SlideShare a Scribd company logo

Building an Effective Supply Chain Security Program

Priyanka Aash
Priyanka Aash

We’ve realized that the supply chain in most organizations is a potential weak spot for security controls and awareness. The time has come to shore up our approaches to supply chain management, incorporating security best practices at all stages. This talk will break down exactly how to get started, what to look for, and how to better secure your supply chain across the board. (Source: RSA USA 2016-San Francisco)

Technology
1 of 26
Download to read offline
SESSION ID: #RSAC Dave Shackleford Building an Effective Supply Chain Security Program GRC-W02 Sr. Faculty and Analyst SANS @daveshackleford
#RSAC Supply Chain Security: What It Means Supply chain security is a program that focuses on the potential risks associated with an organization’s suppliers of goods and services Attackers are focusing on this! There are many ways that a supply chain breach could occur Software compromise, credential theft, and more are becoming common scenarios
#RSAC Supply Chain Breach Example: Target Target experienced a significant breach of roughly 110 million customers’ data, with at least 40 million payment cards stolen. During the course of the investigation, it was found that Target was initially breached through a connection established by one of their vendors, HVAC vendor Fazio Mechanical Services
#RSAC Supply Chain Breach Example: Home Depot Home Depot, another large retailer, also claims that its credit card breach in 2014 was initially due to stolen credentials from a third-party vendor. In many of the most public cases we have seen, the attackers have targeted personal data, health care information and financial data, such as debit and credit card details.
#RSAC Supply Chain Breach Example: OPM In 2015, the U.S. Office of Personnel Management (OPM) revealed a significant breach of 22 million records including sensitive data tied to numerous federal employees, contractors and military personnel. This breach, like many others, seems to have originated with stolen credentials from a background check provider that worked with OPM, KeyPoint Government Solutions
#RSAC Getting a Handle on Vendor Management
#RSAC Current State Not Defined • No Process Defined • Ad Hoc and Inconsistent Approach Defined & Implemented • Consistent but Unstructured Approach • Documented and Detailed but not Measured or Enforced Continuous Improvement • Monitoring, Measuring, and Process Improvements • Best Practices for Risk Management and Automation
#RSAC Vendor Management: Define Important Vendors • Define Important Vendors • “Important” vendors can mean many things • These are vendors that: • Are critical to business operations • Maintain unique or legacy components of importance • Provide critical services
#RSAC Vendor Management: Specify Primary Contacts • Specify primary contacts • Coordinate due diligence on vendors and report to senior leadership using a risk-based approach • Maintain knowledge of, and compliance with, policies and reporting requirements. • File documentation and paperwork with the legal and contracting teams to ensure there is a central repository and audit trail. • Coordinate broad communication with those who can add value in vendor oversight
#RSAC Vendor Management: Establish Guidelines and Controls • Policies should include: • Requiring the right to audit and test the security controls of vendors and service providers annually, upon significant changes to the relationship and in response to audit requests or events • Requiring vendors to adhere to security monitoring requirements • Requiring periodic reports from the vendors and service providers demonstrating service level attainment and performance management • Requiring vendors and service providers to provide timely notification pursuant to any security breaches or incidents that may cause impact to the organization
#RSAC Vendor Management: Integrate with Organization’s Practices • With the pieces in place, a vendor management program can now start to integrate with the organization’s assessment and audit practices • Depending on the industry, organization, and culture, these practices will vary widely
#RSAC Supply Chain Security Best Practices
#RSAC People, Process and Technology
#RSAC Best Practices: People • These should be in place at supply chain companies • HR Teams: Background checks should be performed on a regular basis for both new and existing employees and contractors • Every 6-12 months is ideal • Monitor all staff that work with your organization’s data and systems for changes to job status and requirements • Access to critical systems should be monitored, and all third-party access should be revoked after a defined period of inactivity
#RSAC Best Practices: Employment Agreements • HR and security teams should verify that security requirements are clearly spelled out in contracts for supply chain personnel • Acceptable use provisions should be in place for supply chain organization employees through their employment agreements
#RSAC Best Practices: Process • Create a supply chain assessment questionnaire and checklists: • Application security • Audit and compliance • Business continuity and disaster recovery capabilities • Change and configuration management • Data security and data life cycle management • Physical (data center) security • Encryption and key management • Governance and risk management • Identity and access management (IAM) • Infrastructure and IT operations security • Threat and vulnerability management
#RSAC Best Practices: Process • Supply chain review should follow these guidelines: • Decide on a list of controls with which supply chain organizations need to demonstrate compliance • Determine the frequency of security reviews for internal and regulatory compliance needs • Define a remediation and arbitration process for handling supply chain organizations that are not currently meeting security requirements
#RSAC Process Best Practices: Code Review • Code analysis of software should ideally be done for supply chain partners • Having the code reviewed should ideally be the responsibility of the vendors, and they should attest to software security via a report issued prior to installation or updates • Contracts should require this! • Pen testing of software should also be allowed in contracts
#RSAC Process Best Practices: Vulnerability Mgmt • Supply chain vendors should have to provide patches to their products in a timely fashion • Heartbleed, Shellshock, and others have affected us significantly • SLAs should be in place for patch creation • Supply chain partners should be required to notify you of data breaches that may materially impact you • Incidents should be communicated, too…could you be the next target?
#RSAC Best Practices: Technology • The first, and perhaps simplest, change is to begin using technology services that offer supplier risk ratings or rankings compared to other industry organizations. • Monitoring the overall risk ratings of supply chain participants from other organizations working with them provides information on industry perceptions of security posture
#RSAC Technology Best Practices: Privileges • Vendors and partners with privileges should be controlled: • Enforce separation of duties and least privilege for accounts • Implement strict password and account-management policies and practices • Log, monitor, and audit all vendor/partner online actions • Consider a “sandboxed” approach for remote access • Most importantly, all organizations need a policy and approach to managing and monitoring privileged users
#RSAC Technology Best Practices: Network Isolation • Network isolation and segmentation changes can help with improving supply chain security • Remote attacks through supply chain access should be limited • Careful zoning and network isolation with strategic access controls can help prevent this • Multiple authentication points (while annoying) can be useful • Logs and events from remote access systems (VPNs, etc.) should be carefully monitored • Jump boxes and “thin client” approaches are also valuable
#RSAC Technology Best Practices: Analytics+Threat Intelligence • Many organizations use or plan to use security analytics tools and threat intelligence to help identify and combat advanced attacks • Analytics platforms provide: • Deep data sets • Pattern recognition • Machine learning • Threat intelligence can help to correlate information gleaned from internal sources with indicators of compromise spotted by other organizations
#RSAC Technology Best Practices: Exfiltration Monitoring • Monitoring egress points from the internal network is another way to improve security within the supply chain today • Some of the most common protocols and standards used for data exfiltration or command and control include HTTP/HTTPS, FTP/FTPS/SFTP, SSH, IRC, Email, P2P, and DNS or ICMP for covert channels • Monitor at NGFW, IDS/IPS, Proxy, and in DNS
#RSAC Wrapping Up
#RSAC Applying What We’ve Discussed Next week you should: Review your existing vendor management/procurement capabilities In the first three months following this presentation you should: Update product and vendor inventories Define appropriate controls for different vendor types (check best practices discussed earlier) Within six months you should: Update risk assessment processes for vendor review Ensure all critical vendors have complete reviews & documentation

Recommended

Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenPriyanka Aash
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResiliencePriyanka Aash
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingPriyanka Aash
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security OperationsPriyanka Aash
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
Partnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPartnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPriyanka Aash
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 

Recommended

Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenPriyanka Aash
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResiliencePriyanka Aash
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingPriyanka Aash
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security OperationsPriyanka Aash
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
Partnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPartnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPriyanka Aash
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Ollie Whitehouse
 
Demystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesDemystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesPriyanka Aash
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROFrom Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROPriyanka Aash
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
 
A case for Managed Detection and Response
A case for Managed Detection and ResponseA case for Managed Detection and Response
A case for Managed Detection and ResponseDigital Transformation EXPO Event Series
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
Security Program Development for the Hipster Company
Security Program Development for the Hipster CompanySecurity Program Development for the Hipster Company
Security Program Development for the Hipster CompanyPriyanka Aash
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...North Texas Chapter of the ISSA
 
Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of DreamsPriyanka Aash
 
To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015Paul Hogan
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015Health IT Conference – iHT2
 
NISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best PracticeNISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best PracticeDavid Ochel
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationPriyanka Aash
 
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Priyanka Aash
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secureEnterpriseGRC Solutions, Inc.
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyWhat We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyPriyanka Aash
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsChristopher Foot
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Best Practices & Considerations in “IT Suppliers Audit”
Best Practices & Considerations in “IT Suppliers Audit”Best Practices & Considerations in “IT Suppliers Audit”
Best Practices & Considerations in “IT Suppliers Audit”Shankar Subramaniyan
 

More Related Content

What's hot

Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Ollie Whitehouse
 
Demystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesDemystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesPriyanka Aash
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROFrom Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROPriyanka Aash
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
Security Program Development for the Hipster Company
Security Program Development for the Hipster CompanySecurity Program Development for the Hipster Company
Security Program Development for the Hipster CompanyPriyanka Aash
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...North Texas Chapter of the ISSA
 
Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of DreamsPriyanka Aash
 
To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015Paul Hogan
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 
NISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best PracticeNISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best PracticeDavid Ochel
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationPriyanka Aash
 
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Priyanka Aash
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyWhat We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyPriyanka Aash
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 

What's hot (19)

Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...
 
Demystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesDemystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use Cases
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROFrom Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIRO
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 
A case for Managed Detection and Response
A case for Managed Detection and ResponseA case for Managed Detection and Response
A case for Managed Detection and Response
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 
Security Program Development for the Hipster Company
Security Program Development for the Hipster CompanySecurity Program Development for the Hipster Company
Security Program Development for the Hipster Company
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
 
Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of Dreams
 
To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015
 
NISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best PracticeNISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best Practice
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
 
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secure
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyWhat We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 

Similar to Building an Effective Supply Chain Security Program

Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsChristopher Foot
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Best Practices & Considerations in “IT Suppliers Audit”
Best Practices & Considerations in “IT Suppliers Audit”Best Practices & Considerations in “IT Suppliers Audit”
Best Practices & Considerations in “IT Suppliers Audit”Shankar Subramaniyan
 
Roadmap to SAP® Security and Compliance | Symmetry
Roadmap to SAP® Security and Compliance | SymmetryRoadmap to SAP® Security and Compliance | Symmetry
Roadmap to SAP® Security and Compliance | SymmetrySymmetry™
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechsMordecai Kraushar
 
Bringing the Cloud Back to Earth
Bringing the Cloud Back to EarthBringing the Cloud Back to Earth
Bringing the Cloud Back to EarthSri Chalasani
 
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_oftenstr-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_oftenMichael Hammer
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applicationskanimozhin
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentPrecisely
 
2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Yde2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Ydemikaelyde
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsTechcello
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTuan Phan
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070retheauditors
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchMcKonly & Asbury, LLP
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Scott Carlson
 

Similar to Building an Effective Supply Chain Security Program (20)

Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Best Practices & Considerations in “IT Suppliers Audit”
Best Practices & Considerations in “IT Suppliers Audit”Best Practices & Considerations in “IT Suppliers Audit”
Best Practices & Considerations in “IT Suppliers Audit”
 
Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014
 
Roadmap to SAP® Security and Compliance | Symmetry
Roadmap to SAP® Security and Compliance | SymmetryRoadmap to SAP® Security and Compliance | Symmetry
Roadmap to SAP® Security and Compliance | Symmetry
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechs
 
Bringing the Cloud Back to Earth
Bringing the Cloud Back to EarthBringing the Cloud Back to Earth
Bringing the Cloud Back to Earth
 
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_oftenstr-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applications
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
 
2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Yde2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Yde
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Forecast 2014: SaaS Data Exchange
Forecast 2014: SaaS Data ExchangeForecast 2014: SaaS Data Exchange
Forecast 2014: SaaS Data Exchange
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Building an Effective Supply Chain Security Program

  • 1. SESSION ID: #RSAC Dave Shackleford Building an Effective Supply Chain Security Program GRC-W02 Sr. Faculty and Analyst SANS @daveshackleford
  • 2. #RSAC Supply Chain Security: What It Means Supply chain security is a program that focuses on the potential risks associated with an organization’s suppliers of goods and services Attackers are focusing on this! There are many ways that a supply chain breach could occur Software compromise, credential theft, and more are becoming common scenarios
  • 3. #RSAC Supply Chain Breach Example: Target Target experienced a significant breach of roughly 110 million customers’ data, with at least 40 million payment cards stolen. During the course of the investigation, it was found that Target was initially breached through a connection established by one of their vendors, HVAC vendor Fazio Mechanical Services
  • 4. #RSAC Supply Chain Breach Example: Home Depot Home Depot, another large retailer, also claims that its credit card breach in 2014 was initially due to stolen credentials from a third-party vendor. In many of the most public cases we have seen, the attackers have targeted personal data, health care information and financial data, such as debit and credit card details.
  • 5. #RSAC Supply Chain Breach Example: OPM In 2015, the U.S. Office of Personnel Management (OPM) revealed a significant breach of 22 million records including sensitive data tied to numerous federal employees, contractors and military personnel. This breach, like many others, seems to have originated with stolen credentials from a background check provider that worked with OPM, KeyPoint Government Solutions
  • 6. #RSAC Getting a Handle on Vendor Management
  • 7. #RSAC Current State Not Defined • No Process Defined • Ad Hoc and Inconsistent Approach Defined & Implemented • Consistent but Unstructured Approach • Documented and Detailed but not Measured or Enforced Continuous Improvement • Monitoring, Measuring, and Process Improvements • Best Practices for Risk Management and Automation
  • 8. #RSAC Vendor Management: Define Important Vendors • Define Important Vendors • “Important” vendors can mean many things • These are vendors that: • Are critical to business operations • Maintain unique or legacy components of importance • Provide critical services
  • 9. #RSAC Vendor Management: Specify Primary Contacts • Specify primary contacts • Coordinate due diligence on vendors and report to senior leadership using a risk-based approach • Maintain knowledge of, and compliance with, policies and reporting requirements. • File documentation and paperwork with the legal and contracting teams to ensure there is a central repository and audit trail. • Coordinate broad communication with those who can add value in vendor oversight
  • 10. #RSAC Vendor Management: Establish Guidelines and Controls • Policies should include: • Requiring the right to audit and test the security controls of vendors and service providers annually, upon significant changes to the relationship and in response to audit requests or events • Requiring vendors to adhere to security monitoring requirements • Requiring periodic reports from the vendors and service providers demonstrating service level attainment and performance management • Requiring vendors and service providers to provide timely notification pursuant to any security breaches or incidents that may cause impact to the organization
  • 11. #RSAC Vendor Management: Integrate with Organization’s Practices • With the pieces in place, a vendor management program can now start to integrate with the organization’s assessment and audit practices • Depending on the industry, organization, and culture, these practices will vary widely
  • 12. #RSAC Supply Chain Security Best Practices
  • 14. #RSAC Best Practices: People • These should be in place at supply chain companies • HR Teams: Background checks should be performed on a regular basis for both new and existing employees and contractors • Every 6-12 months is ideal • Monitor all staff that work with your organization’s data and systems for changes to job status and requirements • Access to critical systems should be monitored, and all third-party access should be revoked after a defined period of inactivity
  • 15. #RSAC Best Practices: Employment Agreements • HR and security teams should verify that security requirements are clearly spelled out in contracts for supply chain personnel • Acceptable use provisions should be in place for supply chain organization employees through their employment agreements
  • 16. #RSAC Best Practices: Process • Create a supply chain assessment questionnaire and checklists: • Application security • Audit and compliance • Business continuity and disaster recovery capabilities • Change and configuration management • Data security and data life cycle management • Physical (data center) security • Encryption and key management • Governance and risk management • Identity and access management (IAM) • Infrastructure and IT operations security • Threat and vulnerability management
  • 17. #RSAC Best Practices: Process • Supply chain review should follow these guidelines: • Decide on a list of controls with which supply chain organizations need to demonstrate compliance • Determine the frequency of security reviews for internal and regulatory compliance needs • Define a remediation and arbitration process for handling supply chain organizations that are not currently meeting security requirements
  • 18. #RSAC Process Best Practices: Code Review • Code analysis of software should ideally be done for supply chain partners • Having the code reviewed should ideally be the responsibility of the vendors, and they should attest to software security via a report issued prior to installation or updates • Contracts should require this! • Pen testing of software should also be allowed in contracts
  • 19. #RSAC Process Best Practices: Vulnerability Mgmt • Supply chain vendors should have to provide patches to their products in a timely fashion • Heartbleed, Shellshock, and others have affected us significantly • SLAs should be in place for patch creation • Supply chain partners should be required to notify you of data breaches that may materially impact you • Incidents should be communicated, too…could you be the next target?
  • 20. #RSAC Best Practices: Technology • The first, and perhaps simplest, change is to begin using technology services that offer supplier risk ratings or rankings compared to other industry organizations. • Monitoring the overall risk ratings of supply chain participants from other organizations working with them provides information on industry perceptions of security posture
  • 21. #RSAC Technology Best Practices: Privileges • Vendors and partners with privileges should be controlled: • Enforce separation of duties and least privilege for accounts • Implement strict password and account-management policies and practices • Log, monitor, and audit all vendor/partner online actions • Consider a “sandboxed” approach for remote access • Most importantly, all organizations need a policy and approach to managing and monitoring privileged users
  • 22. #RSAC Technology Best Practices: Network Isolation • Network isolation and segmentation changes can help with improving supply chain security • Remote attacks through supply chain access should be limited • Careful zoning and network isolation with strategic access controls can help prevent this • Multiple authentication points (while annoying) can be useful • Logs and events from remote access systems (VPNs, etc.) should be carefully monitored • Jump boxes and “thin client” approaches are also valuable
  • 23. #RSAC Technology Best Practices: Analytics+Threat Intelligence • Many organizations use or plan to use security analytics tools and threat intelligence to help identify and combat advanced attacks • Analytics platforms provide: • Deep data sets • Pattern recognition • Machine learning • Threat intelligence can help to correlate information gleaned from internal sources with indicators of compromise spotted by other organizations
  • 24. #RSAC Technology Best Practices: Exfiltration Monitoring • Monitoring egress points from the internal network is another way to improve security within the supply chain today • Some of the most common protocols and standards used for data exfiltration or command and control include HTTP/HTTPS, FTP/FTPS/SFTP, SSH, IRC, Email, P2P, and DNS or ICMP for covert channels • Monitor at NGFW, IDS/IPS, Proxy, and in DNS
  • 26. #RSAC Applying What We’ve Discussed Next week you should: Review your existing vendor management/procurement capabilities In the first three months following this presentation you should: Update product and vendor inventories Define appropriate controls for different vendor types (check best practices discussed earlier) Within six months you should: Update risk assessment processes for vendor review Ensure all critical vendors have complete reviews & documentation