[Slide 1] CSV Working Party Update
PRISME Meeting, 23rd May 2012
Richard F Shakour – Merck
Frank Gorski – Pfizer

[Slide 2] Agenda – CSV Working Party
• CSV Working Party
• Vendor Assessment
• Vendor Assessment/Audit Framework
• Inefficiencies/Problems
• Potential Solutions
• Vendor Compliance Assessment Service (VCAS)
• Overview of VCAS Phases
• Benefits & Potential Return On Investment
• Proposal & Next Steps

[Slide 3] PRISME CSV Working Party
Background: The CSV Working Party was formed during the last PRISME Meeting in Cambridge, Massachusetts at BiogenIdec, Oct 2011.
CSV Working Party – various industry SMEs in attendance:
Name – Company
• Sid Senroy – BiogenIdec
• Bernd Doetzkies – Daiichi Sankyo
• Ron Fitzmartin – Decision Analytics (now with FDA)
• Jonathan Helfgott – FDA
• Uwe Trinks – Foresight Group
• Glyn Williams – IDBS
• Richard Shakour – Merck
• Volker Erat – Novartis
• Ulrik Jørgensen – Novo Nordisk
• Alan Polack – Oracle
• Cynthia Senerchia – Oracle
• Frank Gorski – Pfizer
• Christopher John McElroy – Pfizer
• Rocco B. Timpano – Pfizer
• John Wise – PRISME Forum
• Susan Marino – Roche
• Susan Fantoni – Sanofi-Aventis

[Slide 4] PRISME CSV Working Party
Objective: To streamline and optimize (and where feasible harmonize) the vendor audit/assessment process across the industry and vendor community, thereby reducing cycle time, decreasing unit cost and increasing coverage.
Frequency: Bi-weekly meetings.
Obstacles: There was a delay in members obtaining local (legal) approval to share specific vendor assessment details and, in some cases, even to attend the CSV Working Party meetings.
Status in providing vendor assessment / attendance:
Name – Company – Status
• Sid Senroy – BiogenIdec – Not provided / did not attend
• Bernd Doetzkies – Daiichi Sankyo – Presented
• Uwe Trinks – Foresight Group – Provided
• Glyn Williams – IDBS – Provided
• Richard Shakour – Merck – Presented
• Volker Erat – Novartis – Not provided / did not attend
• Ulrik Jørgensen – Novo Nordisk – Presented
• Alan Polack – Oracle – Not provided / did not attend (conflicting meeting)
• Frank Gorski – Pfizer – Presented
• Susan Marino – Roche – Not provided / did not attend
• Susan Fantoni – Sanofi-Aventis – Presented
Some membership concerns.

[Slide 5] Harmonization of Vendor Assessments
As part of the bi-weekly CSV Working Party meetings, various companies provided information and/or presented on their vendor assessment processes.
Vendor Assessments – Common Categories:
• Security/Access Controls
• Compliance
• Infrastructure
• Data Integrity
• Privacy/Confidentiality
• Availability of information/procedures/policies/training
Observations:
• Vendor assessment questions seem to be very similar between the various companies.
• The questionnaires can potentially be harmonized.

[Slide 6] Common Vendor Assessment Framework
Problem:
• Extensive questionnaires/assessments place a burden on both vendor and auditing groups.
• Expectations are not defined for completing a vendor assessment.
Proposed Solution(s)*:
• Establish vendor assessment harmonization and defined expectations/criteria.
• Establish Vendor Risk Management / Vendor Profiling.
Problem:
• Culture-based vs. risk-based approach to conducting vendor audits.
• Onsite audits are frequently conducted, with high associated costs and effort.
Proposed Solution(s)*:
• Establish robust vendor data collection and vendor risk profiling, leveraging vendor desktop/remote reviews vs. onsite audits.
Assessment flow (diagram):
Vendor Assessment Sent to Vendor → Evaluation of Results from Vendor Assessment →
  – High/Medium Risk: Audit Required → Audit Approved (Major/Minor/Improvement) or Audit Not Approved → Follow-Up Action / Re-Audit
  – Low/No Risk: Audit Is Not Required / Optional
* The PRISME CSV Working Party discovered that the Pfizer/PwC VCAS tool (or similar) could be utilized to implement the solutions detailed above. The VCAS tool and potential ROI are discussed in the following slides.

Contents – Vendor Compliance Assessment Service
• Introduction
• Vendor Audit Methods
• Process Overview
• Benefits

[Slide 7] Problem Statement – Vendor Environment at Pfizer
Problem: Pfizer operates a complex business which requires the use of vendor services. Outsourcing and information security have been identified as the top concerns within the industry.
• Quantity & Diversity of Vendors: BT 500+; pan-Pfizer 50,000+; diverse range of services provided
• Increased Outsourcing: 'in house' tasks now being performed by outside companies
• Rapid Pace of Delivery: timescales for project/service implementation reduced
• Information Security: increasing sensitivity of the information or data processed/held by business partners
• Global Interdependence
Solution: Conduct vendor audits & assessments to understand, mitigate or accept risks from vendors.

[Slide 8] Prior Vendor Audit Methods
Old Method: Onsite vendor audits were conducted to mitigate risks from utilizing vendor services or business partners.
Traditional onsite audits required 2-3 days onsite and 5-6 days of offsite activity, therefore:
• 500 vendors = 1,000 man-days of audit = 3+ years for a full-time team
• 5,000 vendors = 10,000 man-days of effort = 30+ years of effort (a team of 20+ for 3 to 5 years!)
Old vendor audit method = $20K-$25K per audit plus travel costs*
• Approximately 50 audits/year => $1M+ annual spend
• 500 audits => $10 million+/year
Due to the volume and diversity of Pfizer's vendors, this traditional method is no longer sustainable from a workload and cost perspective.
* Illustrative example, not meant to represent actual Pfizer cost.

[Slide 9] New Vendor Audit/Assessment Methods
New Method: Risk assessments or evaluations of vendors are conducted using a spectrum of review based on the entity's estimated risk. This method is a more efficient use of resources and will provide an appropriate risk assessment.
[Chart: Spectrum of Review. Horizontal axis: Review Method; vertical axes: Amount of Effort & Cost, and Quantities. Methods on the spectrum: VOA – Onsite audits; VDR – Remote assessments (telephone/WebEx); VDR – Remote assessments (documentation reviews with vendor); VDR – Reviews of existing reports (e.g. SAS 70, SSAE 16); VCA – Self-assessments; No Action. The chart's percentage labels (100%, 79%, 15%, 10, 3%, 2%, 0%) cannot be matched to individual methods in this extraction.]

[Slide 10] VCAS Scope
Who We Look At – Types of Audits:
• Software
• Data centres
• IT hardware
• Suppliers hosting Pfizer data
• Suppliers accessing Pfizer data
• Outsourced services, e.g. helpdesks (usually processing or holding Pfizer data, including non-BT activity)
• Mixed scenarios, e.g. where a supplier uses Pfizer processes and their own processes outside the Pfizer environment
What We Look For – Risk or Regulatory Areas Covered:
• GMP, GLP, GCP, GDP
• ERES (Part 11)
• Sarbanes-Oxley
• Privacy – general, not country specific
• IT security (logical)
• Physical security
• PDMA
• HIPAA
• PCI
• Others (by request)
VCAS Does Not:
• Test functionality of software
• Perform intrusive technical testing, e.g. penetration testing
• Install any software into supplier environments
• Review vendor financials

[Slide 11] VCAS Phases
The VCAS process consists of 3 phases:
• Profile: Information is collected from the requestor to develop a vendor profile.
• Assess: Information provided by the vendor (questionnaires or documents) is analyzed against expectations, and the level of compliance is reported back to the requestor.
• Review & Decide (Business): The business group leverages the VCAS assessment to determine next steps.
Next we will look at each phase in detail.

[Slide 12] Phases (diagram)
1. Profile
• Vendor Data Collection: Business Sponsor; Previous Assessments; Vendor contacts; Contracts
• Preliminary Entity Profiling
• Preliminary Service Profiling
• Preliminary Vendor Risk Profile and Rating
• Output: Assessment Type; Assessment Scope
2. Assess
• VCAS Processes: VOA, VCA, VDR
• Technical Security Assessment
• Assessment Report
• Remediation and Re-assessment
• VCAS Report: Inherent Risk Rating and Score; Residual Risk Rating and Score
3. Review and Decide
• Business Action: Accept; Share / Transfer; Reduce
• Periodic Review

[Slide 13] Profile Phase: Components of the Vendor Risk Profile
The Vendor Risk Profile is made up of an Entity Profile and a Service Profile (max score 100 each; percentages depict approximate category weighting).
Entity Profile:
• Experience & size etc. (20%)
• Familiarity to Pfizer, including contract status (40%)
• Prior Reviews (40%)
Service Profile:
• Service Operation – Service Scope (15%), Service Type (15%)
• Data & Information – Data Access (10%), Data Sensitivity (20%)
• Availability – Availability Impact (10%), Uptime Req. (5%)
• Regulatory / Legal – SOX, GxP, PCI, SPI, HIPAA (25%)

[Slide 14] Profile Phase: Output (example 1)
[Chart: scatter plot with Entity Profile (0-100) on the vertical axis and Service Profile (0-100) on the horizontal axis, with points plotted for "Vendor A & Service Z" and "Vendor A & Service Y".]

[Slide 15] Benefits of VCAS
[Chart: Cost Benefits of VCAS – Annual Budget*: $X, $X+10%, $X+10%, $X]
* Excludes PwC investment to build the VCAS framework.

[Slide 16] General Benefits of VCAS Program
• Enhanced Selection and Management of BT Suppliers – provides awareness of the compliance status of vendors
• BT visibility into the state of compliance of vendors – allows BT to see reports & responses with quantitative analysis within an Automated Risk Tool
• Periodic Vendor Monitoring – initiated throughout the engagement of BT suppliers based on vendor service or risk
• A Variety of Methods for Vendor Evaluation – via vendor self-assessment and remote assessment (audit), appropriate to the services and risks presented by engagement of those vendors
• Establishment of a Preferred List of Vendors – aligned to Pfizer IT control domains, thus further reducing administrative costs associated with numerous vendor engagements

[Slide 17] Proposal & Next Steps
1. The CSV Working Party will meet after the PRISME Members meeting (23rd May) to review minutes/feedback received (~June 2012).
2. The CSV Working Party recommends that PRISME Members/Delegates attend a presentation on the VCAS model provided by PwC and Pfizer (~June 2012).
3. PRISME Members to decide whether to pursue local adoption of the VCAS model or similar. If favorable, the CSV Working Party (or delegates) will work independently to obtain local stakeholder approval and support (~June-July).
4. The CSV Working Party will meet to discuss progress on potential local adoption of the VCAS model (~Jul-Aug).
5. Review progress on the adoption of the VCAS model or similar at the PRISME Members' Meeting (~Oct 2012, US).
6. Post Oct 2012 – leveraging potentially shared vendor profiles/assessments (across industry) (dependent on steps 3-5).
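As an added example, not code from the slides nor from Pfizer, PwC or the PRISME working party, the following Python turns the Profile-phase weighting from the "Components of the Vendor Risk Profile" slide into a scoring function and maps the result onto the "Spectrum of Review". Only the category weights are taken from the deck; the 0..100 rating scale, the "higher = riskier" convention, the tier thresholds in REVIEW_TIERS, the rule that the riskier of the two profiles drives the review tier, and the sample ratings for "Vendor A & Service Z" are assumptions made for illustration.

```python
"""Weighted vendor risk profile scoring, in the shape of the VCAS Profile phase.

Added example; not Pfizer's, PwC's or the PRISME working party's code. The
category weights come from the "Components of the Vendor Risk Profile" slide.
The 0..100 input scale, the "higher = riskier" convention, the review-tier
thresholds and the max() combination rule are assumptions for illustration.
"""

# Entity profile weights (max score 100), from the slide.
ENTITY_WEIGHTS = {
    "experience_and_size": 0.20,
    "familiarity_to_sponsor": 0.40,  # "Familiarity to Pfizer", includes contract status
    "prior_reviews": 0.40,
}

# Service profile weights (max score 100), from the slide.
SERVICE_WEIGHTS = {
    "service_scope": 0.15,        # Service Operation
    "service_type": 0.15,         # Service Operation
    "data_access": 0.10,          # Data & Information
    "data_sensitivity": 0.20,     # Data & Information
    "availability_impact": 0.10,  # Availability
    "uptime_requirement": 0.05,   # Availability
    "regulatory_legal": 0.25,     # SOX, GxP, PCI, SPI, HIPAA
}

# Assumed mapping from the higher of the two profile scores to a point on the
# "Spectrum of Review" (these thresholds are NOT on the slides).
REVIEW_TIERS = (
    (70.0, "VOA - onsite audit"),
    (45.0, "VDR - remote assessment"),
    (20.0, "VCA - self-assessment"),
    (0.0, "No action"),
)


def weighted_score(subscores, weights):
    """Return the 0..100 weighted score for one profile.

    Every category in `weights` must be present in `subscores` as a 0..100
    risk rating (assumption: higher means riskier). Unknown and missing keys
    are rejected so a typo in a category name cannot silently drop a weight.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 100%")
    unknown = set(subscores) - set(weights)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    missing = set(weights) - set(subscores)
    if missing:
        raise ValueError(f"missing categories: {sorted(missing)}")
    for name, value in subscores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name}: rating {value!r} outside 0..100")
    return round(sum(weights[k] * subscores[k] for k in weights), 1)


def entity_score(subscores):
    return weighted_score(subscores, ENTITY_WEIGHTS)


def service_score(subscores):
    return weighted_score(subscores, SERVICE_WEIGHTS)


def review_method(entity, service):
    """Assumed rule: the riskier of the two profiles selects the review tier."""
    driver = max(entity, service)
    for threshold, method in REVIEW_TIERS:
        if driver >= threshold:
            return method
    return REVIEW_TIERS[-1][1]


def vendor_risk_profile(vendor, service, entity_subscores, service_subscores):
    """Build the record a requestor would get back: both scores and the tier."""
    e = entity_score(entity_subscores)
    s = service_score(service_subscores)
    return {
        "vendor": vendor,
        "service": service,
        "entity_profile": e,
        "service_profile": s,
        "review_method": review_method(e, s),
    }


# Constructed sample ratings for "Vendor A & Service Z" (not real data).
SAMPLE_ENTITY = {
    "experience_and_size": 50,
    "familiarity_to_sponsor": 80,
    "prior_reviews": 90,
}
SAMPLE_SERVICE = {
    "service_scope": 40,
    "service_type": 60,
    "data_access": 80,
    "data_sensitivity": 90,
    "availability_impact": 50,
    "uptime_requirement": 20,
    "regulatory_legal": 100,
}

if __name__ == "__main__":
    # Expected: entity 78.0, service 72.0, review tier "VOA - onsite audit"
    print(vendor_risk_profile("Vendor A", "Service Z", SAMPLE_ENTITY, SAMPLE_SERVICE))
```

The two scores correspond to the axes of the "Profile Phase: Output" scatter chart; each vendor/service pair lands at one point, and the assumed tier rule decides how far along the Spectrum of Review that pair is sent. The strict key checks matter in practice: a questionnaire that omits a category (for example the regulatory/legal rating, which carries 25% of the service weight) should fail loudly rather than produce an artificially low risk score.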