SlideShare a Scribd company logo

Comprehensive Approach to Third Party Risk Management

DVV Solutions Third Party Risk Management
DVV Solutions Third Party Risk Management

This document discusses the need for comprehensive third party risk management. It notes that companies are increasingly reliant on third party suppliers but often do not have full visibility into the security practices of those suppliers. A successful third party risk management program requires tools to efficiently assess supplier risk, continuously monitor suppliers for security threats, evaluate the security of small suppliers, and share supplier assessment information. The document advocates for using an integrated software platform that brings together automated assessment, continuous monitoring, inspection of small suppliers, and an evidence sharing network.

Technology
1 of 7
Download to read offline
A Comprehensive Approach To Third Party Risk Management WHITE PAPER
DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us What’s The Purpose Of Third Party Risk Management? Your company deploys advanced IT security controls and follows best practices to prevent unauthorised access to your systems and protect sensitive company and customer data. Unfortunately, it’s not enough. It’s not enough because there is an entire spectrum of risks you don’t directly control – access to your systems and sensitive data by your suppliers. Simply stated: the overall security of your data and systems is dependent on the risk controls provided by your suppliers. on average, are accessing a company’s network every week enforce policies around Third Party access of companies said they know the number of log-ins that could be attributed to suppliers said they definitely or possibly suffered a security breach resulting from supplier access in the past year 89 46% 51% 69%SUPPLIERS ONLY ONLY A recent Vulnerability Index research report released by Privileged Identity Management company Bomgar, showed that breaches¹ occurring from third parties account for two-thirds of the total number of reported breaches. In addition, the study found that: Studies like this and many others over the past few years have driven the consensus among security professionals that the risk posed by third parties is not only substantial, but it is increasing, and there is no “one size fits all” solution to the problem. 1 Bomgar. Vendor Vulnerability Index brings security risk of third-parties to light, April 2016 This is why you need a comprehensive approach to your Third Party Risk Management (TPRM) program that allows you to: Identify the security controls a supplier must have based on the services they provide Determine if they are maintaining those controls Develop plans for corrective action to be taken by the supplier Monitor the supplier’s threat environment for additional external risks and operational issues Reduce collection time by leveraging shared, standardised risk information collected for other companies who utilise the same supplier  
DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us Why Is Third Party Risk Management So Complicated? TPRM is a growing concern for the CISO, CIO, CEO, and even Board-level stakeholders. In fact, Gartner recently stated in their 2017 Magic Quadrant for IT Vendor Risk Management that by 2020, 75% of Fortune Global 500 companies will treat supplier risk management as a board-level initiative to mitigate brand and reputation risk². In addition, with the introduction of the Internet of Things (IoT), organisations are quickly realising that they are not prepared, and according to a recent Poneman and Shared Assessments study, are still “relying on technologies and governance practices that have not evolved to address emergent IoT threat vectors.” Even though 25% of respondents in this study stated that their board of directors require assurances that IoT risk among third parties is being assessed, managed, and monitored appropriately, only 27% said they have the resources to support it³. The reality is that once your data is under the control of your suppliers, it’s still YOUR data. It is up to you to ensure your suppliers have adequate security controls in place and that they keep those controls current based on the ongoing changes to the threat environment. Further complicating this, are many supplier variables that you need to consider, such as: • Whether the supplier has custody of, or access to, your sensitive information • Whether the supplier has access to your company’s network • Size of the supplier • Location of the supplier • Sophistication of the supplier’s IT and security teams • If the supplier itself outsources services • The supplier’s product or service • Regulations IoT risks in the next two years Very likely, somewhat likely & likely responses combined Other factors to consider include geography, recent events relating to the supplier (e.g. a data breach, bankruptcy filing, lawsuit, leadership change), and any number of other variables unique to the millions of suppliers in business globally. What does this supplier relationship complexity mean for security professionals responsible for third party risk management? In short, they need several tools to efficiently gain visibility into and manage the risk of their supplier ecosystem. A security incident related to unsecured loT devices or applications could be catastrophic The loss or theft of data caused by unsecured loT devices or applications Cyber attack caused by unsecured loT devices or applications 94% 78% 76% 2 Gartner. Magic Quadrant for IT Vendor Risk Management, June 2017 3 Poneman Institute. The Internet of Things (IoT): A New Era of Third- Party Risk, May 2017
DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us One Size Doesn’t Fit All Supplier assessment must be ‘fine-tuned’ to the type of data involved, the systems being accessed, and the nature of the services provided by the supplier. For example, would you ask a 15-person law firm that handles your patent filings and litigation to complete the same comprehensive questionnaire they send to a cloud-based application provider? Would a healthcare company ask their laboratory analysis suppliers the same set of risk questions they would their payroll company? How much do you really care about the security controls of the supplier that landscapes your company grounds? Software Development Life Cycle (SDLC) processes are obviously important for suppliers delivering applications embedded in your organisation’s operations, but they’re irrelevant to a claims processing supplier of a car insurance company. Once the proper scope is established, assessment due diligence must be requested from the supplier, validated, and then analysed. Upon completion, decisions are then made about risk acceptance and/or mitigation. Results must be consolidated and reports generated to senior management that define outsourcing risk and the operational efficiency of the TPRM process. This effort - extended over dozens, hundreds, or even thousands of suppliers - is essentially impossible to conduct without software automation. Assessment has become the go-to word in the third party risk world, but whether a formal Assessment is appropriate for a supplier or not, the requirement to assess (evaluate, appraise, gauge, estimate, determine, etc.) the risk of the supplier doesn’t go away. Multiple options are needed to have a successful TPRM program. Fortunately, technology is evolving to provide exactly such options for the growing third party risk community. First, automated assessment tools are significantly more sophisticated than their predecessor generations. Today’s Third Party risk management software offers the kinds of features that enable supplier content tuning, including: • Ability to “tier” suppliers, or determine which surveys and other requests to make of suppliers based on their relationship to the organisation • Ability to pull completed and reviewed standard content from supplier evidence networks, saving both the suppliers and your organisation countless hours of time • Ability to build custom, supplemental surveys that address the gaps in standard content • Risk score flexibility to enable users to customise to their risk needs within the tools • Shipping with off-the-shelf, industry-accepted standard content • Built-in workflows that provide automated and auditable interaction with suppliers to facilitate remediation and/or provide greater risk visibility into your supplier ecosystem Third Party Assessment Software
DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us Unlike first generation continuous monitoring offerings, contemporary services provide a holistic view of supplier risk as determined by external events and internal security posture. Rather than focusing exclusively on outdated measures of security provided by external network scans, today’s monitoring products gather risk event data from several sources on an on-going basis to form a risk picture across the supplier’s entire spectrum of potential threats to your organisation. Data breaches are just one way in which your relationship with a supplier can negatively impact your operations and external network scans provide little insight into a supplier’s vulnerability in today’s sophisticated threat environment. Financial risk events, operational challenges (such as natural disasters or leadership shake-ups), regulatory citations, fraudulent practice claims, and lawsuits are just a few examples of the kinds of events that can greatly impact the risk of a supplier to your organisation. Fortunately, options exist in advanced TPRM solutions for third party risk professionals to keep track of their suppliers on a daily basis, beyond the narrow focus of first-generation monitoring tools with a narrow-minded view of risk. One of the challenges that has traditionally faced the third party risk community is the inability to gauge the risk of small suppliers, those with only 2 to 100 employees. Compounding the challenge is the increasing importance of these small suppliers to the operations of many organisations and their resulting exposure to sensitive data. Small law firms, local printing companies, production studios, small PR organisations, or family-run claims processing companies are just a few examples of suppliers who can comprise a small number of employees, but require access to a large organisation’s sensitive information. The risk associated with this segment of suppliers continues to grow as they increasingly become targets for hackers. Lacking the resources and skill sets of larger organisations, criminals rightfully identify them as easier targets than their customers. According to a recent Symantec⁴ study almost one-half of all cyber-attacks (43%) last year were against small businesses with a 2017 Webroot Cyber Threat report finding that IT decision makers at 96% of SMBs in the US, UK, and Australia believe their organisations will be susceptible to external cybersecurity threats this year⁵. Until recently, evaluating the risk of these small suppliers has been an elusive goal. However, with advanced TPRM solutions, automated inspection and risk evaluation solutions are available to benefit both the small supplier, as well as their large and medium size customers. Low-footprint agents gather information on the endpoint security state of a small supplier, process the information, and generate security deficiency reports. In addition, recommendations are made for the supplier to improve their security profile. Your organisation now has a means to assess and help mitigate the risk of very small, essential suppliers, and the suppliers – often too small to employ IT resources, let alone security professionals – have a tool to help them improve their security and keep your sensitive data safe. Continuous Threat Monitoring Small Business Supplier Inspection 4 Symantec. Internet Security Threat Report, 2017 5 Webroot. Cyber Threat to Small – and Medium-Sized Businesses in 2017, 2017
DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us A relatively new innovation in third party risk is providing third party risk managers with all of the benefits of the traditional Assessment process, but with much less aggravation. The advent of Supplier Evidence Sharing Networks is making completed, verified, standard surveys available to organisations while eliminating the tedious time-and-resource consuming process of collecting accurate data from suppliers. The “Complete-Once, Share-Many” model of supplier sharing networks means the burden on suppliers is similarly alleviated. By greatly reducing the effort required to collect or complete surveys, it means that both first and third parties can spend much less time gathering controls data and much more time on what’s important: working together to decrease control gaps and reduce overall risk. Evidence network sharing is a feature built into advanced supplier risk management software, so that users can not only leverage advanced workflows, reporting, scoring, and other features of these enterprise software solutions, but can also augment that rich functionality with “off-the-shelf” supplier evidence that can instantly form the foundation of a comprehensive and effective third party risk management program. Evidence Sharing Networks Mixing and Matching Capabilities to Meet Your Program Needs Today and Tomorrow Very rarely will only one of the four solutions discussed in this whitepaper satisfy the TPRM needs of an organisation with such diverse suppliers - and that’s exactly the point. Having the access to all four components is necessary to build a highly-functioning, efficient third party risk program - and Prevalent is the only solution provider in the market today that can deliver all four advanced solutions. Prevalent developed the first purpose-built Third Party Risk Management cloud-based platform in 2012 and is the only company that offers a complete, integrated suite of solutions that includes automated assessment software, continuous threat monitoring, leading-edge SMB inspection, and innovative supplier evidence sharing networks.
DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us About DVV Solutions DVV Solutions was established in 1999, and has become one of the UK’s leading providers in the design, implementation and management of Third Party Risk Management (TPRM) and IT Security services. We have a proven model for Third Party risk reduction and mitigation. Our suite of consultative and managed services improve your ability to manage increasing numbers and complexity of outsourced supplier risk backed by leading risk intelligence and automation platforms. Our ethos is to provide you the best value for money by offering the highest quality of service within a clear and consistent cost model. We do this by leveraging our extensive experience in the IT services sector and our best-of- breed technology and service partners. As a Shared Assessments program member and registered Assessment Firm we utilise industry-standard practices including Standardised Information Gathering (SIG) questionnaires and Standardised Control Assessment (SCA) for onsite assessments. www.sharedassessments.org Our channel partnership agreement with Prevalent Inc. enables DVV Solutions to deliver and support Prevalent technologies to UK and European customers and add significant value to their Third Party Risk Assessment capabilities. Recently named a Leader in the Gartner Magic Quadrant for IT Supplier Risk Management, Prevalent helps global organisations manage and monitor the security threats and risks associated with Third and Fourth Party suppliers. www.prevalent.net Please note: This White Paper contains excerpts used, with kind permission, from Prevalent Inc. Registered trademarks acknowledged. All rights reserved.

Recommended

MDR-SOC is a cybersecurity framework services | Ampcus Inc
MDR-SOC is a cybersecurity framework services | Ampcus IncMDR-SOC is a cybersecurity framework services | Ampcus Inc
MDR-SOC is a cybersecurity framework services | Ampcus IncUnified11
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
Cyber Security Needs and Challenges
Cyber Security Needs and ChallengesCyber Security Needs and Challenges
Cyber Security Needs and ChallengesHappiest Minds Technologies
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security IntelligenceSplunk
 
APT Monitoring and Compliance
APT Monitoring and ComplianceAPT Monitoring and Compliance
APT Monitoring and ComplianceMarcus Clarke
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALMichael Bunn
 
Cyber risks in supply chains
Cyber risks in supply chains Cyber risks in supply chains
Cyber risks in supply chains Aparajita Banerjee
 
The Changing Security Landscape
The Changing Security LandscapeThe Changing Security Landscape
The Changing Security LandscapeArrow ECS UK
 

Recommended

MDR-SOC is a cybersecurity framework services | Ampcus Inc
MDR-SOC is a cybersecurity framework services | Ampcus IncMDR-SOC is a cybersecurity framework services | Ampcus Inc
MDR-SOC is a cybersecurity framework services | Ampcus IncUnified11
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
Cyber Security Needs and Challenges
Cyber Security Needs and ChallengesCyber Security Needs and Challenges
Cyber Security Needs and ChallengesHappiest Minds Technologies
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security IntelligenceSplunk
 
APT Monitoring and Compliance
APT Monitoring and ComplianceAPT Monitoring and Compliance
APT Monitoring and ComplianceMarcus Clarke
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALMichael Bunn
 
Cyber risks in supply chains
Cyber risks in supply chains Cyber risks in supply chains
Cyber risks in supply chains Aparajita Banerjee
 
The Changing Security Landscape
The Changing Security LandscapeThe Changing Security Landscape
The Changing Security LandscapeArrow ECS UK
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?NetEnrich, Inc.
 
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3Edward Johnson
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopDavid Sweigert
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
F5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 Networks
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...Judith Beckhard Cardoso
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanAsad Zaman
 
Case study
Case studyCase study
Case studyShehrevar Davierwala
 
Clearswift f5 integration
Clearswift f5 integrationClearswift f5 integration
Clearswift f5 integrationMarco Essomba
 
Cisco Managed Security
Cisco Managed SecurityCisco Managed Security
Cisco Managed SecuritySrivatsan Desikan
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
Cyber Ethics: Cyber Security Services | VAPT and WAPT
Cyber Ethics: Cyber Security Services | VAPT and WAPT Cyber Ethics: Cyber Security Services | VAPT and WAPT
Cyber Ethics: Cyber Security Services | VAPT and WAPTSaeelRelekar
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Cristian Garcia G.
 
Decision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionDecision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionThales e-Security
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityZymbian
 
CMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationCMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationInfosec
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudSwapna Shetye
 
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015CBIZ, Inc.
 
Digital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainDigital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainShawn Brown
 

More Related Content

What's hot

To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?NetEnrich, Inc.
 
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3Edward Johnson
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopDavid Sweigert
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
F5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 Networks
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...Judith Beckhard Cardoso
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanAsad Zaman
 
Clearswift f5 integration
Clearswift f5 integrationClearswift f5 integration
Clearswift f5 integrationMarco Essomba
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
Cyber Ethics: Cyber Security Services | VAPT and WAPT
Cyber Ethics: Cyber Security Services | VAPT and WAPT Cyber Ethics: Cyber Security Services | VAPT and WAPT
Cyber Ethics: Cyber Security Services | VAPT and WAPTSaeelRelekar
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Cristian Garcia G.
 
Decision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionDecision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionThales e-Security
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityZymbian
 
CMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationCMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationInfosec
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudSwapna Shetye
 

What's hot (20)

To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
 
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3
ThreatAlytics Compliance Monitoring CADSI 23 Nov_rev3
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loop
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
F5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhere
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _Zaman
 
Case study
Case studyCase study
Case study
 
Clearswift f5 integration
Clearswift f5 integrationClearswift f5 integration
Clearswift f5 integration
 
Cisco Managed Security
Cisco Managed SecurityCisco Managed Security
Cisco Managed Security
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Cyber Ethics: Cyber Security Services | VAPT and WAPT
Cyber Ethics: Cyber Security Services | VAPT and WAPT Cyber Ethics: Cyber Security Services | VAPT and WAPT
Cyber Ethics: Cyber Security Services | VAPT and WAPT
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
 
Decision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionDecision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryption
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 security
 
CMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationCMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organization
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus Cloud
 

Similar to Comprehensive Approach to Third Party Risk Management

Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015CBIZ, Inc.
 
Digital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainDigital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainShawn Brown
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfgokuforhelp
 
Cyber TPRM - the journey ahead
Cyber TPRM - the journey aheadCyber TPRM - the journey ahead
Cyber TPRM - the journey aheadKevin Duffey
 
How Third Party Risk is Becoming More Challenging in 2023
How Third Party Risk is Becoming More Challenging in 2023How Third Party Risk is Becoming More Challenging in 2023
How Third Party Risk is Becoming More Challenging in 2023360factors
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesCorporater
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisionsAlireza Ghahrood
 
Copy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-SiCopy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-SiAlleneMcclendon878
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring ToolsReview on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring ToolsNormShield
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services OfferedRachel Anne Carter
 
Third party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligenceThird party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligenceCharles Steve
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - WebFahd Khan
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141sraina2
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic SecurityChad Korosec
 
8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docx8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docxevonnehoggarth79783
 

Similar to Comprehensive Approach to Third Party Risk Management (20)

Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
 
Digital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainDigital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychain
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdf
 
Cyber TPRM - the journey ahead
Cyber TPRM - the journey aheadCyber TPRM - the journey ahead
Cyber TPRM - the journey ahead
 
How Third Party Risk is Becoming More Challenging in 2023
How Third Party Risk is Becoming More Challenging in 2023How Third Party Risk is Becoming More Challenging in 2023
How Third Party Risk is Becoming More Challenging in 2023
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisions
 
Copy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-SiCopy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-Si
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring ToolsReview on 3rd-party Cyber Risk Assessment and Scoring Tools
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services Offered
 
Third party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligenceThird party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligence
 
Internal Audit
Internal AuditInternal Audit
Internal Audit
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
 
Information Security
Information SecurityInformation Security
Information Security
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docx8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docx
 

More from DVV Solutions Third Party Risk Management

Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...
Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...
Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...DVV Solutions Third Party Risk Management
 
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...DVV Solutions Third Party Risk Management
 
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeThird Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeDVV Solutions Third Party Risk Management
 

More from DVV Solutions Third Party Risk Management (9)

Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19 Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19
 
Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...
Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...
Building the Business Case for TPRM - DVV Solutions Breakfast Briefing March ...
 
The State of TPRM in the UK - DVV Solutions Breakfast Briefing March 2019
The State of TPRM in the UK - DVV Solutions Breakfast Briefing March 2019The State of TPRM in the UK - DVV Solutions Breakfast Briefing March 2019
The State of TPRM in the UK - DVV Solutions Breakfast Briefing March 2019
 
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...
 
Third Party Network Webinar Slide Deck 110718 FINAL
Third Party Network Webinar Slide Deck 110718 FINALThird Party Network Webinar Slide Deck 110718 FINAL
Third Party Network Webinar Slide Deck 110718 FINAL
 
Data Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service OverviewData Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service Overview
 
DVV Solutions Legal Vendor Network White Paper April 2016
DVV Solutions Legal Vendor Network White Paper April 2016DVV Solutions Legal Vendor Network White Paper April 2016
DVV Solutions Legal Vendor Network White Paper April 2016
 
DVV Solutions About Us Datasheet
DVV Solutions About Us DatasheetDVV Solutions About Us Datasheet
DVV Solutions About Us Datasheet
 
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeThird Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
 

Recently uploaded

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Comprehensive Approach to Third Party Risk Management

  • 1. A Comprehensive Approach To Third Party Risk Management WHITE PAPER
  • 2. DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us What’s The Purpose Of Third Party Risk Management? Your company deploys advanced IT security controls and follows best practices to prevent unauthorised access to your systems and protect sensitive company and customer data. Unfortunately, it’s not enough. It’s not enough because there is an entire spectrum of risks you don’t directly control – access to your systems and sensitive data by your suppliers. Simply stated: the overall security of your data and systems is dependent on the risk controls provided by your suppliers. on average, are accessing a company’s network every week enforce policies around Third Party access of companies said they know the number of log-ins that could be attributed to suppliers said they definitely or possibly suffered a security breach resulting from supplier access in the past year 89 46% 51% 69%SUPPLIERS ONLY ONLY A recent Vulnerability Index research report released by Privileged Identity Management company Bomgar, showed that breaches¹ occurring from third parties account for two-thirds of the total number of reported breaches. In addition, the study found that: Studies like this and many others over the past few years have driven the consensus among security professionals that the risk posed by third parties is not only substantial, but it is increasing, and there is no “one size fits all” solution to the problem. 1 Bomgar. Vendor Vulnerability Index brings security risk of third-parties to light, April 2016 This is why you need a comprehensive approach to your Third Party Risk Management (TPRM) program that allows you to: Identify the security controls a supplier must have based on the services they provide Determine if they are maintaining those controls Develop plans for corrective action to be taken by the supplier Monitor the supplier’s threat environment for additional external risks and operational issues Reduce collection time by leveraging shared, standardised risk information collected for other companies who utilise the same supplier  
  • 3. DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us Why Is Third Party Risk Management So Complicated? TPRM is a growing concern for the CISO, CIO, CEO, and even Board-level stakeholders. In fact, Gartner recently stated in their 2017 Magic Quadrant for IT Vendor Risk Management that by 2020, 75% of Fortune Global 500 companies will treat supplier risk management as a board-level initiative to mitigate brand and reputation risk². In addition, with the introduction of the Internet of Things (IoT), organisations are quickly realising that they are not prepared, and according to a recent Poneman and Shared Assessments study, are still “relying on technologies and governance practices that have not evolved to address emergent IoT threat vectors.” Even though 25% of respondents in this study stated that their board of directors require assurances that IoT risk among third parties is being assessed, managed, and monitored appropriately, only 27% said they have the resources to support it³. The reality is that once your data is under the control of your suppliers, it’s still YOUR data. It is up to you to ensure your suppliers have adequate security controls in place and that they keep those controls current based on the ongoing changes to the threat environment. Further complicating this, are many supplier variables that you need to consider, such as: • Whether the supplier has custody of, or access to, your sensitive information • Whether the supplier has access to your company’s network • Size of the supplier • Location of the supplier • Sophistication of the supplier’s IT and security teams • If the supplier itself outsources services • The supplier’s product or service • Regulations IoT risks in the next two years Very likely, somewhat likely & likely responses combined Other factors to consider include geography, recent events relating to the supplier (e.g. a data breach, bankruptcy filing, lawsuit, leadership change), and any number of other variables unique to the millions of suppliers in business globally. What does this supplier relationship complexity mean for security professionals responsible for third party risk management? In short, they need several tools to efficiently gain visibility into and manage the risk of their supplier ecosystem. A security incident related to unsecured loT devices or applications could be catastrophic The loss or theft of data caused by unsecured loT devices or applications Cyber attack caused by unsecured loT devices or applications 94% 78% 76% 2 Gartner. Magic Quadrant for IT Vendor Risk Management, June 2017 3 Poneman Institute. The Internet of Things (IoT): A New Era of Third- Party Risk, May 2017
  • 4. DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us One Size Doesn’t Fit All Supplier assessment must be ‘fine-tuned’ to the type of data involved, the systems being accessed, and the nature of the services provided by the supplier. For example, would you ask a 15-person law firm that handles your patent filings and litigation to complete the same comprehensive questionnaire they send to a cloud-based application provider? Would a healthcare company ask their laboratory analysis suppliers the same set of risk questions they would their payroll company? How much do you really care about the security controls of the supplier that landscapes your company grounds? Software Development Life Cycle (SDLC) processes are obviously important for suppliers delivering applications embedded in your organisation’s operations, but they’re irrelevant to a claims processing supplier of a car insurance company. Once the proper scope is established, assessment due diligence must be requested from the supplier, validated, and then analysed. Upon completion, decisions are then made about risk acceptance and/or mitigation. Results must be consolidated and reports generated to senior management that define outsourcing risk and the operational efficiency of the TPRM process. This effort - extended over dozens, hundreds, or even thousands of suppliers - is essentially impossible to conduct without software automation. Assessment has become the go-to word in the third party risk world, but whether a formal Assessment is appropriate for a supplier or not, the requirement to assess (evaluate, appraise, gauge, estimate, determine, etc.) the risk of the supplier doesn’t go away. Multiple options are needed to have a successful TPRM program. Fortunately, technology is evolving to provide exactly such options for the growing third party risk community. First, automated assessment tools are significantly more sophisticated than their predecessor generations. Today’s Third Party risk management software offers the kinds of features that enable supplier content tuning, including: • Ability to “tier” suppliers, or determine which surveys and other requests to make of suppliers based on their relationship to the organisation • Ability to pull completed and reviewed standard content from supplier evidence networks, saving both the suppliers and your organisation countless hours of time • Ability to build custom, supplemental surveys that address the gaps in standard content • Risk score flexibility to enable users to customise to their risk needs within the tools • Shipping with off-the-shelf, industry-accepted standard content • Built-in workflows that provide automated and auditable interaction with suppliers to facilitate remediation and/or provide greater risk visibility into your supplier ecosystem Third Party Assessment Software
  • 5. DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us Unlike first generation continuous monitoring offerings, contemporary services provide a holistic view of supplier risk as determined by external events and internal security posture. Rather than focusing exclusively on outdated measures of security provided by external network scans, today’s monitoring products gather risk event data from several sources on an on-going basis to form a risk picture across the supplier’s entire spectrum of potential threats to your organisation. Data breaches are just one way in which your relationship with a supplier can negatively impact your operations and external network scans provide little insight into a supplier’s vulnerability in today’s sophisticated threat environment. Financial risk events, operational challenges (such as natural disasters or leadership shake-ups), regulatory citations, fraudulent practice claims, and lawsuits are just a few examples of the kinds of events that can greatly impact the risk of a supplier to your organisation. Fortunately, options exist in advanced TPRM solutions for third party risk professionals to keep track of their suppliers on a daily basis, beyond the narrow focus of first-generation monitoring tools with a narrow-minded view of risk. One of the challenges that has traditionally faced the third party risk community is the inability to gauge the risk of small suppliers, those with only 2 to 100 employees. Compounding the challenge is the increasing importance of these small suppliers to the operations of many organisations and their resulting exposure to sensitive data. Small law firms, local printing companies, production studios, small PR organisations, or family-run claims processing companies are just a few examples of suppliers who can comprise a small number of employees, but require access to a large organisation’s sensitive information. The risk associated with this segment of suppliers continues to grow as they increasingly become targets for hackers. Lacking the resources and skill sets of larger organisations, criminals rightfully identify them as easier targets than their customers. According to a recent Symantec⁴ study almost one-half of all cyber-attacks (43%) last year were against small businesses with a 2017 Webroot Cyber Threat report finding that IT decision makers at 96% of SMBs in the US, UK, and Australia believe their organisations will be susceptible to external cybersecurity threats this year⁵. Until recently, evaluating the risk of these small suppliers has been an elusive goal. However, with advanced TPRM solutions, automated inspection and risk evaluation solutions are available to benefit both the small supplier, as well as their large and medium size customers. Low-footprint agents gather information on the endpoint security state of a small supplier, process the information, and generate security deficiency reports. In addition, recommendations are made for the supplier to improve their security profile. Your organisation now has a means to assess and help mitigate the risk of very small, essential suppliers, and the suppliers – often too small to employ IT resources, let alone security professionals – have a tool to help them improve their security and keep your sensitive data safe. Continuous Threat Monitoring Small Business Supplier Inspection 4 Symantec. Internet Security Threat Report, 2017 5 Webroot. Cyber Threat to Small – and Medium-Sized Businesses in 2017, 2017
  • 6. DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us A relatively new innovation in third party risk is providing third party risk managers with all of the benefits of the traditional Assessment process, but with much less aggravation. The advent of Supplier Evidence Sharing Networks is making completed, verified, standard surveys available to organisations while eliminating the tedious time-and-resource consuming process of collecting accurate data from suppliers. The “Complete-Once, Share-Many” model of supplier sharing networks means the burden on suppliers is similarly alleviated. By greatly reducing the effort required to collect or complete surveys, it means that both first and third parties can spend much less time gathering controls data and much more time on what’s important: working together to decrease control gaps and reduce overall risk. Evidence network sharing is a feature built into advanced supplier risk management software, so that users can not only leverage advanced workflows, reporting, scoring, and other features of these enterprise software solutions, but can also augment that rich functionality with “off-the-shelf” supplier evidence that can instantly form the foundation of a comprehensive and effective third party risk management program. Evidence Sharing Networks Mixing and Matching Capabilities to Meet Your Program Needs Today and Tomorrow Very rarely will only one of the four solutions discussed in this whitepaper satisfy the TPRM needs of an organisation with such diverse suppliers - and that’s exactly the point. Having the access to all four components is necessary to build a highly-functioning, efficient third party risk program - and Prevalent is the only solution provider in the market today that can deliver all four advanced solutions. Prevalent developed the first purpose-built Third Party Risk Management cloud-based platform in 2012 and is the only company that offers a complete, integrated suite of solutions that includes automated assessment software, continuous threat monitoring, leading-edge SMB inspection, and innovative supplier evidence sharing networks.
  • 7. DVV Solutions Limited Grosvenor House, St. Thomas’s Place, Stockport, Cheshire, SK1 3TZ, United Kingdom Tel: +44 (0) 161 476 8700 Email: enquiries@dvvs.co.uk Web: www.dvvs.co.uk Contact Us About DVV Solutions DVV Solutions was established in 1999, and has become one of the UK’s leading providers in the design, implementation and management of Third Party Risk Management (TPRM) and IT Security services. We have a proven model for Third Party risk reduction and mitigation. Our suite of consultative and managed services improve your ability to manage increasing numbers and complexity of outsourced supplier risk backed by leading risk intelligence and automation platforms. Our ethos is to provide you the best value for money by offering the highest quality of service within a clear and consistent cost model. We do this by leveraging our extensive experience in the IT services sector and our best-of- breed technology and service partners. As a Shared Assessments program member and registered Assessment Firm we utilise industry-standard practices including Standardised Information Gathering (SIG) questionnaires and Standardised Control Assessment (SCA) for onsite assessments. www.sharedassessments.org Our channel partnership agreement with Prevalent Inc. enables DVV Solutions to deliver and support Prevalent technologies to UK and European customers and add significant value to their Third Party Risk Assessment capabilities. Recently named a Leader in the Gartner Magic Quadrant for IT Supplier Risk Management, Prevalent helps global organisations manage and monitor the security threats and risks associated with Third and Fourth Party suppliers. www.prevalent.net Please note: This White Paper contains excerpts used, with kind permission, from Prevalent Inc. Registered trademarks acknowledged. All rights reserved.