Supplier Security Governance
A risk and business centric approach
Identify, Scope, Prioritize, Assess, Mitigate, Govern

Who Am I?
Sarah Clarke, BCom (Hons), Lapsed CCNA, Lapsed CISSP
Owner of Infospectives security consultancy and trade blog
16 years in IT & security, 8 years in financial services security, 6 years focused solely on security G, R, and C (governance, risk and compliance)
Specialising in vendor and change security governance, using frontline experience gained designing and implementing frameworks.
infospectives.co.uk
@s_clarke22
https://uk.linkedin.com/in/infospectives
What we'll cover
1. Why care?
2. The challenge
3. What is the risk?
4. Where is the risk?
5. Scope and triage
6. Resource modelling
7. Data management
8. Manageable and residual risk
9. CARDIs and RACIs
10. Key risk indicators
11. Models and methodologies
12. Supply chain complexity
13. Tweaks and tools
14. Management reporting
15. The rest of the lifecycle
16. A better way?
Data breaches
Information is Beautiful interactive map: http://www.informationisbeautiful.net/visualizations/

Service disruption
Black Lotus, March 2015, 129 service providers surveyed: https://www.blacklotus.net/connect/ddos-service-provider-survey/

Breaches & Service Disruptions = Pain
Kinaxis infographic, 4 March 2015: https://www.kinaxis.com/Global/resources/papers/supply-chain-risks-infographic-kinaxis.pdf
The challenge
Against a backdrop of: Cloud; data security law and regulation; newsworthy incidents implicating 3rd parties; CEO 'cyber' focus
Key objectives: Maximise supplier security governance coverage to address as much risk as possible and produce risk relevant reports
[Diagram: the historical governance focus covers the largest (mainly IT) suppliers; the other suppliers are labelled as residual risk]
From cradle to grave
Early Identification > Inherent Risk Assessment > Due Diligence > Contractual Requirements > On-going Governance > Exit Management
Embedding security throughout the supplier lifecycle
The journey
From the status quo to where?
From: Just large IT firms | To: The whole supplier population
From: Reactivity and inconsistency | To: Risk based planning & delivery
From: Inability to evidence coverage | To: The full risk picture
From: Tick box & delivery reports | To: Risk relevant reports
From: Confused responsibilities | To: A well defined risk RACI
Where do you start?
2000+ Suppliers
What are firms doing now?
Kinaxis infographic, 4 March 2015: https://www.kinaxis.com/Global/resources/papers/supply-chain-risks-infographic-kinaxis.pdf
How big an issue is this?
What is the risk?
…
The risk that there will be an incident, caused by poor supplier information security…
…that damages the confidentiality, integrity, and/or availability of confidential data and/or critical systems…
…leading to an intolerable financial, operational and/or reputational impact on the business, its customers, its partners, and/or its shareholders.
What is the risk?
(Matrix from Peter Prevos's 2011 article 'The Risk of Risk Management')

What is the risk?
"If point A is a guesstimate and no meaningful way to measure risk has been plugged in since, the movement towards your target position (let's call it guesstimate B), will be in increments of 'That's enough to keep them happy, but not so much they'll doubt it'"
How is progress with risk mitigation proved?
From blog post 'Schrödinger's Risk', May 2015
What is the target risk position?
How many supplier incidents can you live with per year?
What size incident is tolerable?
How much does an assessment reduce the risk?
(Image: fuzzbones / 123RF Stock Photo)
Tolerate what?!
We know it needs to happen…
Losing data, or having it stolen
Data being seen by the wrong people
Data being messed about with
Online or in-house systems going down
AND
Any third parties you deal with letting any of the above happen
…but there's still this
2000+ Suppliers
Where is the risk?
[Diagram: the supplier population by governance status]
Assessed: compliant / non-compliant
Awaiting assessment: compliant / non-compliant
Awaiting triage: compliant / non-compliant
Unidentified: compliant / non-compliant
Non-compliant, broken down as: High, Medium, Low, Risk Accepted
It's not just about the known knowns
Supplier risk = Inherent risk minus mitigation from compliant controls plus (risk linked to non-compliant controls minus mitigation from compensatory controls)
Where are all the suppliers?
A list, a list, my kingdom for a list
Is there a list?
Is the list complete?
If incomplete, what's missing?
Is the list current?
If current, is it maintained?
Cutting the list down to size
It's a matter of materiality
Critical? WTH is Critical?
Just based on spend
Just based on availability
Based on threats, vulnerabilities, and CIA
It really is…in almost every case…all about the data…
Losing data, or having it stolen
Data being seen by the wrong people
Data being messed about with
External or in-house systems going down
OR one of your many suppliers letting any of the above happen
…and (according to this) employees
[Chart: data from the US Department of Health and Human Services (reporting mandated since 2009 for breaches > 500 records), broken down by state. Partial 2015 data]
Start with inherent risk
Legal, Policy, Regulatory, Risk: Absolute
PCI DSS: Handling payment card data
SOx: Handling financial report data
Policy: Handling Secret data
Policy: RTO for service (<X hrs)
Policy: Dev/Host/Support Ecommerce & data entry websites
Risk: Develop/Test non-COTS software
Legal, Policy, Regulatory, Risk: Conditional
DPA/Policy: Type of non-secret data handled (e.g. PSI, bank a/c)
DPA/Policy: Data handled outside EEA
Risk: RTO for service (X hrs to X days)
Risk: Other branded websites
Risk: Quantity of data handled
Risk: Number of employees
Mandatory vs should: Identifying attractive targets
What do you get?
BOOK OF WORK
ASSESSMENT SCOPE
What you also get
• Means to justify de-scoping decisions
• Rich aggregate data to aid prioritisation and planning
• Data that's easy to refresh
• Data that informs the quality and speed of future incident management
• Data that enables creation of risk relevant reports
• Data that people don't think is worthwhile until you have it, then you end up beating them off with a stick.
Resource Modelling
Building the business case
[Chart: Number of Suppliers (0 to 100) by Post-Triage Inherent Risk Rating / Effort to Assess: Low, Medium, High, Very High]
[Diagram: Resource Model built from the Book of Work (All Suppliers, Suppliers by Category), Effort Per Task and Overheads Per Supplier across the Tasks (Plan / Triage, Assess / Remediate), giving Shortfall / Excess and Options to Flex]

Activity | Per Supplier / Overhead Effort
Scoping / Assessment | Per Supplier
Remediation / Retesting | Per Supplier
New Supplier Due Diligence | Overhead
Triage / Assessment Data Collation | Per Supplier
Remediation Data Collation | Per Supplier
Regular Governance | Per Supplier
Risk Management | Per Supplier
Process Development / Planning | Overhead
Training | Overhead
Stakeholder Management | Overhead
Data management and analysis
Taking the long view to avoid future pain
• Unique identifiers for suppliers and controls
• Structure data to allow for repeat assessment and trend analysis
• Associate data with all relevant stakeholder groups
• Implement change control for scoping decisions
• Log risk acceptance and discretionary re-categorisation decisions
• Build reports to be drillable and assessment output to automatically generate reports
Get a database, and keep viciously fierce control over versions and access: you will live to regret it if you don't
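An added example of the data structure those bullets call for, written for this page rather than taken from the deck: an SQLite schema (Python standard library only) with unique supplier and control identifiers, one row per assessment cycle so repeat assessments accumulate for trend analysis, and a decision log that records who accepted or re-scoped a risk and why. Table names, identifiers, sample rows and dates are all constructed. The two queries turn that history into the figures the later KRI and remediation reporting slides ask for: the open gap trend for one supplier, and the High-severity gaps in each supplier's latest assessment that are neither closed nor formally risk accepted.

```python
"""Supplier governance data store: an added illustration on the standard library only.
Schema, identifiers, sample rows and dates are constructed; none of it is the deck's own tooling."""
import sqlite3

SCHEMA = """
CREATE TABLE supplier (
    supplier_id TEXT PRIMARY KEY,        -- stable unique id, never the trading name
    name TEXT NOT NULL, business_unit TEXT NOT NULL,
    inherent_rating TEXT NOT NULL);      -- triage output: Low / Medium / High / Very High
CREATE TABLE control (
    control_id TEXT PRIMARY KEY,         -- unique id so results line up across cycles
    objective TEXT NOT NULL, weight REAL NOT NULL);
CREATE TABLE assessment (
    assessment_id INTEGER PRIMARY KEY,
    supplier_id TEXT NOT NULL REFERENCES supplier(supplier_id),
    cycle INTEGER NOT NULL, assessed_on TEXT NOT NULL,
    UNIQUE (supplier_id, cycle));        -- repeat assessments are kept, not overwritten
CREATE TABLE control_result (
    assessment_id INTEGER NOT NULL REFERENCES assessment(assessment_id),
    control_id TEXT NOT NULL REFERENCES control(control_id),
    compliant INTEGER NOT NULL CHECK (compliant IN (0, 1)),
    severity TEXT,                       -- High / Medium / Low for an open gap
    PRIMARY KEY (assessment_id, control_id));
CREATE TABLE risk_decision (             -- log of acceptance and re-scoping decisions
    decision_id INTEGER PRIMARY KEY,
    supplier_id TEXT NOT NULL REFERENCES supplier(supplier_id),
    control_id TEXT REFERENCES control(control_id),
    kind TEXT NOT NULL CHECK (kind IN ('risk_accepted', 'descoped', 'recategorised')),
    decided_by TEXT NOT NULL,            -- the named risk owner, not the governance team
    decided_on TEXT NOT NULL, rationale TEXT NOT NULL);
"""

# Open gap count and weighted gap per assessment cycle: the trend for one supplier.
TREND_SQL = """
SELECT a.cycle,
       SUM(CASE WHEN r.compliant = 0 THEN 1 ELSE 0 END) AS open_gaps,
       ROUND(SUM(CASE WHEN r.compliant = 0 THEN c.weight ELSE 0 END), 2) AS weighted_gap
FROM assessment a
JOIN control_result r ON r.assessment_id = a.assessment_id
JOIN control c ON c.control_id = r.control_id
WHERE a.supplier_id = ?
GROUP BY a.cycle ORDER BY a.cycle
"""

# KRI: High gaps in each supplier's latest cycle that are neither closed nor risk accepted.
OPEN_HIGH_SQL = """
SELECT a.supplier_id, r.control_id
FROM control_result r
JOIN assessment a ON a.assessment_id = r.assessment_id
WHERE r.compliant = 0 AND r.severity = 'High'
  AND a.cycle = (SELECT MAX(cycle) FROM assessment WHERE supplier_id = a.supplier_id)
  AND NOT EXISTS (SELECT 1 FROM risk_decision d
                  WHERE d.supplier_id = a.supplier_id AND d.control_id = r.control_id
                    AND d.kind = 'risk_accepted')
ORDER BY a.supplier_id, r.control_id
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory database loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO supplier VALUES (?,?,?,?)", [
        ("S-0001", "Example Hosting Ltd", "Retail", "High"),
        ("S-0002", "Example Payroll Co", "HR", "Medium"),
        ("S-0003", "Example Analytics", "Marketing", "High"),
    ])
    conn.executemany("INSERT INTO control VALUES (?,?,?)", [
        ("AC-01", "Access governance", 5.0),
        ("AC-02", "Access governance", 3.0),
        ("DG-01", "Data governance", 4.0),
    ])
    conn.executemany("INSERT INTO assessment VALUES (?,?,?,?)", [
        (1, "S-0001", 1, "2015-03-01"), (2, "S-0001", 2, "2015-09-01"),
        (3, "S-0002", 1, "2015-04-01"), (4, "S-0003", 1, "2015-05-01"),
    ])
    conn.executemany("INSERT INTO control_result VALUES (?,?,?,?)", [
        (1, "AC-01", 0, "High"), (1, "AC-02", 0, "Medium"), (1, "DG-01", 1, None),
        (2, "AC-01", 1, None),   (2, "AC-02", 0, "Medium"), (2, "DG-01", 1, None),
        (3, "AC-01", 0, "High"), (3, "AC-02", 1, None),     (3, "DG-01", 1, None),
        (4, "AC-01", 0, "High"), (4, "AC-02", 1, None),     (4, "DG-01", 0, "Low"),
    ])
    # The risk owner accepts; the governance function only records the decision.
    conn.execute("INSERT INTO risk_decision VALUES (?,?,?,?,?,?,?)",
                 (1, "S-0002", "AC-01", "risk_accepted", "Head of HR", "2015-04-15",
                  "Contract ends December 2015; exit plan agreed"))
    conn.commit()
    return conn


def gap_trend(conn: sqlite3.Connection, supplier_id: str) -> list:
    """[(cycle, open_gaps, weighted_gap), ...] in cycle order."""
    return [tuple(row) for row in conn.execute(TREND_SQL, (supplier_id,))]


def open_high_gaps(conn: sqlite3.Connection) -> list:
    """[(supplier_id, control_id), ...] still needing a risk owner's decision."""
    return [tuple(row) for row in conn.execute(OPEN_HIGH_SQL)]
```

With the sample rows, `gap_trend(db, "S-0001")` shows the gap closing between cycles, and `open_high_gaps(db)` returns only S-0003: S-0001 fixed its High gap in cycle 2 and S-0002's is logged as accepted by a named owner. Because the decision table carries the owner and rationale, the "who accepted this and why" question that arrives after a breach is answered from the same store that feeds the reports.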
Then it's back to that risk again…
(The risk definition from 'What is the risk?' is repeated on this slide.)
…and those less known knowns
(The 'Where is the risk?' diagram is repeated on this slide: Assessed / Awaiting Assessment / Awaiting Triage / Unidentified suppliers, each compliant or non-compliant, with non-compliance rated High / Medium / Low / Risk Accepted.)
Which risks can you manage?
[Diagram: the supplier population by governance status]
Assessed: compliant / non-compliant
Awaiting triage: compliant / non-compliant
Triaged, awaiting assessment: compliant / non-compliant
Unidentified / engagement blocked: compliant / non-compliant
Non-compliant (assessed): High, Medium, Low, Risk Accepted
Non-compliant (not assessed): ??????
Forewarning and forearming
• Some suppliers are under the radar
• Known suppliers cannot all be assessed with available resource
• Some staff will block engagement
• Some supplier contracts don't include any security requirements or a right to audit
• Embedding a framework, assessment and remediation takes time
• Not all risks can be mitigated
• Risk quantification is an aiming point, not a current reality
• Suppliers will still have breaches, but that doesn't necessarily mean you are getting it wrong
Things for your stakeholders
Forewarning and forearming
• There WILL be nasty surprises in cycles 1 and 2 of activity, but things will incrementally and cumulatively improve.
• Until full coverage of agreed scope is achieved, risk owners formally accept risks linked to unassessed suppliers.
• Risk owners need to adjust risk tolerance levels and/or invest more time and effort to tackle residual risks (e.g. suppliers that cannot be assessed with available resource, blocked engagement / remediation, shadow supply, and risk that cannot be mitigated).
• In other words: suppliers will still have breaches, but that doesn't necessarily mean you are getting it wrong.
Yet more things for your stakeholders
Document and clearly communicate:
• Scope of assessment activity and options to flex
• Potential service constraints, assumptions, dependencies, risks and issues (your CARDI log)
• Promptly and positively escalate issues
• Make constructive use of risk acceptance
• Review risk tolerance regularly
• Ensure all parties understand that governance functions can't accept risks on behalf of the business
Enable constructive collaboration
Security is everyone's responsibility
What kind of RACI is revealed?
[Matrix: the R/A/C/I assignment of each role to each activity]
Roles (columns): Security Governance, Supplier, SRM / Project Sponsor, Procurement, Data Owner, Operational Risk, Risk Owner, Legal
Activities (rows):
• Approve criteria and thresholds for triage and assessment
• Deal with commercial / contractual disputes regarding governance activity
• Complete triage activity
• Update triage information if supplier agreement / service changes
• Facilitate scoping, assessment and remediation meetings with supplier
• Escalate engagement blockages
• Conduct compliance and risk assessments
• Report on compliance and risk status
• Ensure evidence is delivered to support findings
• Provide SME input to support agreement of remedial actions
• Oversee progress with remediation
• Escalate remediation blockages
• Re-assess post remediation to ensure risk mitigated
• Provide control status and risk info for risk acceptance
• Provide business and service specific risk detail for risk acceptance
• Identify risk owners to risk accept
• Accept risks
• Own residual risk of a breach while blockages / risks persist
Pick a methodology
Frameworks & best practice guides including control sets
• PCI DSS
• NIST SP 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
• Cloud Security Alliance governance guidance and Cloud Controls Matrix v3.0
• Information Security Forum (ISF) Supplier Security Evaluation Tool (SSET) and associated guidance
• Cyber Essentials and Cyber Essentials Plus
Frameworks for management
• COBIT
• ISO/IEC 27036 parts 1-4: Information security for supplier relationships
Risk assessment methodologies
• Too many to mention
• Either evidence control design and operation, or take answers at face value.
• Either take a snapshot of security, or test controls over time.
• Either place numerical values on threats, vulnerabilities and resulting potential impact, and place a % against the probability of an incident causing that impact in a given year, or use ordinals and maturity scores.
Many flavours, MANY questions
One approach for all suppliers?
1. Controls need to have an intuitive taxonomy: Risk/Leg/Reg > Control Objective > Control Type > Control. A many to many mapping.
2. Questions must be branched, so a response is only required if relevant.
3. Controls should be weighted to reflect relative effectiveness.
4. Residual risk can be adjusted to reflect inherent supplier risk.
Weighted Control > Compliance Status > Compensatory Control > Residual Risk > Adjust for Inherent Risk
The outcome: when coupled with more detailed supplier information gathered during assessments, this provides justification for risk estimates, and a means to compare assessment outcomes for different suppliers.
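As an added worked example, not code from the deck, the scoring below implements the four points above together with the supplier risk formula from 'Where is the risk?': a small control set with a taxonomy and unique identifiers, branched applicability so a question is only scored when it applies to the supplier, weights for relative effectiveness, compensatory controls that close part of a gap, and a final adjustment for the triage inherent risk rating. The control identifiers, weights, inherent-risk multipliers and the thresholds that map a score onto the deck's Adequate / Minor Improvement / Major Improvement / Inadequate statuses are all assumed. The formula is read as residual = inherent risk minus mitigation from compliant controls minus compensatory mitigation on the non-compliant remainder, and an applicable control with no answer is scored as a full gap.

```python
"""Weighted-control residual risk scoring for a supplier assessment.

Added illustration, not the deck's own tooling: the control set, weights,
inherent-risk multipliers and status thresholds are all assumed values."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Multiplier for the triage inherent-risk rating (assumed scale).
INHERENT_WEIGHT = {"Low": 1.0, "Medium": 2.0, "High": 3.0, "Very High": 4.0}
# Score bands mapped onto the report statuses used in the deck (thresholds assumed).
STATUS_BANDS = [(0.5, "Adequate"), (1.0, "Minor Improvement"), (2.0, "Major Improvement")]


@dataclass(frozen=True)
class Control:
    control_id: str                   # unique identifier for the control
    objective: str                    # taxonomy: the control objective it serves
    weight: float                     # relative effectiveness (assumed 1-5 scale)
    applies_if: Optional[str] = None  # branching: only asked when this supplier flag is set


@dataclass(frozen=True)
class Answer:
    control_id: str
    compliant: bool
    compensating: float = 0.0         # share of the gap closed by a compensatory control (0..1)


# Constructed sample control set; identifiers and weights are illustrative.
CONTROLS = [
    Control("AC-01", "Access governance", 5.0),
    Control("AC-02", "Access governance", 3.0),
    Control("DG-01", "Data governance", 4.0, "handles_confidential_data"),
    Control("DG-02", "Data governance", 2.0, "handles_confidential_data"),
    Control("AV-01", "Availability management", 4.0, "rto_under_24h"),
    Control("MI-01", "Monitoring and incident notification", 3.0),
]


def status_for(score: float) -> str:
    for upper, label in STATUS_BANDS:
        if score < upper:
            return label
    return "Inadequate"


def residual_risk(flags: Dict[str, bool], answers: List[Answer], inherent: str) -> dict:
    """Residual risk = inherent risk minus mitigation from compliant controls minus
    compensatory mitigation on the non-compliant remainder. An applicable control
    with no answer is scored as a full gap (no evidence, so no credit)."""
    by_id = {a.control_id: a for a in answers}
    total = compliant_w = noncompliant_w = compensated_w = 0.0
    gaps = []
    for c in CONTROLS:
        if c.applies_if and not flags.get(c.applies_if, False):
            continue  # branched out: the question is not relevant to this supplier
        total += c.weight
        a = by_id.get(c.control_id)
        if a is not None and a.compliant:
            compliant_w += c.weight
            continue
        comp = min(max(a.compensating if a else 0.0, 0.0), 1.0)
        noncompliant_w += c.weight
        compensated_w += c.weight * comp
        gaps.append((c.control_id, round(c.weight * (1 - comp), 2)))
    if total == 0:
        return {"score": 0.0, "status": "Adequate", "gaps": []}
    inherent_r = INHERENT_WEIGHT[inherent]
    compliant_mit = inherent_r * compliant_w / total
    noncompliant_r = inherent_r * noncompliant_w / total
    compensatory_mit = inherent_r * compensated_w / total
    score = round(inherent_r - compliant_mit - compensatory_mit, 2)
    return {
        "inherent": inherent_r,
        "compliant_mitigation": round(compliant_mit, 2),
        "noncompliant_risk": round(noncompliant_r, 2),  # what the open gaps carry
        "compensatory_mitigation": round(compensatory_mit, 2),
        "score": score,            # noncompliant_risk minus compensatory_mitigation, before rounding
        "status": status_for(score),
        "gaps": gaps,              # (control_id, open weighted gap)
    }


if __name__ == "__main__":
    # Constructed example: a High inherent-risk supplier that handles confidential data.
    sample_flags = {"handles_confidential_data": True, "rto_under_24h": False}
    sample_answers = [
        Answer("AC-01", compliant=True),
        Answer("AC-02", compliant=False, compensating=0.5),
        Answer("DG-01", compliant=False),
        Answer("DG-02", compliant=True),
        # MI-01 left unanswered: no evidence, scored as a full gap
    ]
    print(residual_risk(sample_flags, sample_answers, "High"))
```

Run the file directly to print the breakdown for the constructed supplier. Because each term of the formula is returned separately, a risk owner can see what an accepted gap actually contributes before signing it off, and re-rating the supplier's inherent risk at triage rescales every term without re-running the assessment; the same answers from a Low inherent-risk supplier score a third as much and land in a different status band.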
Complexity and Depth
How do you tackle a long and complex supply chain?
Complexity and Depth
Delegation, certification, or delving deeper?
[Diagram: supply chain tiers: Cloud XaaS, Outsourced Development, Offshore Data Centre, Outsourced Development, Managed Security, Penetration Testing]
[Diagram: governance domains across those tiers: 3rd Party Governance, Data Governance, Availability Management, Access Governance, Monitoring and Incident Notification]
A bit about tools
GRC software monsters and technical assessment
But what IS the target risk position?
How many supplier incidents can you live with per year?
What size incident is tolerable?
How much does an assessment reduce the risk?
(Image: fuzzbones / 123RF Stock Photo)
A two part story with KRIs
Engagement KRIs
• New and existing suppliers are identified and categorised
• New and existing Critical suppliers are assessed by target dates
• Assessment reports are issued promptly
Remediation KRIs
• Risk status for each supplier = Adequate or better
• Risks linked to single control gaps reduced to Low, closed OR formally risk accepted
• Open control gaps remain below thresholds
Management reports
Engagement status & progress
TIP – Carefully manage expectations about 1st outputs. Introducing the process and tackling SRM/supplier concerns can be tough.
TIP – Report percentages not numbers. Scope flexes wildly during initial implementation phases.
[Pie chart of supplier engagement status: segments of 21%, 4%, 8%, 2%, 10%, 13%, 19% and 23%; legend: Out of Scope, Pre-Triage, Pre-Triage Blockage, Very High (Critical), High (Critical), Medium, Low, Triaged & No Assessment Required]
Management reports
Remediation status & progress
[Bar chart: Number of Suppliers by Overall Supplier Risk Status: Adequate, Minor Improvement, Major Improvement, Inadequate]
Status and trends by:
• Business unit
• Control type
• Control gap severity
• Supply type
TIP – Introduce competition to increase engagement:
• Top suppliers
• Top departments
• Top SRMs
• Top Procurement contacts
The bigger procurement picture
How does supplier security governance fit?
Early Identification > Inherent Risk Assessment > Due Diligence > Contractual Requirements > On-going Governance > Exit Management
The bigger governance picture
[Diagram: Supplier Security alongside the functions it touches: Change, Procurement, Legal, Incident Mgmt, IT & Op Risk, Partner Assurance, Audit, Data Protection]
Increase collaboration: Understand stakeholder processes and challenges.
Reduce duplication: Align planned assessments, audits and governance meetings.
Kill 'last gasp' security engagement: Plug triage into the earliest stages of associated processes.
Mature: Less big bang assessment, more continuous monitoring.
Raise security awareness: A natural result of getting this right.
The journey
How did we do?
From: Just large IT firms | To: The whole supplier population
From: Reactivity and inconsistency | To: Risk based planning
From: Inability to evidence coverage | To: The full risk picture
From: Tick box delivery reports | To: Business risk relevant reports
From: Confused responsibilities | To: A well defined risk RACI
Complexity and Depth
A mountain of wasted effort and missed opportunities
A better way?
Future possibilities
• Greater 'cyber' focus, greater budget, greater chance processes can embed and mature
• Consolidation in the cloud market, greater transparency and increasing availability of data tracking, user access, vulnerability, threat, and availability monitoring tools
• No Safe Harbor, so more near-shore hosting
• Insurers standardising control coverage
• Risk quantification improvements

Ähnlich wie Vendor Cybersecurity Governance: Scaling the risk

Risk Management Approach to Cyber Security
Risk Management  Approach to Cyber Security Risk Management  Approach to Cyber Security
Risk Management Approach to Cyber Security Ernest Staats
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Riskpro SCRAY whitepaper
Riskpro SCRAY whitepaperRiskpro SCRAY whitepaper
Riskpro SCRAY whitepaperEdgevalue
 
Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Ollie Whitehouse
 
Ingenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceIngenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceSami Benafia
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksAronson LLC
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskCloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskHealth Catalyst
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessArt Ocain
 
Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511Stan Stahl, PhD
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceSurfWatch Labs
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...PECB
 
Audit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingAudit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingTory Quinton
 
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientHow to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientAccenture Operations
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataSteven Schwartz
 
Deliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data SecurityDeliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data SecuritySPLICE Software
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityJoan Weber
 

Ähnlich wie Vendor Cybersecurity Governance: Scaling the risk (20)

Risk Management Approach to Cyber Security
Risk Management  Approach to Cyber Security Risk Management  Approach to Cyber Security
Risk Management Approach to Cyber Security
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Riskpro SCRAY whitepaper
Riskpro SCRAY whitepaperRiskpro SCRAY whitepaper
Riskpro SCRAY whitepaper
 
Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)
 
Ingenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceIngenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM compliance
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskCloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor Risk
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
 
Audit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingAudit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge Training
 
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientHow to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber Resilient
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk Assessments
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal Data
 
Deliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data SecurityDeliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data Security
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
 

Kürzlich hochgeladen

How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...SOFTTECHHUB
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...Operational Excellence Consulting
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryWhittensFineJewelry1
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsKnowledgeSeed
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOne Monitar
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreNZSG
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersPeter Horsten
 
digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingrajputmeenakshi733
 
Pitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckPitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckHajeJanKamps
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamArik Fletcher
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerAggregage
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesDoe Paoro
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 

Kürzlich hochgeladen (20)

How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applications
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource Centre
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketing
 
Pitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckPitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deck
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon Harmer
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic Experiences
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in Philippines
 

Vendor Cybersecurity Governance: Scaling the risk

  • 1. Supplier Security Governance: A risk and business centric approach. Identify, Scope, Prioritize, Assess, Mitigate, Govern.
  • 2. Who Am I? Sarah Clarke, BCom (Hons), Lapsed CCNA, Lapsed CISSP. Owner of Infospectives security consultancy and trade blog. 16 years in IT & security, 8 years in financial services security, 6 years focused solely on security G, R, and C. Specialising in vendor and change security governance using frontline experience gained designing and implementing frameworks. infospectives.co.uk @s_clarke22 https://uk.linkedin.com/in/infospectives
  • 3. What we'll cover: 1. Why care? 2. The challenge 3. What is the risk? 4. Where is the risk? 5. Scope and triage 6. Resource modelling 7. Data management 8. Manageable and residual risk 9. CARDIs and RACIs 10. Key risk indicators 11. Models and methodologies 12. Supply chain complexity 13. Tweaks and tools 14. Management reporting 15. The rest of the lifecycle 16. A better way?
  • 4. Data breaches. Information is Beautiful interactive map http://www.informationisbeautiful.net/visualizations/
  • 5. Service disruption. Black Lotus, March 2015 – 129 service providers surveyed https://www.blacklotus.net/connect/ddos-service-provider-survey/
  • 6. Breaches & Service Disruptions = Pain. Kinaxis Infographic https://www.kinaxis.com/Global/resources/papers/supply-chain-risks-infographic-kinaxis.pdf – 4 March 2015
  • 7. The challenge. Against a backdrop of: Cloud; Data security law and regulation; Newsworthy incidents implicating 3rd parties; CEO 'cyber' focus. Key objectives: Maximise supplier security governance coverage to address as much risk as possible and produce risk relevant reports. (Diagram labels: Largest (mainly IT) suppliers; Historical Governance Focus; Other Suppliers; Residual Risk)
  • 8. From cradle to grave: Early Identification > Inherent Risk Assessment > Due Diligence > Contractual Requirements > On-going Governance > Exit Management. Embedding security throughout the supplier lifecycle.
  • 9. The journey: From the status quo to where? From: Just large IT firms; Reactivity and inconsistency; Inability to evidence coverage; Tick box & delivery reports; Confused responsibilities. To: The whole supplier population; Risk based planning & delivery; The full risk picture; Risk relevant reports; A well defined risk RACI.
  • 10. Where do you start? 2000+ Suppliers
  • 11. What are firms doing now? Kinaxis Infographic https://www.kinaxis.com/Global/resources/papers/supply-chain-risks-infographic-kinaxis.pdf – 4 March 2015
  • 12. How big an issue is this?
  • 13. What is the risk? ...The risk that there will be an incident, caused by poor supplier information security... that damages the confidentiality, integrity, and/or availability of confidential data and/or critical systems... leading to an intolerable financial, operational and/or reputational impact on the business, its customers, its partners, and/or its shareholders.
  • 14. What is the risk? (Matrix from Peter Prevos's 2011 article: 'The Risk of Risk Management')
  • 15. What is the risk? "If point A is a guesstimate and no meaningful way to measure risk has been plugged in since, the movement towards your target position (let's call it guesstimate B) will be in increments of 'That's enough to keep them happy, but not so much they'll doubt it'." How is progress with risk mitigation proved? From blog post 'Schrödinger's Risk', May 2015
  • 16. What is the target risk position? How many supplier incidents can you live with per year? What size incident is tolerable? How much does an assessment reduce the risk? Tolerate what?! (Image copyright: fuzzbones / 123RF Stock Photo)
  • 17. We know it needs to happen... Losing data, or having it stolen. Data being seen by the wrong people. Data being messed about with. Online or in-house systems going down. AND any third parties you deal with letting any of the above happen.
  • 18. ...but there's still this: 2000+ Suppliers
  • 19. Where is the risk? Supplier populations: Assessed; Awaiting Assessment; Awaiting Triage; Unidentified. Each population splits into Compliant and Non-compliant, and Non-Compliant splits into High, Medium, Low and Risk Accepted. It's not just about the known knowns. Supplier risk = Inherent risk minus mitigation from compliant controls plus (risk linked to non-compliant controls minus mitigation from compensatory controls).
  • 20. Where are all the suppliers? A list, a list, my kingdom for a list. Is there a list? Is the list complete? If incomplete, what's missing? Is the list current? If current, is it maintained?
  • 21. Cutting the list down to size: It's a matter of materiality. Critical? WTH is Critical? Just based on spend; Just based on availability; Based on threats, vulnerabilities, and CIA.
  • 22. It really is... in almost every case... all about the data... Losing data, or having it stolen. Data being seen by the wrong people. Data being messed about with. External or in-house systems going down. OR one of your many suppliers letting any of the above happen.
  • 23. ...and (according to this) employees. Data from the US Department of Health and Human Services (reporting mandated since 2009 for breaches > 500 records), broken down by state. Partial 2015 data.
  • 24. Start with inherent risk. Legal, Policy, Regulatory, Risk (Absolute): PCI-DSS: Handling payment card data; SOx: Handling financial report data; Policy: Handling Secret data; Policy: RTO for service (<X hrs); Policy: Dev/Host/Support Ecommerce & data entry websites; Risk: Develop/Test non-COTS software. Legal, Policy, Regulatory, Risk (Conditional): DPA/Policy: Type of non-secret data handled (e.g. PSI, bank a/c); DPA/Policy: Data handled outside EEA; Risk: RTO for service (X hrs - X days); Risk: Other branded websites; Risk: Quantity of data handled; Risk: Number of employees. Mandatory vs should: Identifying attractive targets.
  • 25. What do you get? BOOK of WORK; ASSESSMENT SCOPE
  • 26. What you also get: • Means to justify de-scoping decisions • Rich aggregate data to aid prioritisation and planning • Data that's easy to refresh • Data that informs the quality and speed of future incident management • Data that enables creation of risk relevant reports • Data that people don't think is worthwhile until you have it, then you end up beating them off with a stick.
  • 27. Resource Modelling: Building the business case. (Chart: Number of Suppliers by Post-Triage Inherent Risk Rating / Effort to Assess, for Low, Medium, High and Very High.) Resource Model: Book of Work (All Suppliers; Suppliers by Category); Effort Per Task (Overheads; Per Supplier Tasks); Plan / Triage; Assess / Remediate; Shortfall / Excess; Options to Flex. Activity (Per Supplier / Overhead Effort): Scoping / Assessment: Per Supplier; Remediation / Retesting: Per Supplier; New Supplier Due Diligence: Overhead; Triage / Assessment Data Collation: Per Supplier; Remediation Data Collation: Per Supplier; Regular Governance: Per Supplier; Risk Management: Per Supplier; Process Development / Planning: Overhead; Training: Overhead; Stakeholder Management: Overhead.
  • 28. Data management and analysis: Taking the long view to avoid future pain. • Unique identifiers for suppliers and controls • Structure data to allow for repeat assessment and trend analysis • Associate data with all relevant stakeholder groups • Implement change control for scoping decisions • Log risk acceptance and discretionary re-categorisation decisions • Build reports to be drillable and assessment output to automatically generate reports. Get a database, and keep viciously fierce control over versions and access – you will live to regret it if you don't.
  • 29. Then  it’s  back  to  that  risk  again… … The  risk  that  there  will  be  an  incident,  caused  by   poor  supplier  information  security… …that  damages  the  confidentiality,  integrity,  and/or   availability  of  confidential  data  and/or  critical   systems… …leading  to  an  intolerable  financial,  operational   and/or  reputational  impact  on  the  business,  it’s   customers,  it’s  partners,  and/or  it’s  shareholders.
  • 30. …and  those  less  known  knowns … Assessed Awaiting Assessment Awaiting  Triage Unidentified • Compliant • Non-­compliant • Compliant • Non-­compliant • Compliant • Non-­compliant • Compliant • Non-­compliant Non-­Compliant High Medium Low Risk  Accepted
  • 31. Which  risks  can  you  manage? Assessed •Compliant •Non-­compliant Awaiting   Triage •Compliant •Non-­compliant Triaged   Awaiting Assessment •Compliant •Non-­compliant Unidentified/   Engagement   Blocked •Compliant •Non-­compliant Non-­Compliant High Medium Low Risk  Accepted Non-­Compliant ??????
  • 32. Forewarning  and  forearming • Some  suppliers  are  under  the  radar • Known  suppliers  cannot  all  be  assessed  with  available  resource • Some  staff  will  block  engagement • Some  supplier  contracts  don’t  include  any  security  requirements  or  a   right  to  audit • Embedding  a  framework,  assessment  and  remediation  takes  time • Not  all  risks  can be  mitigated • Risks  quantification  is  an  aiming  point  not  a  current  reality • Suppliers  will  still  have  breaches,  but  that  doesn’t  necessarily  mean   you  are  getting  it  wrong Things  for  your  stakeholders
  • 33. Forewarning  and  forearming • There  WILL  be  nasty  surprises  in  cycles  1  and  2 of  activity,  but   things  will  incrementally  and  cumulatively  improve. • Until  full  coverage  of  agreed  scope  is  achieved,  risk  owners   formally  accept  risks  linked  to  unassessed  suppliers. • Risk  owners  need  to  adjust  risk  tolerance  levels  and/or  invest   more  time  and  effort  to  tackle  residual  risks  (e.g.  suppliers  that   cannot  be  assessed  with  available  resource,  blocked   engagement  /  remediation,  shadow  supply,  and  risk  that  cannot   be  mitigated).   • In  other  words:  Suppliers  will  still  have  breaches,  but  that   doesn’t  necessarily  mean  you  are  getting  it  wrong. Yet  more  things  for  your  stakeholders
  • 34. Document  and  clearly  communicate:   • Scope  of  assessment  activity  and  options  to  flex • Potential  service  constraints,  assumptions,  dependencies,  risks   and  issues  (your  CARDI  log) • Promptly  and  positively  escalate  issues • Make  constructive  use  of  risk  acceptance. • Review  risk  tolerance  regularly • Ensure  all  parties  understand  that  governance  functions  can’t   accept  risks  on  behalf  of  the  business. Enable  constructive  collaboration
  • 35. Security  is everyone’s  responsibility What  kind  of  RACI  is  revealed?   RACI Security  Governance Supplier SRM  /  Project   Sponsor Procurement Data  Owner Operational  Risk Risk  Owner Legal Approve  criteria  and  thresholds  for  triage  and  assessment Deal  with  commercial  /  contractual  disputes  regarding  governance  activity Complete  triage  activity Update  triage  information  if  supplier  agreement  /  service  changes Facilitate  scoping,  assessment  and  remediation  meetings  with  supplier Escalate  engagement  blockages Conduct  compliance  and  risk  assessments Report  on  compliance  and  risk  status Ensure  evidence  is  delivered  to  support  findings Provide  SME  input  to  support  agreement  of  remedial  actions Oversee  progress  with  remediation Escalate  remediation  blockages Re-­‐assess  post  remediation  to  ensure  risk  mitigated Provide  control  status  and  risk  info  for  risk  acceptance Provide  business  and  service  specific  rick  detail  for  risk  acceptance Identify  risk  owners  to  risk  accept Accept  risks Own  residual  risk  of  a  breach  while  blockages  /  risks  persist.
  • 36. Pick  a  methodology Frameworks   &  Best  Practice  Guides  Including  Control  Sets • PCI  DSS • NIST  800.161  Supply  Chain  Risk  Management   for  Federal  Information  Systems     and  Organisations • Cloud  Security  Alliance  governance  guidance   and  Controls  Matrix  3.0 • International  Security  Forum  Supplier  Security  Evaluation  Tool  (SSET)  and   associated  guidance • Cyber  Essentials  and  Cyber  Essentials+ Frameworks   for  management • COBIT • ISO/IEC  27036:2014   parts  1-­4  Information  security  for  supplier  relationships Risk  assessment   methodologies • Too  many  to  mention • Either  evidence  control  design  and  operation,  or  take  answers  on  face  value.   • Either  take  a  snapshot  of  security,  or  test  controls  over  time.   • Either  place  numerical  values  on  threats,  vulnerabilities,  resulting  potential  impact,   and  place  a  %  against  probability  of  an  incident  causing  that  impact  in  a  given  year,   or  use  ordinals  and  maturity  scores.   Many  flavours,  MANY  questions
• 37. One approach for all suppliers?
1. Controls need to have an intuitive taxonomy: Risk/Leg/Reg > Control Objective > Control Type > Control. A many to many mapping.
2. Questions must be branched, so a response is only required if relevant.
3. Controls should be weighted to reflect relative effectiveness.
4. Residual risk can be adjusted to reflect inherent supplier risk.
Scoring flow: Weighted Control → Compliance Status → Compensatory Control → Residual Risk → Adjust for Inherent Risk
The outcome: when coupled with more detailed supplier information gathered during assessments, this provides justification for risk estimates, and a means to compare assessment outcomes for different suppliers.
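The four points above describe a scoring chain rather than a specific tool, so here is one way to implement it end to end, added as an example rather than the author's own model. Control names, weights, the compliance and inherent-risk scales, and the rating thresholds are all constructed assumptions; the status labels (Adequate, Minor Improvement, Major Improvement, Inadequate) are the ones the deck uses for overall supplier risk status. The example carries the general algorithm: many-to-many control-to-objective mapping, branched-out controls that contribute nothing, compensating-control credit against a gap, and an inherent-risk multiplier applied last.

```python
"""Weighted-control residual risk model (added example, not the author's tool).

Implements the chain on slide 37: weighted control -> compliance status ->
compensatory control -> residual risk -> adjust for inherent supplier risk.
Control names, weights, scales and thresholds are constructed assumptions;
the status labels are the deck's own supplier risk status scale.
"""
from dataclasses import dataclass

# Compliance status -> fraction of the control actually in place (assumed scale).
# None marks a control that was branched out for this supplier.
COMPLIANCE = {"compliant": 1.0, "partial": 0.5, "non-compliant": 0.0, "not-applicable": None}

# Inherent supplier risk multiplies the residual gap (assumed scale).
INHERENT = {"Low": 0.5, "Medium": 1.0, "High": 1.5, "Very High": 2.0}


@dataclass
class Control:
    name: str
    objectives: tuple          # many-to-many: one control can serve several objectives
    weight: int                # relative effectiveness, 1 (weak) .. 5 (strong)
    applicable: bool = True    # branched questions: not every control applies


@dataclass
class Finding:
    status: str                # key of COMPLIANCE
    compensating: float = 0.0  # fraction of the gap covered by a compensating control, 0..1


def control_gap(control, finding):
    """Weighted shortfall for one control after compensating-control credit.

    Returns None when the control is out of scope for this supplier.
    """
    if not control.applicable:
        return None
    in_place = COMPLIANCE[finding.status]
    if in_place is None:
        return None
    credit = min(max(finding.compensating, 0.0), 1.0)
    return control.weight * (1.0 - in_place) * (1.0 - credit)


def residual_risk(controls, findings, inherent):
    """Residual risk per control objective: 0.0 (no gap) .. 1.0 (everything missing),
    scaled by inherent supplier risk and capped at 1.0."""
    gaps, weights = {}, {}
    for c in controls:
        g = control_gap(c, findings[c.name])
        if g is None:
            continue                      # out-of-scope controls carry no weight either
        for obj in c.objectives:
            gaps[obj] = gaps.get(obj, 0.0) + g
            weights[obj] = weights.get(obj, 0) + c.weight
    factor = INHERENT[inherent]
    return {obj: round(min(1.0, factor * gaps[obj] / weights[obj]), 3) for obj in gaps}


def rating(score):
    """Map a residual risk score onto the deck's status scale (thresholds assumed)."""
    if score < 0.1:
        return "Adequate"
    if score < 0.3:
        return "Minor Improvement"
    if score < 0.6:
        return "Major Improvement"
    return "Inadequate"


# Constructed sample control set and assessment findings for one supplier.
CONTROLS = [
    Control("Data encrypted at rest", ("Confidentiality",), weight=4),
    Control("Privileged access reviewed quarterly", ("Confidentiality", "Integrity"), weight=3),
    Control("Tested backup and restore", ("Availability",), weight=5),
    Control("Incident notification within 24h", ("Availability", "Confidentiality"), weight=2),
    Control("Cardholder data segmented", ("Confidentiality",), weight=5, applicable=False),
]
FINDINGS = {
    "Data encrypted at rest": Finding("non-compliant", compensating=0.75),
    "Privileged access reviewed quarterly": Finding("partial"),
    "Tested backup and restore": Finding("compliant"),
    "Incident notification within 24h": Finding("non-compliant"),
    "Cardholder data segmented": Finding("non-compliant"),   # ignored: branched out
}

if __name__ == "__main__":
    for inherent in ("Low", "High"):
        scores = residual_risk(CONTROLS, FINDINGS, inherent)
        print(inherent, {obj: (s, rating(s)) for obj, s in scores.items()})
```

The same findings rate as Minor Improvement for a Low inherent-risk supplier and Inadequate for a High one, which is exactly the comparison across suppliers the slide is after; the per-objective breakdown is what justifies the estimate when a risk owner asks why.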
• 38. Complexity and Depth
How do you tackle a long and complex supply chain?
• 39. Complexity and Depth
Delegation, certification, or delving deeper?
Supply chain layers shown: Cloud XaaS, Outsourced Development, Offshore Data Centre, Outsourced Development, Managed Security, Penetration Testing
Governance areas: 3rd Party Governance, Data Governance, Availability Management, Access Governance, Monitoring and Incident Notification
• 40. A bit about tools
GRC software monsters and technical assessment
• 41. But what IS the target risk position?
• How many supplier incidents can you live with per year?
• What size incident is tolerable?
• How much does an assessment reduce the risk?
Image Copyright: fuzzbones / 123RF Stock Photo
• 42. A two part story with KRIs
Engagement KRIs:
• New and existing suppliers are identified and categorised
• New and existing Critical suppliers are assessed by target dates
• Assessment reports are issued promptly
Remediation KRIs:
• Risk status for each supplier = Adequate or better
• Risks linked to single control gaps reduced to Low, closed OR formally risk accepted
• Open control gaps remain below thresholds
• 43. Management reports
Engagement status & progress
TIP – Carefully manage expectations about 1st outputs. Introducing the process and tackling SRM/supplier concerns can be tough.
TIP – Report percentages not numbers. Scope flexes wildly during initial implementation phases.
Chart values as extracted, in the order shown: 21%, 4%, 8%, 2%, 10%, 13%, 19%, 23%
Chart categories: Out of Scope, Pre-Triage, Pre-Triage Blockage, Very High (Critical), High (Critical), Medium, Low, Triaged & No Assmt Reqd
• 44. Management reports
Remediation status & progress
Overall Supplier Risk Status (number of suppliers): Adequate, Minor Improvement, Major Improvement, Inadequate
Status and trends by:
• Business unit
• Control type
• Control gap severity
• Supply type
TIP – Introduce competition to increase engagement:
• Top suppliers
• Top departments
• Top SRMs
• Top Procurement contacts
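Slides 42 to 44 describe what to measure and how to report it; the following is an added example, not the deck's own reporting code, of computing the engagement and remediation KRIs from a supplier register and reporting them as percentages with their own denominators, plus the status-by-business-unit breakdown. The supplier records, dates and names are constructed sample data, and the report SLA (10 days) and open High-gap threshold (2) are assumed values.

```python
"""Engagement and remediation KRIs with percentage-based management reporting.

Added example, not the deck's own reporting. Supplier records are constructed
sample data; KRI names follow slides 42-44; the report SLA (10 days) and the
open High-gap threshold (2) are assumptions.
"""
from collections import Counter
from datetime import date

CRITICAL = {"Very High (Critical)", "High (Critical)"}
TRIAGED = CRITICAL | {"Medium", "Low", "Triaged & No Assmt Reqd"}


def supplier(name, bu, triage, target=None, assessed=None, report=None,
             risk_status=None, gaps=()):
    """Build one supplier record; gaps are (severity, status) pairs."""
    return {"name": name, "bu": bu, "triage": triage, "target": target,
            "assessed": assessed, "report": report, "risk_status": risk_status,
            "gaps": list(gaps)}


# Constructed sample population (names and dates are invented).
SUPPLIERS = [
    supplier("CloudHost A", "Retail", "Very High (Critical)", date(2015, 3, 31),
             date(2015, 3, 20), date(2015, 3, 25), "Major Improvement",
             [("High", "open"), ("Medium", "closed")]),
    supplier("DevShop B", "Retail", "High (Critical)", date(2015, 3, 31),
             date(2015, 4, 15), date(2015, 4, 30), "Adequate",   # assessed late, reported late
             [("Low", "risk accepted")]),
    supplier("Payroll C", "HR", "Medium"),
    supplier("Stationery D", "HR", "Triaged & No Assmt Reqd"),
    supplier("MSSP E", "IT", "Very High (Critical)", date(2015, 3, 31)),   # overdue, not assessed
    supplier("Courier F", "IT", "Pre-Triage Blockage"),
    supplier("Cleaner G", "HR", "Out of Scope"),
    supplier("Agency H", "Retail", "Pre-Triage"),
]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def triage_breakdown(suppliers):
    """Share of the whole population per triage category (the slide 43 chart)."""
    counts = Counter(s["triage"] for s in suppliers)
    return {k: pct(v, len(suppliers)) for k, v in counts.items()}


def engagement_kris(suppliers, report_sla_days=10):
    """Engagement KRIs from slide 42, each as a percentage of its own denominator."""
    in_scope = [s for s in suppliers if s["triage"] != "Out of Scope"]
    triaged = [s for s in in_scope if s["triage"] in TRIAGED]
    critical = [s for s in in_scope if s["triage"] in CRITICAL]
    on_time = [s for s in critical if s["assessed"] and s["assessed"] <= s["target"]]
    assessed = [s for s in critical if s["assessed"]]
    prompt = [s for s in assessed
              if s["report"] and (s["report"] - s["assessed"]).days <= report_sla_days]
    return {
        "identified_and_categorised_pct": pct(len(triaged), len(in_scope)),
        "critical_assessed_by_target_pct": pct(len(on_time), len(critical)),
        "reports_issued_promptly_pct": pct(len(prompt), len(assessed)),
    }


def remediation_kris(suppliers, max_open_high=2):
    """Remediation KRIs from slide 42: Adequate status, and open gaps against a threshold.

    A gap counts as resolved when closed, formally risk accepted, or reduced to Low.
    """
    assessed = [s for s in suppliers if s["risk_status"]]
    adequate = [s for s in assessed if s["risk_status"] == "Adequate"]
    unresolved = Counter(sev for s in suppliers for sev, status in s["gaps"]
                         if status == "open" and sev != "Low")
    return {
        "risk_status_adequate_pct": pct(len(adequate), len(assessed)),
        "unresolved_gaps_by_severity": dict(unresolved),
        "open_high_within_threshold": unresolved["High"] <= max_open_high,
    }


def status_by(suppliers, key):
    """Overall risk status counts grouped by an attribute such as business unit."""
    out = {}
    for s in suppliers:
        if s["risk_status"]:
            out.setdefault(s[key], Counter())[s["risk_status"]] += 1
    return {k: dict(v) for k, v in out.items()}


if __name__ == "__main__":
    print(triage_breakdown(SUPPLIERS))
    print(engagement_kris(SUPPLIERS))
    print(remediation_kris(SUPPLIERS))
    print(status_by(SUPPLIERS, "bu"))
```

Each KRI uses its own denominator (in-scope suppliers, critical suppliers, assessed suppliers) so the percentages stay meaningful while the population grows during rollout, which is the point of the "report percentages not numbers" tip.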
• 45. The bigger procurement picture
How does supplier security governance fit?
Early Identification → Inherent Risk Assessment → Due Diligence → Contractual Requirements → On-going Governance → Exit Management
• 46. The bigger governance picture
Stakeholders around Supplier Security: Change, Procurement, Legal, Incident Mgmt, IT & Op Risk, Partner Assurance, Audit, Data Protection
• Increase collaboration: understand stakeholder processes and challenges.
• Reduce duplication: align planned assessments, audits and governance meetings.
• Kill 'last gasp' security engagement: plug triage into the earliest stages of associated processes.
• Mature: less big bang assessment, more continuous monitoring.
• Raise security awareness: a natural result of getting this right.
• 47. The journey
How did we do?
From → To
• Just large IT firms → The whole supplier population
• Reactivity and inconsistency → Risk based planning
• Inability to evidence coverage → The full risk picture
• Tick box delivery reports → Business risk relevant reports
• Confused responsibilities → A well defined risk RACI
• 48. Complexity and Depth
A mountain of wasted effort and missed opportunities
• 49. A better way?
Future possibilities
• Greater 'cyber' focus, greater budget, greater chance processes can embed and mature
• Consolidation in the cloud market, greater transparency and increasing availability of data tracking, user access, vulnerability, threat, and availability monitoring tools
• No Safe Harbor so more near-shore hosting
• Insurers standardising control coverage
• Risk quantification improvements