
Philadelphia Third Party Risk Management 2011

CISO EXECUTIVE NETWORK

Third Party Risk Management Breakfast Roundtable

Thursday, March 10, 2011

8:00 am - 12:00 noon

Reed Smith

Speakers

Steven Roosa, Reed Smith

Peter Stern, IBM

Angie Singer Keating, Reclamere

John Verry, PivotPoint Security

Member Discussion Leader

Chet Davis, Campbell Soup Company


Philadelphia Chapter Member Chet Davis on Third Party Risk Management

Campbell Soup Company works with approximately 75 vendors, the majority of which provide Software as a Service (SaaS).

Chet Davis, Chief Information Security Officer, says that every third party that hosts a service or manages the company's data outside of the corporate environment has to go through a series of risk management processes.

“The first step is the completion of a ‘vendor hosting questionnaire.’ The VHQ contains six pages of questions to help us understand the control processes that they have in place over our data,” Chet explains.

Step two is to request a copy of the Type 2 SAS 70 report that was performed on the hosting provider. Step three is a meeting with the third party to discuss the responses on the questionnaire. Step four is an on-site review, performed only for those companies that will be hosting Personally Identifiable Information. Finally, step five is to attach the questionnaire responses to the contract.

Chet works with the company's IT, Vendor Management, Procurement and Legal groups when it comes to risk management of third parties. Currently, he says, the only tools he uses are those that his team has created.

Even with this thorough process, Chet says there are still challenges to an effective third party risk management policy.

“One of the challenges is being engaged in the vendor selection early enough in the process,” he says. “Two or three years ago, we were rarely involved until after a vendor had been selected or sometimes even after a contract had been signed. That has improved, however, and we are now involved many times when a set of vendors is being evaluated. Getting the business function that owns these relationships to be engaged in the process and having enough resources are other challenges we face.”

So what advice does Chet have for other CISO Executive Network members?

“Make sure you get the business function that owns the relationship with the vendors involved with your process,” he says. “This helps to ensure that they have involvement with the evaluation and that it isn’t just your group making the final decision on whether to proceed or not proceed.”

Chet Davis is Chief Information Security Officer with the Campbell Soup Company. He has more than 9 years of IT security management experience and over 15 years of audit and control experience in a variety of industries, including insurance and financial services. Before joining Campbell, he was Manager of IT Audit for Commonwealth Land/Title Insurance Company.

Attachment: CISO EXECNET PHL MAR 10 TPRM PRESO.pdf (23.6 MB)