Managing Third Party Risk Effectively
How to Conduct a 3rd Party Vendor Risk Assessment
Prior to Signing your Cloud Hosting Contract
Evan Francen, CEO & Founder of FRSecure
evan@frsecure.com
(877) 960-1814
Thank you to our sponsor!
Speaker Bio: Evan Francen
CONFIDENTIAL | ©2019 CSA MN Chapter 2
• Speaker: CEO & Founder of FRSecure and SecurityStudio (https://www.linkedin.com/in/evanfrancen/)
• Co-inventor of SecurityStudio®, FISA™, FISASCORE® and Vendefense®
• 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s); author of UNSECURITY
• Developed the FRSecure Mentor Program; six students in 2010, 497 in 2019
• Dozens of television and radio appearances; numerous topics
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
Agenda
• Why should you care about your vendors?
• Four approaches to VRM
• Standardize
• Defensible
• Learning Takeaways:
  • Driven by Risk Management Program
  • Part of Contracts & Administration
  • Use SIG LITE or Equivalent
  • Review the MSA Contract for Liabilities
  • Align Risk Accordingly
NOTE: I’m a literal person. If you are too, you might notice “VRM”. Vendor Risk Management (VRM) is not the same as third-party information security risk management (TPISRM). One sort of fits into the other. We’re talking about TPISRM, but for the sake of brevity, we sometimes use VRM and TPISRM synonymously.
BEFORE WE GO MUCH FURTHER…
Why should you care about your vendors?
Most of us have seen the stats…
• 69% of respondents say they definitely or possibly suffered a security breach resulting from vendor access within the last year.
• On average, organizations spent $10 million responding to third-party breaches over a 12-month period in 2016.
• 63% of all cyber attacks could be traced either directly or indirectly to third parties.
• Nearly 97% of respondents said that cyber risk affecting third parties is a major issue.
• Nearly 80% of respondents said they have terminated or would decline a business relationship due to a vendor's cyber security performance.
Sources: Bomgar survey, PwC, Soha Systems, CSO Online
But…
• Only 35% of enterprise security professionals are very confident in knowing the actual number of vendors accessing their systems.
• Only 52% of companies have security standards for third-parties.
• Just 34% know the number of individual log-ins that can be attributed to vendors.
• 1 in 10 organizations has a role specifically dedicated to vendor, third-party or supplier risk.
• No sector reported more than 50% of respondents at a mature level with regard to managing vendor risk.
Sources: Bomgar survey, PwC, Soha Systems, CSO Online
The reality is…
• We’re all tired of statistics and studies.
• Most statistics and studies are commissioned by someone who wants to sell us something.
• There’s a thing called “confirmation bias”.
• We’ve all got 1,000 things on our plate.
• You won’t do anything (significant) about third-party security risk management unless you want to or you’ve been told you have to.
  • You might want to because you understand risk and this is your next significant unacceptable risk (there could be other reasons).
  • You have to because it’s the law (or the interpretation of the law).
You should care, right?
Yes, you should. You should care enough to understand the problem (assuming you have one) and make an educated decision on what, if anything, you plan to do about it.
Figure out your “WHY”.
Doing nothing will imply risk acceptance.
FOUR APPROACHES TO VRM
Where do you fall?
FOUR CATEGORIES OF ORGANIZATIONS
Common issues:
• Several people having to work on VRM
• Knowing who all your vendors are
• Categorizing “high risk” vendors
• Gathering accurate vendor information
• Tracking and acting on results
• Keeping up with scheduling

GOOD – A third-party information risk management program that efficiently manages information security risk.
PARTIAL – Doing something, but missing one or more parts of “information security risk”.
PAINFUL – Doing the best they can with manual processes. Think spreadsheets.
NONE – Not managing third-party information security risk at all.
WHERE DO YOU FALL?
NONE
Several reasons, including:
• You just didn’t/don’t know any better.
• You don’t know where to start.
• You’ve tried before and gave up due to complexity or shifting priorities.
• You don’t see the value in establishing a good third-party information security risk management program.
• You don’t have the time or money.
• Executive leadership does not feel it is a priority.
• Other?
WHERE DO YOU FALL?
PAINFUL
• Trying to do VRM, but it’s painful.
• Want to do the right thing.
• Forced to do it.
• Usually manual, difficult to manage, disruptive and subjective.
• Overall ineffective at managing risk, and defensibility is variable.
• The painful approach is expensive and a waste of valuable resources.
WHERE DO YOU FALL?
PARTIAL
• Only covers part of “information security”.
• Information security is managing risk to information confidentiality, integrity, and availability considering administrative, physical, and technical controls.
• Typically focused on technical controls because they’re easy; however, aren’t people the greatest risk?
• Good at the part it covers, but not likely to address how breaches will occur; partially defensible.
• The partial approach is incomplete and leads to a false sense of security (sometimes worse than no security at all).
WHERE DO YOU FALL?
GOOD
• Rare, but effective and streamlined.
• Doesn’t compromise on our definition of “information security”.
• Simplified – no unnecessary steps; easy-to-follow.
• Standardized – objective, same processes for all third-parties.
• Defensible – logical, organized, objective, auditable and completely effective.
SIMPLIFY
Don’t over-complicate the matter, there are only four steps…
1. Inventory (and inventory management)
  • You’re paying them: existing third-parties.
  • You’re engaging them: new third-parties, procurement.
2. Classify (inherent risk)
  • Risk without control.
  • High, Medium, Low is fine. Don’t waste your time with the low-risk vendors, just cycle them. If you’re doing it right, the ratios (with exceptions) are typically 5/10/85.
3. Assess (residual risk)
4. Decide (risk decisions)
  • Scores and thresholds work best.
  • Accept/Mitigate/Transfer (unlikely)/Avoid
SIMPLIFY
[Diagram: the four steps in order – 1 Inventory, 2 Classify (Low / Medium / High), 3 Assess, 4 Decide]
STANDARDIZE
One-Offs Hurt
STANDARDIZE
• Once we’ve established the standard process, don’t deviate unless it’s absolutely necessary.
• Each deviation from the standard process erodes defensibility.
• If deviations from the standard process must be done, make sure they’re justified, documented and signed off on.
STANDARDIZE
• Big vendors (Microsoft, Google, Amazon, etc.) may not participate in our process; these are common deviations and are exceptions that can easily be explained away should something bad happen.
• Standardization comes through documentation, training, and automation. Every step in the process that can be automated should be automated.
DEFENSIBLE
The True Motivator
Full Transparency: This would be my motivator.
The True Motivation: Defensibility
• Defensibility in your VRM practices is arguably the most significant “why” for doing it in the first place.
• If/when something bad happens, attackers become customers, regulators, opposing counsel, etc.
The True Motivation: Defensibility
• If defensibility is your “why”, ensure that it’s carried out in your “how” and “what”.
Do you have answers to these questions?
• How many vendors do we have? Defensible?
• How many high-risk vendors do we have? Defensible?
• Have you vetted all high-risk vendors? Defensible?
• Non-definitive answers (assumptions, guesses, etc.) are more likely to be indefensible.
Learning Takeaways
Driven by the Risk Management Program.
• You have a risk management program, right?
• Where does third-party information security risk management fit into risk management?
• No two risk management programs are the same, but in general:
  • Third-party information security risk is a subset of:
    • Third-party risk management (in procurement or other), which is a subset of:
      • Supply chain, operational, and/or financial risk management.
    • Information security risk management, which is a subset of:
      • Corporate risk management
Learning Takeaways
Driven by the Risk Management Program.
[Diagram, top to bottom: Corporate Risk Management; Financial Risk, Strategic Risk, Economic Risk, Technology Risk, Regulatory Risk, Operational Risk; Third-Party Risk Management; Third-Party Information Security Risk Management]
Learning Takeaways
What about assessing 3rd-party cloud providers?
• Inventory and inherent risk questions and ratings don’t change (usually).
• Residual risk is where things change, because it’s where controls change.
• The Cloud Security Alliance Consensus Assessments Initiative (CAI)
  • Launched to perform research, create tools, and develop industry partnerships
  • Enable cloud computing assessments
  • Developed the Consensus Assessments Initiative Questionnaire (CAIQ), often pronounced “CAKE”.
• Do residual risk assessment and make decisions before signing contracts or agreements (unless there are stipulations).
This is CSA after all?!
Learning Takeaways
One way to assess cloud providers (High/Medium Risk)
• Check the STAR Registry (https://cloudsecurityalliance.org/star/registry)
  • Based on CAIQv3.01
  • Self-Assessment, Certification, or C-Star (a little more to it than this)
  • Create a scoring methodology or review for KRIs.
    • Not acceptable or not present…
• Use the CSA CAIQ as is or customize:
  • https://cloudsecurityalliance.org/articles/consensus-assessments-initiative-questionnaire-caiq-v-3-review/
  • https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/
  • Develop scoring methodology and/or identify KRIs.
More information about STAR:
https://cloudsecurityalliance.org/star/#_overview
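An added worked example, not from the deck and not FRSecure’s or the CSA’s own tooling: a small Python model of the four steps from the SIMPLIFY slide (Inventory, Classify by inherent risk, Assess residual risk, Decide by score and threshold) combined with the scoring-and-KRI approach this slide describes for cloud providers. The questionnaire items, weights, key risk indicators, tier rules, thresholds and vendors are all constructed for illustration; a real program would take its items from the CAIQ or SIG Lite and its thresholds from the risk management program.

```python
# Added example: the deck's four steps (Inventory -> Classify -> Assess -> Decide)
# with score thresholds and key risk indicators (KRIs). Every questionnaire item,
# weight, threshold, tier rule and vendor below is constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Tier(str, Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"

class Decision(str, Enum):
    ACCEPT = "Accept"
    MITIGATE = "Mitigate"  # onboard only with a documented remediation plan
    AVOID = "Avoid"
    CYCLE = "Cycle"        # low-risk vendor: not assessed, just re-inventoried

# Constructed items as (id, description, weight, key risk indicator). A KRI is a
# control whose absence is never acceptable as-is, whatever the total score.
# A real program takes these from the CAIQ, SIG Lite, or a custom questionnaire.
QUESTIONNAIRE = [
    ("enc", "Customer data encrypted at rest and in transit", 3, True),
    ("mfa", "MFA enforced for administrative access", 3, True),
    ("ir", "Incident notification process with a customer SLA", 2, True),
    ("audit", "Independent audit or certification in the last 12 months", 2, False),
    ("bcp", "Tested backup and business continuity plan", 2, False),
    ("train", "Annual security awareness training for all staff", 1, False),
]

@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool  # confidentiality exposure
    has_system_access: bool       # integrity exposure (access into our systems)
    business_critical: bool       # availability exposure
    answers: Dict[str, str] = field(default_factory=dict)  # id -> yes | no | na

# Assumed thresholds: minimum residual score to accept, per inherent tier, and a
# floor below which the engagement is avoided outright.
ACCEPT_THRESHOLD = {Tier.HIGH: 85, Tier.MEDIUM: 70}
AVOID_FLOOR = 50

def classify_inherent(v: Vendor) -> Tier:
    """Step 2: inherent risk, i.e. risk before considering any vendor control."""
    points = 2 * v.handles_sensitive_data + 2 * v.has_system_access + v.business_critical
    if points >= 3:
        return Tier.HIGH
    return Tier.MEDIUM if points >= 1 else Tier.LOW

def assess_residual(v: Vendor) -> Tuple[int, List[str]]:
    """Step 3: residual score 0-100 (higher is better) plus the failed KRIs."""
    earned = possible = 0
    failed_kris: List[str] = []
    for qid, _text, weight, kri in QUESTIONNAIRE:
        answer = v.answers.get(qid, "no").lower()  # unanswered counts as "no"
        if answer == "na":
            continue                               # N/A leaves the denominator
        possible += weight
        if answer == "yes":
            earned += weight
        elif kri:
            failed_kris.append(qid)
    return (round(100 * earned / possible) if possible else 0), failed_kris

def decide(tier: Tier, score: int, failed_kris: List[str]) -> Decision:
    """Step 4: the floor first, then KRIs, then the tier's acceptance threshold."""
    if tier is Tier.LOW:
        return Decision.CYCLE
    if score < AVOID_FLOOR:
        return Decision.AVOID
    if failed_kris or score < ACCEPT_THRESHOLD[tier]:
        return Decision.MITIGATE
    return Decision.ACCEPT

def run_program(inventory: List[Vendor]) -> Dict[str, Tuple[Tier, Optional[int], List[str], Decision]]:
    """Step 1 is the inventory itself; steps 2-4 run for each vendor in it."""
    results = {}
    for v in inventory:
        tier = classify_inherent(v)
        if tier is Tier.LOW:  # don't spend assessment effort on low-risk vendors
            results[v.name] = (tier, None, [], Decision.CYCLE)
        else:
            score, kris = assess_residual(v)
            results[v.name] = (tier, score, kris, decide(tier, score, kris))
    return results

def tier_counts(results) -> Dict[Tier, int]:
    """A definitive answer to "how many high-risk vendors do we have?"."""
    counts = {t: 0 for t in Tier}
    for tier, *_ in results.values():
        counts[tier] += 1
    return counts

# Constructed inventory of fictional vendors.
SAMPLE_INVENTORY = [
    Vendor("cloud-host", True, True, True, dict.fromkeys(["enc", "mfa", "ir", "audit", "bcp", "train"], "yes")),
    Vendor("payroll-saas", True, False, False, {"enc": "yes", "mfa": "no", "ir": "yes", "audit": "yes", "bcp": "yes", "train": "yes"}),
    Vendor("cafeteria", False, False, False),
    Vendor("legacy-ftp", True, True, False, {"enc": "no", "mfa": "no", "ir": "no", "audit": "na", "bcp": "yes", "train": "yes"}),
]
```

Calling run_program(SAMPLE_INVENTORY) returns one tuple per vendor: cloud-host is High inherent risk, scores 100 and is accepted; payroll-saas is Medium, scores 77 (above the 70 threshold) but still lands on Mitigate because the MFA key risk indicator failed, so a good aggregate score cannot hide a missing control; cafeteria is Low and is simply cycled with no residual assessment, matching the deck’s advice not to spend effort there; legacy-ftp scores 27, below the floor, and is avoided. tier_counts gives the definitive vendor-per-tier numbers the Defensibility slides ask for.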
SIMPLIFY
[Diagram: 1 Inventory, 2 Classify (Low / Medium / High), 3 Assess, 4 Decide]
What’s potentially different for a cloud provider?
SIMPLIFY
[Diagram: the same four steps, with “Cloud” annotations on steps 2 (Classify) and 3 (Assess)]
SIMPLIFY
[Diagram: steps 2 Classify (Low / Medium / High) and 3 Assess for a cloud provider – check the STAR Registry, then assess with the CAIQ or a custom questionnaire, then apply SCORING]
Learning Takeaways
Part of Contracts & Administration
• How will you enforce/demand/request that a third-party comply with your requirements?
• No third-party access/use until contract negotiation is complete.
• Must haves:
  • Risk assessment
  • Right to audit (try exercising it sometime; build the process first)
  • Incident notification and process
Learning Takeaways
Use SIG LITE or Equivalent
• For assessing residual risk.
• 71% of organizations use a custom risk assessment methodology and/or assessment.
• SIG – Shared Assessments – https://sharedassessments.org/sig-faq/
  • Not free.
“Designed to provide a broad but high-level understanding about an Assessee’s internal information security controls. This level is for Assessees that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review.” – Santa Fe Group
Learning Takeaways
Use SIG LITE or Equivalent
• 1,000s of different methodologies and questionnaires.
• Choose one that fits with:
  • Your understanding of risk
  • Your organization’s understanding of risk (risk management program)
  • Efficiency goals
  • Your own due diligence requirements
  • Your regulators’ requirements
• ISO certification, SOC 2, HITRUST, etc. are all common.
• We use the FISASCORE®, now used by more than 1,000 organizations.
• Security Trust Assurance and Risk (STAR) Program: https://cloudsecurityalliance.org/star/#_overview
Learning Takeaways
Review the MSA Contract for Liabilities
• Your Master Service Agreement must be reviewed and squared away prior to using a third-party.
• If you don’t review it, make sure someone who’s qualified does: someone in Legal/Legal Counsel.
Download the Presentation
For a copy of these slides, visit:
https://info.frsecure.com/csa2019
Quick Recap
Covered a lot, but it was all simple.
1. Figure out your WHY. – If you don’t have one, then don’t do anything.
2. Figure out the WHAT.
  • The type of program you build depends on your WHY: Painful, Partial, or Good.
  • Make it SIMPLE.
  • Make it STANDARD.
  • Make it DEFENSIBLE.
3. Figure out the HOW.
  • Details like the specific contract language, questionnaires, scoring, etc.
  • This also feeds back into #2 and #1 above.
Thank you!
@evanfrancen
https://www.linkedin.com/in/evanfrancen/
Thank You for Participating in Today’s Event!
Heads Up! Next Month’s Event is on…
Solving the Data at Rest Confidentiality
Problem:
Encryption vs. Block-Chain
for Cloud Solutions
Next Month’s Curriculum Topic – Provided by CSA Board Member
Learning objectives from Curriculum – Provided by CSA Board Member

Simple Training for Information Security and Payment FraudEvan Francen
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917Evan Francen
 
People. The Social Engineer's Dream - TechPulse 2017
People.  The Social Engineer's Dream - TechPulse 2017People.  The Social Engineer's Dream - TechPulse 2017
People. The Social Engineer's Dream - TechPulse 2017Evan Francen
 
AFCOM - Information Security State of the Union
AFCOM - Information Security State of the UnionAFCOM - Information Security State of the Union
AFCOM - Information Security State of the UnionEvan Francen
 
TIES 2013 Education Technology Conference
TIES 2013 Education Technology ConferenceTIES 2013 Education Technology Conference
TIES 2013 Education Technology ConferenceEvan Francen
 
Mobile Information Security
Mobile Information SecurityMobile Information Security
Mobile Information SecurityEvan Francen
 
Information security challenges in today’s banking environment
Information security challenges in today’s banking environmentInformation security challenges in today’s banking environment
Information security challenges in today’s banking environmentEvan Francen
 
Information Security in a Compliance World
Information Security in a Compliance WorldInformation Security in a Compliance World
Information Security in a Compliance WorldEvan Francen
 
Information Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderInformation Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderEvan Francen
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT IssueEvan Francen
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest riskEvan Francen
 
FRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) ByFRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) ByEvan Francen
 
Meaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisEvan Francen
 
An Introduction to Information Security
An Introduction to Information SecurityAn Introduction to Information Security
An Introduction to Information SecurityEvan Francen
 

Mehr von Evan Francen (20)

WANTED - People Committed to Solving Our Information Security Language Problem
WANTED - People Committed to Solving Our Information Security Language ProblemWANTED - People Committed to Solving Our Information Security Language Problem
WANTED - People Committed to Solving Our Information Security Language Problem
 
Keynote @ ISC2 Cyber Aware Dallas
Keynote @ ISC2 Cyber Aware DallasKeynote @ ISC2 Cyber Aware Dallas
Keynote @ ISC2 Cyber Aware Dallas
 
WANTED – People Committed to Solving our Information Security Language Problem
WANTED – People Committed to Solving our Information Security Language ProblemWANTED – People Committed to Solving our Information Security Language Problem
WANTED – People Committed to Solving our Information Security Language Problem
 
Harrisburg BSides Presentation - 100219
Harrisburg BSides Presentation - 100219Harrisburg BSides Presentation - 100219
Harrisburg BSides Presentation - 100219
 
Step Up Your Data Security Against Third-Party Risks
Step Up Your Data Security Against Third-Party RisksStep Up Your Data Security Against Third-Party Risks
Step Up Your Data Security Against Third-Party Risks
 
Information Security & Manufacturing
Information Security & ManufacturingInformation Security & Manufacturing
Information Security & Manufacturing
 
Simple Training for Information Security and Payment Fraud
Simple Training for Information Security and Payment FraudSimple Training for Information Security and Payment Fraud
Simple Training for Information Security and Payment Fraud
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917
 
People. The Social Engineer's Dream - TechPulse 2017
People.  The Social Engineer's Dream - TechPulse 2017People.  The Social Engineer's Dream - TechPulse 2017
People. The Social Engineer's Dream - TechPulse 2017
 
AFCOM - Information Security State of the Union
AFCOM - Information Security State of the UnionAFCOM - Information Security State of the Union
AFCOM - Information Security State of the Union
 
TIES 2013 Education Technology Conference
TIES 2013 Education Technology ConferenceTIES 2013 Education Technology Conference
TIES 2013 Education Technology Conference
 
Mobile Information Security
Mobile Information SecurityMobile Information Security
Mobile Information Security
 
Information security challenges in today’s banking environment
Information security challenges in today’s banking environmentInformation security challenges in today’s banking environment
Information security challenges in today’s banking environment
 
Information Security in a Compliance World
Information Security in a Compliance WorldInformation Security in a Compliance World
Information Security in a Compliance World
 
Information Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderInformation Security For Leaders, By a Leader
Information Security For Leaders, By a Leader
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT Issue
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest risk
 
FRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) ByFRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) By
 
Meaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk Analysis
 
An Introduction to Information Security
An Introduction to Information SecurityAn Introduction to Information Security
An Introduction to Information Security
 

Kürzlich hochgeladen

RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876dlhescort
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...lizamodels9
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1kcpayne
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel
 
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000dlhescort
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Anamikakaur10
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceDamini Dixit
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...amitlee9823
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 

Kürzlich hochgeladen (20)

RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 

Managing Third-Party Risk Effectively

• 5. Most of us have seen the stats…
CONFIDENTIAL | ©2019 CSA MN Chapter 5
• 69% of respondents say they definitely or possibly suffered a security breach resulting from vendor access within the last year.
• On average, organizations spent $10 million responding to third-party breaches over a 12-month period in 2016.
• 63% of all cyber attacks could be traced either directly or indirectly to third parties.
• Nearly 97% of respondents said that cyber risk affecting third parties is a major issue.
• Nearly 80% of respondents said they have terminated or would decline a business relationship due to a vendor's cyber security performance.
Sources: Bomgar survey, PwC, Soha Systems, CSO Online
• 6. But…
• Only 35% of enterprise security professionals are very confident in knowing the actual number of vendors accessing their systems.
• Only 52% of companies have security standards for third-parties.
• Just 34% know the number of individual log-ins that can be attributed to vendors.
• 1 in 10 organizations has a role specifically dedicated to vendor, third-party or supplier risk.
• No sector reported more than 50% of respondents at a mature level with regard to managing vendor risk.
Sources: Bomgar survey, PwC, Soha Systems, CSO Online
• 7. The reality is…
• We’re all tired of statistics and studies.
• Most statistics and studies are commissioned by someone who wants to sell us something.
• There’s a thing called “confirmation bias”.
• We’ve all got 1,000 things on our plate.
• You won’t do anything (significant) about third-party security risk management unless you want to or you’ve been told you have to.
  • You might want to because you understand risk and this is your next significant unacceptable risk (there could be other reasons).
  • You have to because it’s the law (or the interpretation of the law).
You should care, right? Yes, you should. You should care enough to understand the problem (assuming you have one) and make an educated decision on what, if anything, you plan to do about it. Figure out your “WHY”. Doing nothing will imply risk acceptance.
• 8. FOUR APPROACHES TO VRM
Where do you fall?
• 9. FOUR CATEGORIES OF ORGANIZATIONS
GOOD: A third-party information risk management program that efficiently manages information security risk.
PARTIAL: Doing something, but missing one or more parts of “information security risk”.
PAINFUL: Doing the best they can with manual processes. Think spreadsheets.
NONE: Not managing third-party information security risk at all.
Common issues:
• Several people having to work on VRM
• Knowing who all your vendors are
• Categorizing ‘high risk’ vendors
• Gathering accurate vendor information
• Tracking and acting on results
• Keeping up with scheduling
• 10. WHERE DO YOU FALL? NONE
Several reasons, including:
• You just didn’t/don’t know any better.
• You don’t know where to start.
• You’ve tried before and gave up due to complexity or shifting priorities.
• You don’t see the value in establishing a good third-party information security risk management program.
• You don’t have the time or money.
• Executive leadership does not feel it is a priority.
• Other?
• 11. WHERE DO YOU FALL? PAINFUL
• Trying to do VRM, but it’s painful.
  • Want to do the right thing.
  • Forced to do it.
• Usually manual, difficult to manage, disruptive and subjective.
• Overall ineffective at managing risk, and defensibility is variable.
• The painful approach is expensive and a waste of valuable resources.
• 12. WHERE DO YOU FALL? PARTIAL
• Only covers part of “information security”.
  • Information security is managing risk to information confidentiality, integrity, and availability, considering administrative, physical, and technical controls.
• Typically focused on technical controls because they’re easy; however, aren’t people the greatest risk?
• Good at the part it covers, but not likely to address how breaches will actually occur; partially defensible.
• The partial approach is incomplete and leads to a false sense of security (sometimes worse than no security at all).
• 13. WHERE DO YOU FALL? GOOD
• Rare, but effective and streamlined.
• Doesn’t compromise on our definition of “information security”.
• Simplified – no unnecessary steps; easy to follow.
• Standardized – objective, same process for all third-parties.
• Defensible – logical, organized, objective, auditable and completely effective.
• 14. SIMPLIFY
Don’t over-complicate the matter, there are only four steps…
1. Inventory (and inventory management)
  • You’re paying them: existing third-parties.
  • You’re engaging them: new third-parties, procurement.
2. Classify (inherent risk)
  • Risk without controls.
  • High, Medium, Low is fine. Don’t waste your time with the low-risk vendors, just cycle them. If you’re doing it right, the ratios (with exceptions) are typically 5/10/85 (High/Medium/Low).
3. Assess (residual risk)
4. Decide (risk decisions)
  • Scores and thresholds work best.
  • Accept / Mitigate / Transfer (unlikely) / Avoid
• 15. SIMPLIFY
[Figure: the four steps in sequence, 1 Inventory → 2 Classify (Low / Medium / High) → 3 Assess → 4 Decide]
• 16. STANDARDIZE
One-Offs Hurt
• 17. STANDARDIZE
• Once we’ve established the standard process, don’t deviate unless it’s absolutely necessary.
• Each deviation from the standard process erodes defensibility.
• If deviations from the standard process must be made, make sure they’re justified, documented and signed off on.
• 18. STANDARDIZE
• Big vendors (Microsoft, Google, Amazon, etc.) may not participate in our process; these are common deviations and are exceptions that can easily be explained should something bad happen.
• Standardization comes through documentation, training, and automation. Every step in the process that can be automated should be automated.
• 19. DEFENSIBLE
The True Motivator
Full Transparency: This would be my motivator.
• 20. The True Motivation: Defensibility
• Defensibility in your VRM practices is arguably the most significant “why” for doing it in the first place.
• If/when something bad happens, the attackers become customers, regulators, opposing counsel, etc.
• 21. The True Motivation: Defensibility
• If defensibility is your “why”, ensure that it’s carried out in your “how” and “what”. Do you have answers to these questions?
  • How many vendors do we have? Defensible?
  • How many high-risk vendors do we have? Defensible?
  • Have you vetted all high-risk vendors? Defensible?
• Non-definitive answers (assumptions, guesses, etc.) are more likely to be indefensible.
• 22. Learning Takeaways
Driven by the Risk Management Program.
• You have a risk management program, right?
• Where does third-party information security risk management fit into risk management?
• No two risk management programs are the same, but in general, third-party information security risk is a subset of:
  • Third-party risk management (in procurement or elsewhere), which is a subset of supply chain, operational, and/or financial risk management; and
  • Information security risk management,
  both of which are subsets of corporate risk management.
• 23. Learning Takeaways
Driven by the Risk Management Program.
[Figure: Corporate Risk Management at the top, with Financial Risk, Strategic Risk, Economic Risk, Technology Risk, Regulatory Risk and Operational Risk beneath it; Information Security Risk and Third-Party Risk Management sit under those, and Third-Party Information Security Risk Management is where the two overlap]
• 24. Learning Takeaways
What about assessing 3rd-party cloud providers?
• Inventory and inherent risk questions and ratings don’t change (usually).
• Residual risk is where things change, because it’s where the controls change.
• The Cloud Security Alliance Consensus Assessments Initiative (CAI)
  • Launched to perform research, create tools, and develop industry partnerships.
  • Enables cloud computing assessments.
  • Developed the Consensus Assessments Initiative Questionnaire (CAIQ), often pronounced “CAKE”.
• Do the residual risk assessment and make decisions before signing contracts or agreements (unless there are stipulations). This is CSA after all?!
• 25. Learning Takeaways
One way to assess cloud providers (High/Medium risk)
• Check the STAR Registry (https://cloudsecurityalliance.org/star/registry)
  • Based on CAIQ v3.0.1
  • Self-Assessment, Certification, or C-STAR (a little more to it than this)
  • Create a scoring methodology, or review for KRIs:
    • Not acceptable or not present…
• Use the CSA CAIQ as is or customize:
  • https://cloudsecurityalliance.org/articles/consensus-assessments-initiative-questionnaire-caiq-v-3-review/
  • https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/
  • Develop a scoring methodology and/or identify KRIs.
More information about STAR: https://cloudsecurityalliance.org/star/#_overview
• 26. SIMPLIFY
[Figure: the four steps, 1 Inventory → 2 Classify (Low / Medium / High) → 3 Assess → 4 Decide] What’s potentially different for a cloud provider?
• 27. SIMPLIFY
[Figure: the same four steps, with “Cloud” marked on 2 Classify and 3 Assess]
• 28. SIMPLIFY
[Figure: for a cloud provider, 2 Classify (Low / Medium / High) and 3 Assess change: check the STAR Registry, use the CAIQ or a custom questionnaire, and apply SCORING]
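The scoring-and-threshold flow from slide 14 (classify inherent risk, assess residual risk, decide by score) and the cloud variant from slides 25 and 28 (score a CAIQ-style questionnaire or review it for KRIs) is carried through end to end below as an added example. It is illustrative code written for this page, not code from the slides, FRSecure, SecurityStudio or the CSA: the inherent-risk drivers and weights, the control IDs (not the real CAIQ question numbers), the KRI flags, the acceptance thresholds and the vendor inventory are all assumptions, and the vendor records are constructed sample data.

```python
"""Constructed end-to-end example of the four-step flow (inventory, classify,
assess, decide) applied to cloud providers. Added illustration for this page;
not code from the slides, FRSecure, SecurityStudio or the CSA. Vendor records,
control IDs, weights, KRI flags and thresholds are all assumed."""
from dataclasses import dataclass, field

# --- Step 2: classify inherent risk (risk before controls) -------------------
# Assumed drivers: classification of the data the vendor handles, whether the
# vendor gets access into our network, and how many records are involved.
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

def classify_inherent(data_class: str, network_access: bool, record_count: int) -> str:
    score = DATA_WEIGHT[data_class]
    if network_access:
        score += 2
    if record_count >= 100_000:
        score += 1
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"

# --- Step 3: assess residual risk from a CAIQ-style yes/no questionnaire -----
@dataclass
class Control:
    cid: str           # illustrative IDs, not the real CAIQ question numbers
    text: str
    weight: int
    kri: bool = False  # key risk indicator: a "No" fails the assessment outright

CONTROLS = [
    Control("ENC-01", "Customer data encrypted at rest and in transit", 3, kri=True),
    Control("IAM-01", "MFA enforced for all administrative access", 3, kri=True),
    Control("IR-01", "Customers notified of security incidents within a contractual SLA", 2, kri=True),
    Control("AUD-01", "Independent audit report (e.g. SOC 2 Type II) from the last 12 months", 2),
    Control("BCR-01", "Business continuity plan tested in the last 12 months", 1),
    Control("DATA-01", "Customer data securely deleted at end of contract", 1),
]

def assess_residual(answers: dict) -> tuple:
    """answers maps control ID -> 'Yes' | 'No' | 'NA'.
    Returns (score as a percentage of the applicable weight, list of failed KRIs)."""
    earned = possible = 0
    failed = []
    for c in CONTROLS:
        answer = answers.get(c.cid, "No")   # an unanswered question counts as "No"
        if answer == "NA":
            continue                        # not applicable: drop from the denominator
        possible += c.weight
        if answer == "Yes":
            earned += c.weight
        elif c.kri:
            failed.append(c.cid)
    pct = round(100 * earned / possible) if possible else 0
    return pct, failed

# --- Step 4: decide using a threshold per inherent-risk tier -----------------
THRESHOLDS = {"High": 85, "Medium": 70}   # assumed minimum residual score to accept

def decide(inherent: str, answers: dict) -> dict:
    if inherent == "Low":                   # slide 14: don't assess low-risk vendors, just cycle them
        return {"inherent": inherent, "residual": None, "failed_kris": [], "decision": "Accept"}
    pct, failed = assess_residual(answers)
    if failed:
        decision = "Avoid"                  # a failed KRI cannot be averaged away by the score
    elif pct >= THRESHOLDS[inherent]:
        decision = "Accept"
    else:
        decision = "Mitigate"               # remediation plan / contract terms before signing
    return {"inherent": inherent, "residual": pct, "failed_kris": failed, "decision": decision}

# --- Step 1: inventory (constructed sample vendors) --------------------------
@dataclass
class Vendor:
    name: str
    data_class: str
    network_access: bool
    record_count: int
    answers: dict = field(default_factory=dict)

ALL_YES = {c.cid: "Yes" for c in CONTROLS}
VENDORS = [
    Vendor("CloudHost A", "restricted", True, 500_000, ALL_YES),
    Vendor("CloudHost B", "restricted", False, 200_000, {**ALL_YES, "BCR-01": "No", "DATA-01": "NA"}),
    Vendor("SaaS C", "confidential", True, 10_000, {**ALL_YES, "IAM-01": "No"}),
    Vendor("SaaS E", "confidential", False, 10_000, {**ALL_YES, "AUD-01": "No", "BCR-01": "No", "DATA-01": "No"}),
    Vendor("Newsletter D", "public", False, 0),
]

def run_program(vendors=VENDORS) -> dict:
    """Run all four steps over the inventory; returns {vendor name: decision record}."""
    out = {}
    for v in vendors:
        inherent = classify_inherent(v.data_class, v.network_access, v.record_count)
        out[v.name] = decide(inherent, v.answers)
    return out

if __name__ == "__main__":
    for name, r in run_program().items():
        print(f"{name:14} inherent={r['inherent']:6} residual={r['residual']} "
              f"failed_kris={r['failed_kris']} -> {r['decision']}")
```

Two design points worth keeping whatever questionnaire you settle on: a "No" on a KRI short-circuits to Avoid regardless of the percentage, which is the reason for reviewing for KRIs rather than trusting the score alone; and "NA" answers are removed from the denominator so a provider is not penalised for controls that do not apply, which also means every NA claim needs a reviewer's confirmation, since NA is the easiest answer for an assessee to abuse.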
• 29. Learning Takeaways
Part of Contracts & Administration
• How will you enforce/demand/request that a third-party comply with your requirements?
• No third-party access/use until contract negotiation is complete.
• Must haves:
  • Risk assessment
  • Right to audit (try exercising it sometime; build the process first)
  • Incident notification and process
  • 30. CONFIDENTIAL | ©2019 CSA MN Chapter 30 Learning Takeaways Use SIG LITE or Equivalent • For assessing residual risk. • 71% of organizations use a custom risk assessment methodology and/or assessment. • SIG – Shared Assessments - https://sharedassessments.org/sig-faq/ • Not free. Designed to provide a broad but high-level understanding about an Assessee’s internal information security controls. This level is for Assessees that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review. – Santa Fe Group
• 32. Learning Takeaways
Use SIG LITE or Equivalent
• Thousands of different methodologies and questionnaires.
• Choose one that fits with:
• Your understanding of risk
• Your organization’s understanding of risk (risk management program)
• Efficiency goals
• Your own due diligence requirements
• Your regulators’ requirements.
• ISO certification, SOC 2, HITRUST, etc. are all common.
• We use the FISASCORE®, now used by more than 1,000 organizations.
• Security Trust Assurance and Risk (STAR) Program: https://cloudsecurityalliance.org/star/#_overview
• 34. Learning Takeaways
Review the MSA Contract for Liabilities
• Your Master Service Agreement must be reviewed and squared away prior to using a third party.
• If you don’t review it, make sure someone who is qualified does: someone in Legal/Legal Counsel.
• 35. Download the Presentation
For a copy of these slides, visit: https://info.frsecure.com/csa2019
• 36. Quick Recap
Covered a lot, but it was all simple.
1. Figure out your WHY.
– If you don’t have one, then don’t do anything.
2. Figure out the WHAT.
• The type of program you build depends on your WHY: Painful, Partial, or Good.
• Make it SIMPLE.
• Make it STANDARD.
• Make it DEFENSIBLE.
3. Figure out the HOW.
• Details like the specific contract language, questionnaires, scoring, etc.
• This also feeds back into #2 and #1 above.
Thank you!
@evanfrancen
https://www.linkedin.com/in/evanfrancen/
• 37. Thank You for Participating in Today’s Event!
• 38. Heads Up! Next Month’s Event is on…
Solving the Data at Rest Confidentiality Problem: Encryption vs. Block-Chain for Cloud Solutions
Next Month’s Curriculum Topic – Provided by CSA Board Member
Learning objectives from Curriculum – Provided by CSA Board Member