SlideShare a Scribd company logo

Vendor Security Risk Management - How to Handle the New Normal

Download as PPTX, PDF
Argyle Executive Forum
Argyle Executive Forum

Joe Filer, Vice President and Chief Information Security Officer (CISO) at Harland Clarke, discussed the future of vendor management during his presentation at the 2014 CISO Leadership Forum in Dallas on Oct. 2. In his presentation, “Vendor Security Risk Management – How to Handle the New Normal,” Filer noted vendor security risk management is important, and auditing and validation is key to avoid security issues with vendors. According to Filer, documentation plays a vital role in vendor security risk management. If a vendor develops effective risk management processes, Filer said, it can minimize and prevent security issues: “The key component for the vendor security risk management piece for me has always been the documentation part of it. How do I develop something when I’m doing effective vendor security risk management that allows me to document my thought processes associated with performing that risk assessment of an individual vendor so I can provide that to whoever’s interested in seeing it?” Filer also pointed out consistent security risk management guidelines can have far-flung effects on an organization. In addition, an organization that understands the impact of these guidelines, Filer said, can avoid unnecessary risks: ” There are some real inconsistent guidelines to the management process out there and it’s important to put something together that allows you to continue to be subjected to the cost effective and efficiency space. You have to have a confident sense of the security posture of your key vendors, though, and it has to be one where you’ve been able to build that in a way that doesn’t push them into a place where they don’t want to be a part of the process.” - See more at: http://www.argylejournal.com/chief-information-security-officer/vendor-security-risk-management-how-to-handle-the-new-normal-joe-filer-vice-president-chief-information-security-officer-harland-clarke/#sthash.9bNU6U4O.dpuf

Technology
1 of 22
October 2014 Vendor Security Risk Management - How to Handle the New Normal “Some Important Lessons Learned From Both Directions” Presented By: Joe Filer, CISSP, PMP, CRISC
Who is this Guy?  BA in Math, Masters in Operations Research  Over 20 years as an information security professional –Increasing levels of global security leadership with extensive compliance focus  CISSP/CRISC – Security and Risk Experience  PMP – Project Management Experience  ISSA Distinguished Fellow  Currently – VP, CISO at Harland Clarke Holdings Corp. –Multi-company, global footprint  Resident of San Antonio, TX (almost 30 years) 2
Ground Rules  Some of the information provided will be identified as “my personal or professional opinion” and should not be considered as reflective of my employer’s position.  Any aspect of this presentation that might be considered to address legal issues reflect summaries and should not be considered legal advice. 3
Overview  What is Vendor Security Risk Management?  Overview of the Key Concepts  Perspective/Premise  Changing Landscape and Forecasts  Issues and Lessons Learned  Solutions  Conclusions 4
Definition Vendor Security Risk Management  Structured approach to ensure that relevant vendor security risk postures are understood, documented and validated to an appropriate level 5
Key components of effective VSRM Vendor Security Risk Management  Required confidentiality components in contracts  Confidence that all “relevant” vendors are subjected to program’s oversight  Approach where vendor security postures are understood, documented and validated when appropriate  Feedback to the vendor to facilitate remediation when required 6
Key Concepts  Risk – potential harm that could occur from a future event  Risk Management – the process of understanding risk and determining how best to handle exposure  Compliance – meeting all the requirements of a standard  Certification – authority attesting to a level of compliance 7
Unique Perspective  Own Vendor Security Risk Management for ~50 Critical Vendors My Team  Support client requirements as a Critical Vendor to hundreds of Financial Institutions 8
Premise - As an industry we need to recognize the importance of doing vendor security risk management better…. “Vendor Security Risk Management (VSRM/Due Diligence) efforts can be very costly and may not lead to confident visibility into the security posture of our critical vendor relationships.” “We have not embraced the key lessons learned from doing VSRM for several years.” “There has to be a better (cost effective) way to meet this important objective.” 9
Changing Landscapes and Forecasts  OCC Guidelines Oct 2013 –Establishes clear requirement for 3rd party oversight –Emphasis on risk management and due diligence –Considered somewhat ambiguous and subject to misinterpretation  The weaknesses associated with “Payment Card Industry approach” will be addressed –Expect more comprehensive requirements including vendor security management –More stringent assessor expectations –VISA Validation effort – Jan 2015 10
Changing Landscape and Forecasts  Consumers are sick of “holding the bag” –Companies will be held accountable for security decision-making –Too many vendors do not have a good “history”…. –Class action lawsuits  Federal legislation is Coming! –Tech savvy generation in leadership influencing direction –Lots of new regulations (See OCC 10/2013) –Legislation has been “bubbling under the surface” for several years (See http://fas.org/sgp/crs/natsec/R42114.pdf) –Response to consumer lack of confidence 11
Issues/Lessons Learned #1 Vendors are not your enemy! They are not trying to hide things from you and you should not fear them.  Lesson: If we need to be “afraid” of our vendors, why have them? –Build relationships with good partners. –Invest in good up-front vetting that starts the process on a solid footing. –There is too much focus on people trying to “pull the wool over our eyes”. 12
Issues/Lessons Learned #2 The PROCESS is not more important than the objective.  Lesson: We need to recognize the impact that this process has on our vendors and our business elements –Excessively burdensome requirements can impact the willingness of the vendor to “participate” in the effort –We don’t all have unlimited security budgets and “Time is Money” –Vendors are not impressed by fancy collection tools, overly comprehensive surveys, etc. 13
Issues/Lessons Learned #3 Inconsistent guidance to Vendor Security Management is reflected in extraordinary document requests  Lesson: Vendor Security Management has lost sight of the original objective – Confidence with the security posture of key vendors –Piles of documents cannot really support an effective evaluation of security posture –Approach probably increases overall risk as many documents reflect SENSITIVE information on their own 14
Issues/Lessons Learned #4 Not every “gap” is HIGH risk……….  Lesson: We need to be realistic about the sensitivity we attach to risk issues. –Threat consideration is a key piece of the process –Effective risk assessment allows for business prioritization and remediation –Credibility with the business is at stake 15
Issues/Lessons Learned #5 Compliance has become a CheckBox exercise in many cases.  Lesson: We have lost sight of something learned long ago - “There is no such thing as One Size Fits All Security” –PCI and “compliance versus security” failures –The “qualitative” aspect of reviews began to erode with SOX reviews –Risk context is very important 16
Issues/Lessons Learned #6 SOC 2 could be the best thing to happen to VSRM in some time…….  Lesson: We have to rely on comprehensive security reviews whenever possible. –SAS70 was not the answer – not always measured to same level –SOC 2 is a viable solution for non-validated control visibility – a good, cost effective starting point for vendor security awareness –Mentioned directly in OCC Guidelines as viable oversight 17
Solutions  Maintain the focus on Security Risk Management – Keep process on target and in a “Box” –We cannot over-rotate on parts of the issue (e.g., scanning) –Limit document exposure – Trust but Verify while keeping validation at an appropriate level…….  We do NOT need to Re-invent the Wheel –Effective Vendor Security Risk Management has been going on for over 15 years….. –Success starts with Clear Requirements in Contracts –Understand and respect the impact on the vendor  Be proactive as a Vendor – “Build Once, Use Many” documents provide efficient visibility –Confidence goes a long way –Stand firm when you have to 18
Solutions (Generally)  Focus on Effective Security Posture NOT Compliance –Comprehensive and secure programs lead to compliance BUT not the other way around……. –Recognize the Importance that Risk Plays in the Process  Document the Risk Management Decision Process –Capture why things were (or were not) done –Ensure the Business owns/drives the risk-based decision –Security should be a Consultant in the process –Understand and advocate for your vendors/clients/customers  Own your Compliance/Audit Relationships –Push them beyond the CheckBox mentality –Think quality –And, make them add value to your awareness 19
Conclusions • Vendor Security Risk Management is an absolute requirement today and we must do it right • Working together as “partners” is essential • Process is an enabler not the objective • As an industry, we have to get better at understanding and leveraging Risk Management • There is no such thing as “One Size Fits All Security” • We must address the rising “CheckBox Mindset” and its impact on Security /Compliance • Solid security programs reflect foundation for Compliance successes – Not the other way around • We must determine some alternatives – SOC 2 – YES! • Fundamental Philosophy has not changed – Effective Security Must Enable the Business 20
21 Questions
22 For more information… Joe Filer, CISSP, PMP, CRISC VP, Chief Information Security Officer 10931 Laureate Drive San Antonio, TX 78249 210.694.1560 (office) 210.475.1920 (cell) joseph.filer@harlandclarke.com

Recommended

Building an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramBuilding an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramPriyanka Aash
 
Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...
Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...
Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...BananaIP Counsels
 
Patent drafting
Patent draftingPatent drafting
Patent draftingSupport to Research & Technological Development & Innovation Initiatives and Strategies in Jordan
 
ppt on Quality assuranse
ppt on Quality assuranseppt on Quality assuranse
ppt on Quality assuranseDr Ashok dhaka Bishnoi
 
Crash course on claim drafting (with exercises)
Crash course on claim drafting (with exercises)Crash course on claim drafting (with exercises)
Crash course on claim drafting (with exercises)Caezar Angelito E Arceo
 
Patent Search & Drafting Patent Claims
Patent Search & Drafting Patent ClaimsPatent Search & Drafting Patent Claims
Patent Search & Drafting Patent ClaimsProf. Dr. Basavaraj Nanjwade
 
How to Draft a Patent
How to Draft a PatentHow to Draft a Patent
How to Draft a PatentMaRS Discovery District
 
Outsourcing and Vendor management
Outsourcing and Vendor managementOutsourcing and Vendor management
Outsourcing and Vendor managementRaminder Pal Singh
 

Recommended

Building an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramBuilding an Effective Supply Chain Security Program
Building an Effective Supply Chain Security ProgramPriyanka Aash
 
Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...
Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...
Patent: A presentation on "Patent Drafting" by Ms. Vinita Radhakrishnan - Ban...BananaIP Counsels
 
Patent drafting
Patent draftingPatent drafting
Patent draftingSupport to Research & Technological Development & Innovation Initiatives and Strategies in Jordan
 
ppt on Quality assuranse
ppt on Quality assuranseppt on Quality assuranse
ppt on Quality assuranseDr Ashok dhaka Bishnoi
 
Crash course on claim drafting (with exercises)
Crash course on claim drafting (with exercises)Crash course on claim drafting (with exercises)
Crash course on claim drafting (with exercises)Caezar Angelito E Arceo
 
Patent Search & Drafting Patent Claims
Patent Search & Drafting Patent ClaimsPatent Search & Drafting Patent Claims
Patent Search & Drafting Patent ClaimsProf. Dr. Basavaraj Nanjwade
 
How to Draft a Patent
How to Draft a PatentHow to Draft a Patent
How to Draft a PatentMaRS Discovery District
 
Outsourcing and Vendor management
Outsourcing and Vendor managementOutsourcing and Vendor management
Outsourcing and Vendor managementRaminder Pal Singh
 
Rethink App Delivery with Workspace as a Service
Rethink App Delivery with Workspace as a ServiceRethink App Delivery with Workspace as a Service
Rethink App Delivery with Workspace as a ServiceArgyle Executive Forum
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsGlobal Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsArgyle Executive Forum
 
Become the CEO: An Employee Excitement Survey
Become the CEO: An Employee Excitement SurveyBecome the CEO: An Employee Excitement Survey
Become the CEO: An Employee Excitement SurveyArgyle Executive Forum
 
Social Support and Total Community
Social Support and Total CommunitySocial Support and Total Community
Social Support and Total CommunityArgyle Executive Forum
 
Marketing to the Power of ONE!
Marketing to the Power of ONE!Marketing to the Power of ONE!
Marketing to the Power of ONE!Argyle Executive Forum
 
The New Era of Engagement Marketing
The New Era of Engagement MarketingThe New Era of Engagement Marketing
The New Era of Engagement MarketingArgyle Executive Forum
 
Re-Think App Delivery with Workspace as a Service
Re-Think App Delivery with Workspace as a ServiceRe-Think App Delivery with Workspace as a Service
Re-Think App Delivery with Workspace as a ServiceArgyle Executive Forum
 
Delighting Customers with Information Technology
Delighting Customers with Information TechnologyDelighting Customers with Information Technology
Delighting Customers with Information TechnologyArgyle Executive Forum
 
Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to EnterpriseArgyle Executive Forum
 
9.35am presentation - john landy
9.35am presentation - john landy9.35am presentation - john landy
9.35am presentation - john landyArgyle Executive Forum
 
Keeping a Seat at the Table: Remaining Relevant
Keeping a Seat at the Table: Remaining RelevantKeeping a Seat at the Table: Remaining Relevant
Keeping a Seat at the Table: Remaining RelevantArgyle Executive Forum
 
Succession Matters: Effective Succession Management Planning
Succession Matters: Effective Succession Management PlanningSuccession Matters: Effective Succession Management Planning
Succession Matters: Effective Succession Management PlanningArgyle Executive Forum
 
It's a Balancing Act
It's a Balancing ActIt's a Balancing Act
It's a Balancing ActArgyle Executive Forum
 
Getting to the Heart of your Customer
Getting to the Heart of your CustomerGetting to the Heart of your Customer
Getting to the Heart of your CustomerArgyle Executive Forum
 
9.35am robert humphrey
9.35am robert humphrey9.35am robert humphrey
9.35am robert humphreyArgyle Executive Forum
 
Cloud Securiy: A Vendor Risk Management Perspective
Cloud Securiy: A Vendor Risk Management PerspectiveCloud Securiy: A Vendor Risk Management Perspective
Cloud Securiy: A Vendor Risk Management PerspectiveArgyle Executive Forum
 
Deliver any app to any device in 60 minutes
Deliver any app to any device in 60 minutesDeliver any app to any device in 60 minutes
Deliver any app to any device in 60 minutesArgyle Executive Forum
 
Enabling Opportunity to Transform Company Culture
Enabling Opportunity to Transform Company CultureEnabling Opportunity to Transform Company Culture
Enabling Opportunity to Transform Company CultureArgyle Executive Forum
 
The Future of Work
The Future of WorkThe Future of Work
The Future of WorkArgyle Executive Forum
 
The Challenge of Information Self-Service
The Challenge of Information Self-ServiceThe Challenge of Information Self-Service
The Challenge of Information Self-ServiceArgyle Executive Forum
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

More Related Content

More from Argyle Executive Forum

Rethink App Delivery with Workspace as a Service
Rethink App Delivery with Workspace as a ServiceRethink App Delivery with Workspace as a Service
Rethink App Delivery with Workspace as a ServiceArgyle Executive Forum
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsGlobal Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsArgyle Executive Forum
 
Become the CEO: An Employee Excitement Survey
Become the CEO: An Employee Excitement SurveyBecome the CEO: An Employee Excitement Survey
Become the CEO: An Employee Excitement SurveyArgyle Executive Forum
 
Re-Think App Delivery with Workspace as a Service
Re-Think App Delivery with Workspace as a ServiceRe-Think App Delivery with Workspace as a Service
Re-Think App Delivery with Workspace as a ServiceArgyle Executive Forum
 
Delighting Customers with Information Technology
Delighting Customers with Information TechnologyDelighting Customers with Information Technology
Delighting Customers with Information TechnologyArgyle Executive Forum
 
Keeping a Seat at the Table: Remaining Relevant
Keeping a Seat at the Table: Remaining RelevantKeeping a Seat at the Table: Remaining Relevant
Keeping a Seat at the Table: Remaining RelevantArgyle Executive Forum
 
Succession Matters: Effective Succession Management Planning
Succession Matters: Effective Succession Management PlanningSuccession Matters: Effective Succession Management Planning
Succession Matters: Effective Succession Management PlanningArgyle Executive Forum
 
Cloud Securiy: A Vendor Risk Management Perspective
Cloud Securiy: A Vendor Risk Management PerspectiveCloud Securiy: A Vendor Risk Management Perspective
Cloud Securiy: A Vendor Risk Management PerspectiveArgyle Executive Forum
 
Deliver any app to any device in 60 minutes
Deliver any app to any device in 60 minutesDeliver any app to any device in 60 minutes
Deliver any app to any device in 60 minutesArgyle Executive Forum
 
Enabling Opportunity to Transform Company Culture
Enabling Opportunity to Transform Company CultureEnabling Opportunity to Transform Company Culture
Enabling Opportunity to Transform Company CultureArgyle Executive Forum
 
The Challenge of Information Self-Service
The Challenge of Information Self-ServiceThe Challenge of Information Self-Service
The Challenge of Information Self-ServiceArgyle Executive Forum
 

More from Argyle Executive Forum (20)

Rethink App Delivery with Workspace as a Service
Rethink App Delivery with Workspace as a ServiceRethink App Delivery with Workspace as a Service
Rethink App Delivery with Workspace as a Service
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsGlobal Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
 
Become the CEO: An Employee Excitement Survey
Become the CEO: An Employee Excitement SurveyBecome the CEO: An Employee Excitement Survey
Become the CEO: An Employee Excitement Survey
 
Social Support and Total Community
Social Support and Total CommunitySocial Support and Total Community
Social Support and Total Community
 
Marketing to the Power of ONE!
Marketing to the Power of ONE!Marketing to the Power of ONE!
Marketing to the Power of ONE!
 
The New Era of Engagement Marketing
The New Era of Engagement MarketingThe New Era of Engagement Marketing
The New Era of Engagement Marketing
 
Re-Think App Delivery with Workspace as a Service
Re-Think App Delivery with Workspace as a ServiceRe-Think App Delivery with Workspace as a Service
Re-Think App Delivery with Workspace as a Service
 
Delighting Customers with Information Technology
Delighting Customers with Information TechnologyDelighting Customers with Information Technology
Delighting Customers with Information Technology
 
Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to Enterprise
 
9.35am presentation - john landy
9.35am presentation - john landy9.35am presentation - john landy
9.35am presentation - john landy
 
Keeping a Seat at the Table: Remaining Relevant
Keeping a Seat at the Table: Remaining RelevantKeeping a Seat at the Table: Remaining Relevant
Keeping a Seat at the Table: Remaining Relevant
 
Succession Matters: Effective Succession Management Planning
Succession Matters: Effective Succession Management PlanningSuccession Matters: Effective Succession Management Planning
Succession Matters: Effective Succession Management Planning
 
It's a Balancing Act
It's a Balancing ActIt's a Balancing Act
It's a Balancing Act
 
Getting to the Heart of your Customer
Getting to the Heart of your CustomerGetting to the Heart of your Customer
Getting to the Heart of your Customer
 
9.35am robert humphrey
9.35am robert humphrey9.35am robert humphrey
9.35am robert humphrey
 
Cloud Securiy: A Vendor Risk Management Perspective
Cloud Securiy: A Vendor Risk Management PerspectiveCloud Securiy: A Vendor Risk Management Perspective
Cloud Securiy: A Vendor Risk Management Perspective
 
Deliver any app to any device in 60 minutes
Deliver any app to any device in 60 minutesDeliver any app to any device in 60 minutes
Deliver any app to any device in 60 minutes
 
Enabling Opportunity to Transform Company Culture
Enabling Opportunity to Transform Company CultureEnabling Opportunity to Transform Company Culture
Enabling Opportunity to Transform Company Culture
 
The Future of Work
The Future of WorkThe Future of Work
The Future of Work
 
The Challenge of Information Self-Service
The Challenge of Information Self-ServiceThe Challenge of Information Self-Service
The Challenge of Information Self-Service
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

Vendor Security Risk Management - How to Handle the New Normal

  • 1. October 2014 Vendor Security Risk Management - How to Handle the New Normal “Some Important Lessons Learned From Both Directions” Presented By: Joe Filer, CISSP, PMP, CRISC
  • 2. Who is this Guy?  BA in Math, Masters in Operations Research  Over 20 years as an information security professional –Increasing levels of global security leadership with extensive compliance focus  CISSP/CRISC – Security and Risk Experience  PMP – Project Management Experience  ISSA Distinguished Fellow  Currently – VP, CISO at Harland Clarke Holdings Corp. –Multi-company, global footprint  Resident of San Antonio, TX (almost 30 years) 2
  • 3. Ground Rules  Some of the information provided will be identified as “my personal or professional opinion” and should not be considered as reflective of my employer’s position.  Any aspect of this presentation that might be considered to address legal issues reflect summaries and should not be considered legal advice. 3
  • 4. Overview  What is Vendor Security Risk Management?  Overview of the Key Concepts  Perspective/Premise  Changing Landscape and Forecasts  Issues and Lessons Learned  Solutions  Conclusions 4
  • 5. Definition Vendor Security Risk Management  Structured approach to ensure that relevant vendor security risk postures are understood, documented and validated to an appropriate level 5
  • 6. Key components of effective VSRM Vendor Security Risk Management  Required confidentiality components in contracts  Confidence that all “relevant” vendors are subjected to program’s oversight  Approach where vendor security postures are understood, documented and validated when appropriate  Feedback to the vendor to facilitate remediation when required 6
  • 7. Key Concepts  Risk – potential harm that could occur from a future event  Risk Management – the process of understanding risk and determining how best to handle exposure  Compliance – meeting all the requirements of a standard  Certification – authority attesting to a level of compliance 7
  • 8. Unique Perspective  Own Vendor Security Risk Management for ~50 Critical Vendors My Team  Support client requirements as a Critical Vendor to hundreds of Financial Institutions 8
  • 9. Premise - As an industry we need to recognize the importance of doing vendor security risk management better…. “Vendor Security Risk Management (VSRM/Due Diligence) efforts can be very costly and may not lead to confident visibility into the security posture of our critical vendor relationships.” “We have not embraced the key lessons learned from doing VSRM for several years.” “There has to be a better (cost effective) way to meet this important objective.” 9
  • 10. Changing Landscapes and Forecasts  OCC Guidelines Oct 2013 –Establishes clear requirement for 3rd party oversight –Emphasis on risk management and due diligence –Considered somewhat ambiguous and subject to misinterpretation  The weaknesses associated with “Payment Card Industry approach” will be addressed –Expect more comprehensive requirements including vendor security management –More stringent assessor expectations –VISA Validation effort – Jan 2015 10
  • 11. Changing Landscape and Forecasts  Consumers are sick of “holding the bag” –Companies will be held accountable for security decision-making –Too many vendors do not have a good “history”…. –Class action lawsuits  Federal legislation is Coming! –Tech savvy generation in leadership influencing direction –Lots of new regulations (See OCC 10/2013) –Legislation has been “bubbling under the surface” for several years (See http://fas.org/sgp/crs/natsec/R42114.pdf) –Response to consumer lack of confidence 11
  • 12. Issues/Lessons Learned #1 Vendors are not your enemy! They are not trying to hide things from you and you should not fear them.  Lesson: If we need to be “afraid” of our vendors, why have them? –Build relationships with good partners. –Invest in good up-front vetting that starts the process on a solid footing. –There is too much focus on people trying to “pull the wool over our eyes”. 12
  • 13. Issues/Lessons Learned #2 The PROCESS is not more important than the objective.  Lesson: We need to recognize the impact that this process has on our vendors and our business elements –Excessively burdensome requirements can impact the willingness of the vendor to “participate” in the effort –We don’t all have unlimited security budgets and “Time is Money” –Vendors are not impressed by fancy collection tools, overly comprehensive surveys, etc. 13
  • 14. Issues/Lessons Learned #3 Inconsistent guidance to Vendor Security Management is reflected in extraordinary document requests  Lesson: Vendor Security Management has lost sight of the original objective – Confidence with the security posture of key vendors –Piles of documents cannot really support an effective evaluation of security posture –Approach probably increases overall risk as many documents reflect SENSITIVE information on their own 14
  • 15. Issues/Lessons Learned #4 Not every “gap” is HIGH risk……….  Lesson: We need to be realistic about the sensitivity we attach to risk issues. –Threat consideration is a key piece of the process –Effective risk assessment allows for business prioritization and remediation –Credibility with the business is at stake 15
  • 16. Issues/Lessons Learned #5 Compliance has become a CheckBox exercise in many cases.  Lesson: We have lost sight of something learned long ago - “There is no such thing as One Size Fits All Security” –PCI and “compliance versus security” failures –The “qualitative” aspect of reviews began to erode with SOX reviews –Risk context is very important 16
  • 17. Issues/Lessons Learned #6 SOC 2 could be the best thing to happen to VSRM in some time…….  Lesson: We have to rely on comprehensive security reviews whenever possible. –SAS70 was not the answer – not always measured to same level –SOC 2 is a viable solution for non-validated control visibility – a good, cost effective starting point for vendor security awareness –Mentioned directly in OCC Guidelines as viable oversight 17
  • 18. Solutions  Maintain the focus on Security Risk Management – Keep process on target and in a “Box” –We cannot over-rotate on parts of the issue (e.g., scanning) –Limit document exposure – Trust but Verify while keeping validation at an appropriate level…….  We do NOT need to Re-invent the Wheel –Effective Vendor Security Risk Management has been going on for over 15 years….. –Success starts with Clear Requirements in Contracts –Understand and respect the impact on the vendor  Be proactive as a Vendor – “Build Once, Use Many” documents provide efficient visibility –Confidence goes a long way –Stand firm when you have to 18
  • 19. Solutions (Generally)  Focus on Effective Security Posture NOT Compliance –Comprehensive and secure programs lead to compliance BUT not the other way around……. –Recognize the Importance that Risk Plays in the Process  Document the Risk Management Decision Process –Capture why things were (or were not) done –Ensure the Business owns/drives the risk-based decision –Security should be a Consultant in the process –Understand and advocate for your vendors/clients/customers  Own your Compliance/Audit Relationships –Push them beyond the CheckBox mentality –Think quality –And, make them add value to your awareness 19
  • 20. Conclusions • Vendor Security Risk Management is an absolute requirement today and we must do it right • Working together as “partners” is essential • Process is an enabler not the objective • As an industry, we have to get better at understanding and leveraging Risk Management • There is no such thing as “One Size Fits All Security” • We must address the rising “CheckBox Mindset” and its impact on Security /Compliance • Solid security programs reflect foundation for Compliance successes – Not the other way around • We must determine some alternatives – SOC 2 – YES! • Fundamental Philosophy has not changed – Effective Security Must Enable the Business 20
  • 22. 22 For more information… Joe Filer, CISSP, PMP, CRISC VP, Chief Information Security Officer 10931 Laureate Drive San Antonio, TX 78249 210.694.1560 (office) 210.475.1920 (cell) joseph.filer@harlandclarke.com