An overview of the scale of the challenge and rational ways to cut it down to a manageable and governable size. The slides complement recent supplier security governance posts on Infospectives.co.uk and LinkedIn.
2. Who Am I?
Sarah Clarke, BCom (Hons), Lapsed CCNA, Lapsed CISSP
Owner of Infospectives security consultancy and trade blog
16 years in IT & security, 8 years in financial services security, 6 years focused solely on security G, R, and C
Specialising in vendor and change security governance, using frontline experience gained designing and implementing frameworks.
infospectives.co.uk
@s_clarke22
https://uk.linkedin.com/in/infospectives
3. What we’ll cover
1. Why care?
2. The challenge
3. What is the risk?
4. Where is the risk?
5. Scope and triage
6. Resource modelling
7. Data management
8. Manageable and residual risk
9. CARDIs and RACIs
10. Key risk indicators
11. Models and methodologies
12. Supply chain complexity
13. Tweaks and tools
14. Management reporting
15. The rest of the lifecycle
16. A better way?
5. Service disruption
Black Lotus, March 2015 – 129 service providers surveyed https://www.blacklotus.net/connect/ddos-service-provider-survey/
6. Breaches & Service Disruptions = Pain
Kinaxis Infographic https://www.kinaxis.com/Global/resources/papers/supply-chain-risks-infographic-kinaxis.pdf – 4 March 2015
7. The challenge
Against a backdrop of: cloud; data security law and regulation; newsworthy incidents implicating 3rd parties; CEO ‘cyber’ focus.
Key objectives: maximise supplier security governance coverage to address as much risk as possible, and produce risk relevant reports.
Diagram: the historical governance focus has been the largest (mainly IT) suppliers; the other suppliers are residual risk.
8. From cradle to grave
Early Identification > Inherent Risk Assessment > Due Diligence > Contractual Requirements > On-going Governance > Exit Management
Embedding security throughout the supplier lifecycle
9. The journey
From the status quo to where?
From
• Just large IT firms
• Reactivity and inconsistency
• Inability to evidence coverage
• Tick box & delivery reports
• Confused responsibilities
To
• The whole supplier population
• Risk based planning & delivery
• The full risk picture
• Risk relevant reports
• A well defined risk RACI
11. What are firms doing now?
Kinaxis Infographic https://www.kinaxis.com/Global/resources/papers/supply-chain-risks-infographic-kinaxis.pdf – 4 March 2015
13. What is the risk?
…The risk that there will be an incident, caused by poor supplier information security…
…that damages the confidentiality, integrity, and/or availability of confidential data and/or critical systems…
…leading to an intolerable financial, operational and/or reputational impact on the business, its customers, its partners, and/or its shareholders.
14. What is the risk?
(Matrix from Peter Prevos’s 2011 article: ‘The Risk of Risk Management’)
15. What is the risk?
“If point A is a guesstimate and no meaningful way to measure risk has been plugged in since, the movement towards your target position (let’s call it guesstimate B), will be in increments of ‘That’s enough to keep them happy, but not so much they’ll doubt it’”
How is progress with risk mitigation proved?
From blog post ‘Schrödinger’s Risk’, May 2015
16. What is the target risk position?
How many supplier incidents can you live with per year?
What size incident is tolerable?
How much does an assessment reduce the risk?
Copyright: fuzzbones / 123RF Stock Photo
Tolerate what?!
17. We know it needs to happen…
• Losing data, or having it stolen
• Data being seen by the wrong people
• Data being messed about with
• Online or in-house systems going down
AND
• Any third parties you deal with letting any of the above happen
19. Where is the risk?
Diagram: the supplier population by state: Assessed, Awaiting Assessment, Awaiting Triage, Unidentified. Each state splits into Compliant and Non-compliant; non-compliant risk is rated High, Medium, Low or Risk Accepted.
It’s not just about the known knowns
Supplier risk = Inherent risk minus mitigation from compliant controls plus (risk linked to non-compliant controls minus mitigation from compensatory controls)
20. Where are all the suppliers?
A list, a list, my kingdom for a list
• Is there a list?
• Is the list complete?
• If incomplete, what’s missing?
• Is the list current?
• If current, is it maintained?
21. Cutting the list down to size
It’s a matter of materiality
Critical? WTH is Critical?
Just based on spend
Just based on availability
Based on threats, vulnerabilities, and CIA
22. It really is…in almost every case…
all about the data…
• Losing data, or having it stolen
• Data being seen by the wrong people
• Data being messed about with
• External or in-house systems going down
OR one of your many suppliers letting any of the above happen
23. …and (according to this) employees
Data from the US Department of Health and Human Services (reporting mandated since 2009 for breaches > 500 records), broken down by state. Partial 2015 data.
24. Start with inherent risk
Absolute (Legal, Policy, Regulatory, Risk)
• PCI-DSS: Handling payment card data
• SOx: Handling financial report data
• Policy: Handling Secret data
• Policy: RTO for service (<Xhrs)
• Policy: Dev/Host/Support Ecommerce & data entry websites
• Risk: Develop/Test non-COTS software
Conditional (Legal, Policy, Regulatory, Risk)
• DPA/Policy: Type of non-secret data handled (e.g. PSI, bank a/c)
• DPA/Policy: Data handled outside EEA
• Risk: RTO for service (Xhrs - Xdays)
• Risk: Other branded websites
• Risk: Quantity of data handled
• Risk: Number of employees
Mandatory vs should: Identifying attractive targets
25. What do you get?
Diagram: a Book of Work, i.e. the assessment scope.
26. What you also get
• Means to justify de-scoping decisions
• Rich aggregate data to aid prioritisation and planning
• Data that’s easy to refresh
• Data that informs the quality and speed of future incident management
• Data that enables creation of risk relevant reports
• Data that people don’t think is worthwhile until you have it, then you end up beating them off with a stick.
27. Resource Modelling
Building the business case
Bar chart: number of suppliers (0 to 100) by post-triage inherent risk rating / effort to assess (Low, Medium, High, Very High)
Resource Model: Book of Work (all suppliers, suppliers by category) x Effort Per Task and Overheads Per Supplier, giving Shortfall / Excess and Options to Flex
Tasks: Plan / Triage; Assess / Remediate
Activity (per supplier / overhead effort):
• Scoping / Assessment Per Supplier
• Remediation / Retesting Per Supplier
• New Supplier Due Diligence Overhead
• Triage / Assessment Data Collation Per Supplier
• Remediation Data Collation Per Supplier
• Regular Governance Per Supplier
• Risk Management Per Supplier
• Process Development / Planning Overhead
• Training Overhead
• Stakeholder Management Overhead
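A worked triage and resource model for the scoring described in slides 24 to 27, as an added example that is not from the deck: absolute triggers force the ‘Very High (Critical)’ rating, conditional triggers accumulate points, and the resulting book of work is costed against available resource. The point thresholds, the RTO values (the slides give them only as X) and the effort figures per rating are all assumptions.

```python
from dataclasses import dataclass

# Constructed policy thresholds; the slide shows them only as <Xhrs / Xhrs-Xdays.
RTO_ABSOLUTE_HRS, RTO_CONDITIONAL_HRS = 4, 72
RATINGS = ["Very High (Critical)", "High (Critical)", "Medium", "Low", "Triaged & No Assmt Reqd"]
# Assumed person-days per rating (Effort Per Task), per-supplier triage overhead, fixed overheads.
EFFORT_DAYS = dict(zip(RATINGS, [12.0, 8.0, 4.0, 2.0, 0.0]))
TRIAGE_DAYS, FIXED_OVERHEAD_DAYS = 0.5, 40.0

@dataclass
class Supplier:
    name: str
    card_data: bool = False        # PCI-DSS: handles payment card data
    sox_data: bool = False         # SOx: handles financial report data
    secret_data: bool = False      # Policy: handles Secret data
    rto_hrs: int = 0               # service RTO in hours; 0 = no RTO commitment
    data_entry_site: bool = False  # develops/hosts/supports an ecommerce or data-entry site
    non_cots_dev: bool = False     # develops or tests non-COTS software
    personal_data: tuple = ()      # non-secret data types handled, e.g. ("PSI", "bank a/c")
    outside_eea: bool = False      # data handled outside the EEA
    branded_site: bool = False     # other branded website
    records: int = 0               # quantity of data handled
    employees: int = 0

def triage(s: Supplier) -> str:
    """Absolute triggers force the top rating; conditional ones accumulate points."""
    if any([s.card_data, s.sox_data, s.secret_data, s.data_entry_site,
            s.non_cots_dev, 0 < s.rto_hrs < RTO_ABSOLUTE_HRS]):
        return RATINGS[0]
    score = 2 * len(s.personal_data) + 2 * s.outside_eea + s.branded_site
    score += (RTO_ABSOLUTE_HRS <= s.rto_hrs <= RTO_CONDITIONAL_HRS)
    score += (s.records > 10_000) + (s.employees > 250)
    bands = [(4, RATINGS[1]), (2, RATINGS[2]), (1, RATINGS[3])]
    return next((r for floor, r in bands if score >= floor), RATINGS[4])

def book_of_work(suppliers) -> dict:
    """Suppliers per post-triage rating: the assessment scope and the bar chart."""
    counts = {r: 0 for r in RATINGS}
    for s in suppliers:
        counts[triage(s)] += 1
    return counts

def resource_model(suppliers, capacity_days: float) -> dict:
    """Required effort versus available resource; a negative shortfall is excess."""
    counts = book_of_work(suppliers)
    required = FIXED_OVERHEAD_DAYS + TRIAGE_DAYS * len(suppliers)
    required += sum(EFFORT_DAYS[r] * n for r, n in counts.items())
    return {"required_days": required, "capacity_days": capacity_days,
            "shortfall_days": required - capacity_days}
```

Changing the effort figures or capacity is the ‘options to flex’ step: re-run `resource_model` to see what the shortfall becomes.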
28. Data management and analysis
Taking the long view to avoid future pain
• Unique identifiers for suppliers and controls
• Structure data to allow for repeat assessment and trend analysis
• Associate data with all relevant stakeholder groups
• Implement change control for scoping decisions
• Log risk acceptance and discretionary re-categorisation decisions.
• Build reports to be drillable and assessment output to automatically generate reports
Get a database, and keep viciously fierce control over versions and access – you will live to regret it if you don’t
29. Then it’s back to that risk again…
…
The risk that there will be an incident, caused by poor supplier information security…
…that damages the confidentiality, integrity, and/or availability of confidential data and/or critical systems…
…leading to an intolerable financial, operational and/or reputational impact on the business, its customers, its partners, and/or its shareholders.
30. …and those less known knowns
…
Diagram (as on slide 19): the supplier population by state: Assessed, Awaiting Assessment, Awaiting Triage, Unidentified. Each state splits into Compliant and Non-compliant; non-compliant risk is rated High, Medium, Low or Risk Accepted.
31. Which risks can you manage?
Diagram: Assessed (Compliant / Non-compliant); Awaiting Triage (Compliant / Non-compliant); Triaged, Awaiting Assessment (Compliant / Non-compliant); Unidentified / Engagement Blocked (Compliant / Non-compliant). Non-compliant risk for assessed suppliers is rated High, Medium, Low or Risk Accepted; non-compliant risk in every other state is unknown (??????).
32. Forewarning and forearming
• Some suppliers are under the radar
• Known suppliers cannot all be assessed with available resource
• Some staff will block engagement
• Some supplier contracts don’t include any security requirements or a right to audit
• Embedding a framework, assessment and remediation takes time
• Not all risks can be mitigated
• Risk quantification is an aiming point, not a current reality
• Suppliers will still have breaches, but that doesn’t necessarily mean you are getting it wrong
Things for your stakeholders
33. Forewarning and forearming
• There WILL be nasty surprises in cycles 1 and 2 of activity, but things will incrementally and cumulatively improve.
• Until full coverage of agreed scope is achieved, risk owners formally accept risks linked to unassessed suppliers.
• Risk owners need to adjust risk tolerance levels and/or invest more time and effort to tackle residual risks (e.g. suppliers that cannot be assessed with available resource, blocked engagement / remediation, shadow supply, and risk that cannot be mitigated).
• In other words: Suppliers will still have breaches, but that doesn’t necessarily mean you are getting it wrong.
Yet more things for your stakeholders
34. Document and clearly communicate:
• Scope of assessment activity and options to flex
• Potential service constraints, assumptions, dependencies, risks and issues (your CARDI log)
• Promptly and positively escalate issues
• Make constructive use of risk acceptance
• Review risk tolerance regularly
• Ensure all parties understand that governance functions can’t accept risks on behalf of the business.
Enable constructive collaboration
35. Security is everyone’s responsibility
What kind of RACI is revealed?
RACI roles: Security Governance; Supplier SRM / Project Sponsor; Procurement; Data Owner; Operational Risk; Risk Owner; Legal
Activities:
• Approve criteria and thresholds for triage and assessment
• Deal with commercial / contractual disputes regarding governance activity
• Complete triage activity
• Update triage information if supplier agreement / service changes
• Facilitate scoping, assessment and remediation meetings with supplier
• Escalate engagement blockages
• Conduct compliance and risk assessments
• Report on compliance and risk status
• Ensure evidence is delivered to support findings
• Provide SME input to support agreement of remedial actions
• Oversee progress with remediation
• Escalate remediation blockages
• Re-assess post remediation to ensure risk mitigated
• Provide control status and risk info for risk acceptance
• Provide business and service specific risk detail for risk acceptance
• Identify risk owners to risk accept
• Accept risks
• Own residual risk of a breach while blockages / risks persist.
36. Pick a methodology
Frameworks & Best Practice Guides Including Control Sets
• PCI DSS
• NIST SP 800-161 Supply Chain Risk Management for Federal Information Systems and Organisations
• Cloud Security Alliance governance guidance and Controls Matrix 3.0
• International Security Forum Supplier Security Evaluation Tool (SSET) and associated guidance
• Cyber Essentials and Cyber Essentials+
Frameworks for management
• COBIT
• ISO/IEC 27036:2014 parts 1-4 Information security for supplier relationships
Risk assessment methodologies
• Too many to mention
• Either evidence control design and operation, or take answers on face value.
• Either take a snapshot of security, or test controls over time.
• Either place numerical values on threats, vulnerabilities, resulting potential impact, and place a % against probability of an incident causing that impact in a given year, or use ordinals and maturity scores.
Many flavours, MANY questions
37. One approach for all suppliers?
1. Controls need to have an intuitive taxonomy: Risk/Leg/Reg > Control Objective > Control Type > Control. A many to many mapping.
2. Questions must be branched, so a response is only required if relevant.
3. Controls should be weighted to reflect relative effectiveness.
4. Residual risk can be adjusted to reflect inherent supplier risk.
Weighted Control > Compliance Status > Compensatory Control > Residual Risk > Adjust for Inherent Risk
The outcome: when coupled with more detailed supplier information gathered during assessments, this provides justification for risk estimates, and a means to compare assessment outcomes for different suppliers.
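The weighted-control pipeline on this slide and the supplier risk formula on slide 19, as an added example that is not from the deck: each control carries a weight, a branch condition, a compliance status and a compensatory-control credit; gaps roll up to control objectives, and the total is scaled by the supplier’s inherent risk rating and mapped to the Adequate to Inadequate statuses used in the management reports. The multipliers, status bands, control identifiers and sample controls are all assumptions.

```python
from dataclasses import dataclass

# Assumed scales: inherent-risk multipliers, and residual-score bands for the deck's statuses.
INHERENT_FACTOR = {"Very High": 1.5, "High": 1.25, "Medium": 1.0, "Low": 0.75}
STATUS_BANDS = ((2.0, "Adequate"), (5.0, "Minor Improvement"), (10.0, "Major Improvement"))

@dataclass
class Control:
    cid: str
    weight: float                    # relative effectiveness (assumed scale 1..5)
    objectives: tuple                # control objectives it maps to (many-to-many)
    branch: str = ""                 # profile key; the question is only asked if it is true
    compliant: "bool | None" = None  # None = not yet assessed
    compensating: float = 0.0        # share (0..1) of the gap offset by a compensatory control

def is_applicable(c: Control, profile: dict) -> bool:
    return not c.branch or bool(profile.get(c.branch))  # branching: ask only if relevant

def control_gap(c: Control) -> float:
    """Weighted residual for one non-compliant control after compensatory credit."""
    if c.compliant is not False:
        return 0.0
    return c.weight * (1.0 - min(max(c.compensating, 0.0), 1.0))

def residual_risk(controls, profile: dict, inherent_rating: str) -> float:
    gaps = sum(control_gap(c) for c in controls if is_applicable(c, profile))
    return gaps * INHERENT_FACTOR[inherent_rating]  # adjust for inherent risk

def gaps_by_objective(controls, profile: dict) -> dict:
    out = {}  # roll gaps up the taxonomy so reports can trend by control type
    for c in controls:
        if is_applicable(c, profile) and control_gap(c) > 0:
            for obj in c.objectives:
                out[obj] = out.get(obj, 0.0) + control_gap(c)
    return out

def risk_status(score: float) -> str:
    for limit, label in STATUS_BANDS:  # anything above the last band is Inadequate
        if score <= limit:
            return label
    return "Inadequate"

# Constructed sample assessment for one supplier (not real control data).
SAMPLE_PROFILE = {"handles_card_data": True, "hosts_in_cloud": False}
SAMPLE_CONTROLS = [
    Control("AC-01", 5, ("Access Governance",), compliant=True),
    Control("AC-02", 3, ("Access Governance", "Data Governance"), compliant=False, compensating=0.5),
    Control("PCI-03", 4, ("Data Governance",), branch="handles_card_data", compliant=False),
    Control("CL-01", 4, ("Availability Management",), branch="hosts_in_cloud", compliant=False),
]
```

The same supplier answers score differently at different inherent ratings, which is the justification for a risk estimate the slide refers to, and the per-objective roll-up is what a drillable report sits on.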
39. Complexity and Depth
Delegation, certification, or delving deeper?
Supply types: Cloud XaaS; Outsourced Development; Offshore Data Centre; Managed Security; Penetration Testing
Governance areas: 3rd Party Governance; Data Governance; Availability Management; Access Governance; Monitoring and Incident Notification
40. A bit about tools
GRC software monsters and technical assessment
41. But what IS the target risk position?
How many supplier incidents can you live with per year?
What size incident is tolerable?
How much does an assessment reduce the risk?
Image Copyright: fuzzbones / 123RF Stock Photo
42. A two part story with KRIs
Engagement KRIs
• New and existing suppliers are identified and categorised
• New and existing Critical suppliers are assessed by target dates
• Assessment reports are issued promptly
Remediation KRIs
• Risk status for each supplier = Adequate or better
• Risks linked to single control gaps reduced to Low, closed OR formally risk accepted
• Open control gaps remain below thresholds
43. Management reports
Engagement status & progress
TIP – Carefully manage expectations about 1st outputs. Introducing the process and tackling SRM/supplier concerns can be tough.
TIP – Report percentages not numbers. Scope flexes wildly during initial implementation phases.
Pie chart: share of suppliers by engagement status (Out of Scope; Pre-Triage; Pre-Triage Blockage; Very High (Critical); High (Critical); Medium; Low; Triaged & No Assmt Reqd), with slices of 21%, 4%, 8%, 2%, 10%, 13%, 19% and 23%
44. Management reports
Remediation status & progress
Bar chart: number of suppliers by overall supplier risk status (Adequate; Minor Improvement; Major Improvement; Inadequate)
Status and trends by:
• Business unit
• Control type
• Control gap severity
• Supply type
TIP – Introduce competition to increase engagement:
• Top suppliers
• Top departments
• Top SRMs
• Top Procurement contacts
45. The bigger procurement picture
How does supplier security governance fit?
Early Identification > Inherent Risk Assessment > Due Diligence > Contractual Requirements > On-going Governance > Exit Management
46. The bigger governance picture
Diagram: Supplier Security governance alongside its neighbouring functions: Change; Procurement; Legal; Incident Mgmt; IT & Op Risk; Partner Assurance; Audit; Data Protection
Increase collaboration: understand stakeholder processes and challenges.
Reduce duplication: align planned assessments, audits and governance meetings.
Kill ‘last gasp’ security engagement: plug triage into the earliest stages of associated processes.
Mature: less big bang assessment, more continuous monitoring.
Raise security awareness: a natural result of getting this right.
47. The journey
How did we do?
From
• Just large IT firms
• Reactivity and inconsistency
• Inability to evidence coverage
• Tick box delivery reports
• Confused responsibilities
To
• The whole supplier population
• Risk based planning
• The full risk picture
• Business risk relevant reports
• A well defined risk RACI
49. A better way?
Future possibilities
• Greater ‘cyber’ focus, greater budget, greater chance processes can embed and mature
• Consolidation in the cloud market, greater transparency and increasing availability of data tracking, user access, vulnerability, threat, and availability monitoring tools
• No Safe Harbor so more near-shore hosting
• Insurers standardising control coverage
• Risk quantification improvements