Vendor Management Professional


Vendor Management Professional
Certified Community Banking
Vendor Management Professional™
Class Description
The Certified Community Banking Vendor
Management Professional™ is a hands-on certification
course that provides students with a unique
combination of lecture and lab activities, leading to a
truly engaging learning experience. The lectures and
labs are organized in an easy-to-understand format
and presented in a concise, logical structure that
helps to reinforce the lesson. Each lecture includes
a live demonstration and concludes with a hands-on
Although the pace of the course is quick, no prior
third-party management experience is necessary.
The Certified Community Banking Vendor
Management Professional™ provides attendees with
a solid foundation of theory and understanding of the
third party management process, as well as plenty
of hands-on experience in selecting and managing
vendor relationships, reviewing documentation,
asking the right questions, and helping attendees
make decisions regarding the risk of third party
vendors, service providers, and outsourced business
Course Topics
Vendor Breaches, Laws, and Regulation
• Why do all this vendor management?
• Trends
□ Technology trends
□ Increase in outsourcing
□ Breaches
• Legal & Regulatory Overview
Information Security Program & Risk Assessment
• What does an ISP look like?
□High-Level Components of an ISP
• Risk Assessment
□How to tie Vendors to IT Asset Risk
□Incorporate Risk Assessment into the Vendor
Selection process
□Incorporate Risk Assessment into the Ongoing
Management process
Course Topics Continued...
Selection of Vendors
• Types of Vendors
□ Vendors (hard/software)
□Technology Service Providers (hosted stuff)
□ Business partners
□Down-stream partners (retailers)
• Models to Manage 3PM Risk
• Processes
□ Risk Assessment
□ Contracts Reviews
□ Identify Costs
□ Check References
□ Categories of Industry
□ Cost/Benefit Analysis
Ongoing Vendor Management
• Risk-rating vendor levels
•Tie Ongoing Vendor Management to IT Risk
• Ongoing Due Diligence
• Contract Review
• Final Risk Rating
Creating a Vendor Management Program
• Policy and Procedure
• Roles & Responsibilities
• Reporting
• Tie it into the ISP
•Tie to Emergency Preparedness
• Tie it into ERM
• Measuring the Program
Contract Structuring
•What should you look for in contracts?
•What to do if something isn’t in a contract that
should be?
Audit & Exam Prep
•How do you assess your Third Party Management
• Internal IT Audit
• External IT Audit
•Preparing for IT Examination or External IT Audit
The course requires a basic understanding of
computers. Please be sure to bring along a laptop or
tablet, so that you may interact with the hands-on
labs. Additionally, please bring along a sample thirdparty contract, as well as an example of an audited
financial document (External Audit or SSAE-16
Report). You will be provided with sanitized sample
copies of these reports, should you wish to forego
brining your own documentation, but if you do choose
to bring sample documentation from your institution,
you can use these hands-on labs to perform actual
Third Party Management on one of your own vendors.
Who Should Attend
As more and more technologies, applications,
and data is outsourced, additional third party
management requirements have been outlined by
regulators, and the detail and frequency of third party
management has seemingly increased every year.
More and more data is being stored, transmitted,
and processed outside of the financial institution, and
while institutions can outsource the work, they cannot
outsource the responsibility for protecting confidential
customer information.
Anyone that lives and breathes Compliance or
Information Technology at small to medium-sized
financial institutions will benefit from this course,
particularly those who have gone through the Third
Party Management process and have struggled to
build a comprehensive and valuable program, or
professionals who are new to vendor management
and are looking to learn about the process. Because
this course requires very few prerequisites, it is ideal
for beginners. However the course pace is fast, and
the knowledge is cumulative. Upon the completion
of this course, attendees will have fundamental
and practical understanding of how to select and
manage third parties at their institution that not
only provides real value to the institution and helps
to make decisions, but also builds the foundation
for a repeatable and comprehensive Third Party
Management process going forward.
Hardware/Software Requirements
• Your laptop
• Your favorite Internet browser
• Sample third party contract
•Sample third party audit documentation
(External IT Audit or SSAE-16 Report)
How the Course is Delivered
Consumers will complete courses by watching online
video/audio presentations. There will be a series of
7 modules to complete. Each module will contain a
presentation, quiz, and a homework assignment.
Once all 7 modules have been completed there will be
a final exam that will need to be completed to earn
the certification.
Instructor - Jon Waldman
Jon Waldman, Partner and Senior
Information Security Consultant
for Secure Banking Solutions, LLC,
is a Certified Information Systems
Auditor (CISA) and Certified in Risk
and Information Systems Control
(CRISC) who received his Bachelor
of Science in Computer Information
Systems with a minor in Business Administration
from Dakota State University and his Master of
Science in Information Assurance with an emphasis
in Banking and Finance Security from Dakota State
University. Jon is also a co-founder of SBS, and
over the last eight years, has helped hundreds
community banks across the country create and
implement comprehensive, valuable, and manageable
Information Security Programs. It's his goal to save
the world, one community bank at a time!
Contact the SBS Institute for more information.
(605) 923-8722 