the Guidance that will substantially improve the TPRM process.

Security professionals are a smart, resilient group. Whether they are dealing with the constant barrage of threats from hackers, software vulnerabilities, privacy concerns, or compliance activities, security professionals are generally in a constant state of learning from on-the-job experience, technical books, journals, and conferences. However, I have often wondered how many security professionals have an opportunity to reach the C-suite. Certainly, the CISO position has increased in importance and relevance over the last several years, but I am not sure it is a path to the CEO role. There is also no generally accepted reporting structure for the CISO – is this a technical position reporting to the CIO, a financial position reporting to the CFO, or a strategic position with a line to the Board?