What are the key parts of privacy and security vendor management? What role does a privacy office, a security office, a procurement office, and counsel play in the process? What level of vendor oversight is the government looking for, what level is best practice, and how does an organization focus limited resources to best reduce risk in this area? How important is a right to audit to obtain in contract? How important is it to actually audit vendors (especially with limited resources)? How much credence should be given to independent assessments, such as a SOC 2 report? Should vendors provide documents such as a risk analysis or internal policies to their customers, or does that actually raise more information security concerns than it addresses?

Rebecca Herold, CEO, The Privacy Professor® and CVO & Co-Founder, SIMBUS360
Andrew YsasiExecutive Director, Kent Record Management, Inc.
Stacey Halota, Vice President, Information Security and Privacy at Graham Holdings

Room 301


Q&A: Marcus Ranum chats with Privacy Professor CEO Rebecca Herold: Organizations will be judged by the company they keep, warns Herold. Don’t let third parties skate, when your data security is at risk.


Hiring contractors? 5 areas to check information security practices


ISACA Webinar: An Effective Framework for Third-party Information Security and Privacy Oversight & Risk Management


ITGRC Forum Webinar: “How to Identify and Reduce the Risks of 3rd Party Vendors”


Conference Materials
Stacey Halota
Stacey Halota

Vice President, Information Security and Privacy
Graham Holdings

Rebecca Herold
Rebecca Herold

CEO, The Privacy Professor®
President & Co-Founder, SIMBUS360

Andrew Yassi
Andrew Ysasi

Executive Director
Kent Record Management, Inc.