Developing a Risk-Based Approach to Managing 3rd-Party Service Providers with John Coleman, AuditOne

Financial Services Cybersecurity Roundtable

Speaker: John Coleman is a Senior Associate with AuditOne LLC, a firm that provides audit and consulting services to U.S.-based financial institutions. He also provides independent consulting services through his own practice. John has over 30 years of experience as CIO, CISO, IT Director, and Audit Manager for financial services companies in the Los Angeles area. John graduated from The Ohio State University and earned designations as a Certified Information Security Manager (CISM) and Certified Internal Auditor (CIA). John serves on the board of directors of SecureTheVillage and Crystal Stairs, Inc., both nonprofit organizations in Los Angeles. John is passionately committed to promoting cybersecurity awareness and is active as an organizer and speaker for industry events.


Financial institutions and businesses of all sizes are now heavily reliant on outsourcing and third-party vendors to offer world-class services at competitive prices. At the same time, the increased use of third-party services has dramatically altered the cybersecurity landscape and given rise to heightened scrutiny by regulators and the passage of privacy laws to protect consumers. Against this backdrop, it is now essential for banks and other businesses to implement a vendor management program based on the identification and evaluation of third-party risks. Using a risk-based approach, it is possible for banks and other businesses to easily implement a sound, cost-effective vendor management program that is tailored to the budget and risk profile of the business.

What You’ll Learn:

— How to evaluate existing vendors and prioritize management oversight based on the risk profile of each vendor
— How to assess the adequacy of existing risk mitigation controls and determine if controls need to be strengthened
— How to avoid complexity and unnecessary costs in assessing vendor risk
— How to tailor a vendor management program based on assessed risk and the needs of the business
— How to define reasonable requirements for managing third parties throughout the vendor life cycle