Supplier Assurance Has Never Been More Important During Uncertain Times
14th April 2020
Who are we?
Alex Hollis
VP GRC Services
SureCloud
Alex.hollis@surecloud.com
Matthew Davies
Product Marketing Director
SureCloud
Matthew.davies@surecloud.com
Agenda
• Third Party Risk Management Checklist
• What should you be asking your suppliers now?
• Why your fourth parties are so important
• Embedding your risk & control culture in your suppliers
• Using technology to enhance your program
• Q&A
Third Party Risk Management Checklist
☐ Central list of your vendors
☐ Identify critical vendors
☐ Link vendors to business assets
☐ Prioritise vendors based on budget and time
☐ Assess vendors
But don’t worry if you haven’t operationalised these processes yet. In a recent TPRM survey, most firms are yet to automate inventory updates, and 89% of organisations are still relying on manual processes to support their TPRM program.
www.surecloud.com © 2020 SureCloud. All rights reserved.
What should you be asking your suppliers now?
• Affected services or products
• Fourth parties
• Service/product locations
• TPRM assurance
• Remote working
• Continuity & recovery planning
• Risk management
Why your fourth parties are so important
Security breaches from 3rd and 4th parties
RSA Security:
• April 2011 – via a recruitment company and an .xls file
• Tens of millions of SecurID hardware tokens would have to be re-issued to clients
British Airways:
• September 2018 – via online payment forms
• Approximately 380,000 transactions were affected, and a fine of £183m was proposed
Why are fourth parties important?
[Diagram: Your Organisation → Third Party Vendor (×2) → 4th Party Vendor (×6)]
• What if your third party is also working with multiple third parties to provide your services?
• Fourth parties can infiltrate a company’s data through the third party relationship
• Fourth party risks can arise from contractors, consultants and other vendors working with your third-party vendor
How to address fourth parties?
• Ask targeted questions of your third parties to understand their fourth parties
• Work actively with your third parties to request information and get a full understanding of the fourth parties involved
• Review your third parties’ own TPRM policies and practices
• Require your third parties to contractually commit to notifying you prior to contracting with a fourth party vendor
• Identify trends in fourth parties and conduct onsite audits if possible
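As an added illustration that is not part of the webinar deck or any SureCloud tooling, the Python below models the dependency graph the fourth-party slides draw (your organisation, its third parties, their fourth parties, and the business assets each third party supports from the checklist) over a constructed inventory with hypothetical vendor names. It reports the fourth-party concentration trends and data gaps the steps above ask you to look for.

```python
"""Fourth-party concentration analysis over a small vendor inventory.

Added example (not SureCloud's own code). The inventory is constructed
sample data shaped like the slides: your organisation -> third-party
vendors -> fourth-party vendors, with each third party linked to the
business assets it supports and flagged critical or not.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ThirdParty:
    name: str
    critical: bool                 # "identify critical vendors" step
    assets: set[str]               # "link vendors to business assets" step
    fourth_parties: set[str] = field(default_factory=set)  # answers to the fourth-party question


# Constructed sample inventory; all vendor and asset names are hypothetical.
INVENTORY = [
    ThirdParty("PayGate Ltd", True, {"Online payments", "Customer web"},
               {"CloudHost A", "Fraud Scoring Co"}),
    ThirdParty("Talent Recruit", False, {"HR onboarding"},
               {"CloudHost A", "Mail Relay X"}),
    ThirdParty("DataBackup Inc", True, {"Customer records", "Finance"},
               {"CloudHost A"}),
    ThirdParty("Ledger SaaS", True, {"Finance"}),   # fourth-party question not yet answered
]


def fourth_party_exposure(inventory):
    """Map each fourth party to the set of third parties that rely on it."""
    exposure = defaultdict(set)
    for tp in inventory:
        for fp in tp.fourth_parties:
            exposure[fp].add(tp.name)
    return dict(exposure)


def concentration_risks(inventory, threshold=2):
    """Fourth parties shared by at least `threshold` third parties.

    A breach or outage at one of these propagates through several supplier
    relationships at once, which is the trend the slides say to look for.
    """
    return sorted(fp for fp, dependants in fourth_party_exposure(inventory).items()
                  if len(dependants) >= threshold)


def assets_exposed_via(inventory, fourth_party):
    """Business assets reachable from a fourth party through a third-party relationship."""
    return set().union(*(tp.assets for tp in inventory if fourth_party in tp.fourth_parties))


def critical_without_fourth_party_data(inventory):
    """Critical vendors whose fourth parties are still unknown: follow-up questions needed."""
    return [tp.name for tp in inventory if tp.critical and not tp.fourth_parties]


if __name__ == "__main__":
    for fp in concentration_risks(INVENTORY):
        print(f"{fp} is shared by {sorted(fourth_party_exposure(INVENTORY)[fp])}; "
              f"assets at risk: {sorted(assets_exposed_via(INVENTORY, fp))}")
    print("Critical vendors with no fourth-party data:",
          critical_without_fourth_party_data(INVENTORY))
```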
Embedding your risk & control culture in your suppliers
Current Situation:
• Organisations are conducting point-in-time assessments, which are often regulatory focused
Changing the mindset:
• Embed your organisation’s risk and compliance processes into your suppliers
• Actively incentivise suppliers to report risk and compliance data
• Document and manage the risks and controls that arise from your supplier relationships
• Track and assign remediation activities to your suppliers
Using technology to enhance your program
Using technology to enhance visibility of your vendors
Current Situation:
• Your organisation’s third party risk management program and solutions aren’t integrated into the wider organisation.
How to enhance your program:
• What existing technology do we have that will provide us with greater insight?
• What other technology will provide us with better insight?
Technology you can leverage
• What existing technology do we have that will provide us with greater insight?
• What other technology will provide us with better insight?
• Incident Data
• IT Assets
• Contract Data
• Risk and Compliance Data
• Financial Stability Data
• Cyber Risk Rating
• Regulatory Data
• Corruption Perceptions Index
Q&A
Introducing SureCloud's Complimentary Supply Chain Solution
With the free solution you can:
1. Document key processes and assets
2. Document your key 3rd and 4th parties
3. Directly assess your supply chain
4. Contribute to a global insight report
5. Define and manage both issues and exceptions
6. Report results via intuitive dashboards
https://info.surecloud.com/free-supply-chain-solution
Upcoming Webinar: How to Understand and Build the Resilience of your Supply Chain
Get in touch
Carry on the conversation...
- @surecloud
alex.hollis@surecloud.com matthew.davies@surecloud.com
Thank you
www.surecloud.com
sales@surecloud.com

More Related Content

Similar to Supplier Assurance During COVID-19

Vendor Risk Management - Find It Before It Finds You
Vendor Risk Management - Find It Before It Finds YouVendor Risk Management - Find It Before It Finds You
Vendor Risk Management - Find It Before It Finds YouChad Kreimendahl
 
2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...TrustArc
 
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?Executive Leaders Network
 
SMCR The Chicken & The Pig with GRC2020 & SureCloud
SMCR The Chicken & The Pig with GRC2020 & SureCloudSMCR The Chicken & The Pig with GRC2020 & SureCloud
SMCR The Chicken & The Pig with GRC2020 & SureCloudSureCloud
 
MMV Webinar 1. GDPR Perspectives. November 2017
MMV Webinar 1. GDPR Perspectives. November 2017MMV Webinar 1. GDPR Perspectives. November 2017
MMV Webinar 1. GDPR Perspectives. November 2017Match-Maker Ventures
 
Cyber TPRM - the journey ahead
Cyber TPRM - the journey aheadCyber TPRM - the journey ahead
Cyber TPRM - the journey aheadKevin Duffey
 
ThirdPartyOversight
ThirdPartyOversightThirdPartyOversight
ThirdPartyOversightMolly Dowdy
 
#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmes
#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmes#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmes
#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmesEmma Mirrington
 
#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...
#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...
#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...Emma Mirrington
 
How To Integrate Business Risk & IT Risk
How To Integrate Business Risk & IT Risk How To Integrate Business Risk & IT Risk
How To Integrate Business Risk & IT Risk SureCloud
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
 
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdf
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdfTackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdf
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdfCraig Saunders
 
Snow SAM presentation March 2018
Snow SAM presentation March 2018Snow SAM presentation March 2018
Snow SAM presentation March 2018Jenny Carroll
 
Fleet Optimization Buyer's Guide
Fleet Optimization Buyer's GuideFleet Optimization Buyer's Guide
Fleet Optimization Buyer's GuideCurtis Serna
 
Best Practices for Channel Data Collection
Best Practices for Channel Data CollectionBest Practices for Channel Data Collection
Best Practices for Channel Data CollectionChannelinsight
 
Escrow Presentation2010
Escrow Presentation2010Escrow Presentation2010
Escrow Presentation2010simongreaves
 
DV 2016: Making Sense of the Current Legal Landscape
DV 2016: Making Sense of the Current Legal LandscapeDV 2016: Making Sense of the Current Legal Landscape
DV 2016: Making Sense of the Current Legal LandscapeTealium
 
Rethinking Trust in Data
Rethinking Trust in Data Rethinking Trust in Data
Rethinking Trust in Data DATAVERSITY
 
ConnectTheGrid Overview Webinar - June 10, 2015
ConnectTheGrid Overview Webinar - June 10, 2015ConnectTheGrid Overview Webinar - June 10, 2015
ConnectTheGrid Overview Webinar - June 10, 2015West Monroe Partners
 

Similar to Supplier Assurance During COVID-19 (20)

Vendor Risk Management - Find It Before It Finds You
Vendor Risk Management - Find It Before It Finds YouVendor Risk Management - Find It Before It Finds You
Vendor Risk Management - Find It Before It Finds You
 
2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2020 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
 
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
 
SMCR The Chicken & The Pig with GRC2020 & SureCloud
SMCR The Chicken & The Pig with GRC2020 & SureCloudSMCR The Chicken & The Pig with GRC2020 & SureCloud
SMCR The Chicken & The Pig with GRC2020 & SureCloud
 
Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19 Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19
 
MMV Webinar 1. GDPR Perspectives. November 2017
MMV Webinar 1. GDPR Perspectives. November 2017MMV Webinar 1. GDPR Perspectives. November 2017
MMV Webinar 1. GDPR Perspectives. November 2017
 
Cyber TPRM - the journey ahead
Cyber TPRM - the journey aheadCyber TPRM - the journey ahead
Cyber TPRM - the journey ahead
 
ThirdPartyOversight
ThirdPartyOversightThirdPartyOversight
ThirdPartyOversight
 
#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmes
#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmes#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmes
#FIRMday Manchester - 15 Oct 2015 - Best practice in people screening programmes
 
#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...
#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...
#FIRMDAY 15th October 2015 Manchester - Best practice in people screening pro...
 
How To Integrate Business Risk & IT Risk
How To Integrate Business Risk & IT Risk How To Integrate Business Risk & IT Risk
How To Integrate Business Risk & IT Risk
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
 
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdf
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdfTackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdf
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdf
 
Snow SAM presentation March 2018
Snow SAM presentation March 2018Snow SAM presentation March 2018
Snow SAM presentation March 2018
 
Fleet Optimization Buyer's Guide
Fleet Optimization Buyer's GuideFleet Optimization Buyer's Guide
Fleet Optimization Buyer's Guide
 
Best Practices for Channel Data Collection
Best Practices for Channel Data CollectionBest Practices for Channel Data Collection
Best Practices for Channel Data Collection
 
Escrow Presentation2010
Escrow Presentation2010Escrow Presentation2010
Escrow Presentation2010
 
DV 2016: Making Sense of the Current Legal Landscape
DV 2016: Making Sense of the Current Legal LandscapeDV 2016: Making Sense of the Current Legal Landscape
DV 2016: Making Sense of the Current Legal Landscape
 
Rethinking Trust in Data
Rethinking Trust in Data Rethinking Trust in Data
Rethinking Trust in Data
 
ConnectTheGrid Overview Webinar - June 10, 2015
ConnectTheGrid Overview Webinar - June 10, 2015ConnectTheGrid Overview Webinar - June 10, 2015
ConnectTheGrid Overview Webinar - June 10, 2015
 

Recently uploaded

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Memoori
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 

Recently uploaded (20)

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 

Supplier Assurance During COVID-19

  • 1. Supplier Assurance Has Never Been More Important During Uncertain Times 14th April 2020
  • 2. Who are we? 2 Alex Hollis VP GRC Services SureCloud Alex.hollis@surecloud.com Matthew Davies Product Marketing Director SureCloud Matthew.davies@surecloud.com
  • 3. Agenda • Third Party Risk Management Checklist • What should you be asking your suppliers now? • Why your fourth parties are so important • Embedding your risk & control culture in your suppliers • Using technology to enhance your program • Q&A
  • 4. 4 Third Party Risk Management Checklist
  • 5. 5 Third Party Risk Management Checklist  Central list of your vendors  Identify critical vendors  Link vendors to business assets  Prioritise vendors based on budget and time  Assess vendors www.surecloud.com © 2020 SureCloud. All rights reserved.
  • 6. 6 Third Party Risk Management Checklist  Central list of your vendors  Identify critical vendors  Link vendors to business assets  Prioritise vendors based on budget and time  Assess vendors But don’t worry if you haven’t operationalised these processes in a recent TPRM survey; Most firms are yet to automate inventory updates, and 89% of organisations are still relying on manual processes to support their TPRM program. www.surecloud.com © 2020 SureCloud. All rights reserved.
  • 7. 7 What should you be asking your suppliers now?
  • 8. 8 What should you be asking your suppliers now? www.surecloud.com © 2020 SureCloud. All rights reserved. Affected services or products Fourth parties Service/ product locations TPRM assurance Remote working Continuity & recovery planning Risk management
  • 9. 9 What should you be asking your suppliers now? www.surecloud.com © 2020 SureCloud. All rights reserved. Affected services or products Fourth parties Service/ product locations TPRM assurance Remote working Continuity & recovery planning Risk management
  • 10. 10 What should you be asking your suppliers now? www.surecloud.com © 2020 SureCloud. All rights reserved. Affected services or products Fourth parties Service/ product locations TPRM assurance Remote working Continuity & recovery planning Risk management
  • 11. 11 What should you be asking your suppliers now? www.surecloud.com © 2020 SureCloud. All rights reserved. Affected services or products Fourth parties Service/ product locations TPRM assurance Remote working Continuity & recovery planning Risk management
  • 12. 12 What should you be asking your suppliers now? www.surecloud.com © 2020 SureCloud. All rights reserved. Affected services or products Fourth parties Service/ product locations TPRM assurance Remote working Continuity & recovery planning Risk management
  • 13. 13 What should you be asking your suppliers now? www.surecloud.com © 2020 SureCloud. All rights reserved. Affected services or products Fourth parties Service/ product locations TPRM assurance Remote working Continuity & recovery planning Risk management
  • 14. 14 What should you be asking your suppliers now? www.surecloud.com © 2020 SureCloud. All rights reserved. Affected services or products Fourth parties Service/ product locations TPRM assurance Remote working Continuity & recovery planning Risk management
  • 15. 15 Why your fourth parties are so important
  • 16. 16 Security breaches from 3rd and 4th parties RSA Security: • April 2011 – via a recruitment company and xls file • Tens of millions of SecurID hardware tokens would have to be re-issued to clients British Airways: • September 2018 – via online payment forms • Approximately 380,000 transactions were affected and a proposed fine of £183m www.surecloud.com © 2020 SureCloud. All rights reserved.
  • 17. 17 Why are fourth parties important? www.surecloud.com © 2020 SureCloud. All rights reserved. Your Organisation
  • 18. 18 Why are fourth parties important? www.surecloud.com © 2020 SureCloud. All rights reserved. Your Organisation Third Party Vendor Third Party Vendor  What if your third party is also working with multiple third parties to provide your services?
  • 19. 19 Why are fourth parties important? www.surecloud.com © 2020 SureCloud. All rights reserved. Your Organisation Third Party Vendor Third Party Vendor 4th Party Vendor 4th Party Vendor 4th Party Vendor 4th Party Vendor 4th Party Vendor 4th Party Vendor  Fourth parties can infiltrate a company’s data through the third party relationship  Fourth party risks can arise from contractors, consultants and other vendors working with your third- party vendor
20–24
How to address fourth parties?
• Ask targeted questions of your third parties to understand who their fourth parties are
• Work actively with your third parties to request information and get a full understanding of the fourth parties involved
• Review your third parties' own TPRM policies and practices
• Require, by contract, that your third parties notify you before they contract with a fourth party vendor
• Identify trends in fourth parties and conduct onsite audits where possible
25
Embedding your risk & control culture in your suppliers
26
Embedding your risk and control culture in your suppliers
Current situation:
• Organisations are conducting point-in-time assessments, which are often regulator-driven
Changing the mindset:
• Embed your organisation's risk and compliance processes into your suppliers
• Actively incentivise suppliers to report risk and compliance data
• Document and manage the risks and controls that arise from your supplier relationships
• Track and assign remediation activities to your suppliers
27
Using technology to enhance your program
28
Using technology to enhance visibility of your vendors
Current situation:
• Your organisation's third party risk management program and tooling isn't integrated with the wider organisation.
How to enhance your program:
• Which of the technology we already have will give us greater insight?
• What other technology would give us better insight?
29
Technology you can leverage
Existing technology that can give us greater insight:
• Incident data
• IT assets
• Contract data
• Risk and compliance data
Other technology that can give us better insight:
• Financial stability data
• Cyber risk ratings
• Regulatory data
• Corruption Perceptions Index
31
Introducing SureCloud's Complimentary Supply Chain Solution
With the free solution you can:
1. Document key processes and assets
2. Document your key 3rd and 4th parties
3. Directly assess your supply chain
4. Contribute to a global insight report
5. Define and manage both issues and exceptions
6. Report results via intuitive dashboards
https://info.surecloud.com/free-supply-chain-solution
Upcoming webinar: How to Understand and Build the Resilience of your Supply Chain
32
Get in touch
Carry on the conversation...
@surecloud
alex.hollis@surecloud.com
matthew.davies@surecloud.com

Editor's Notes

1. AH – First (Background). MD – Second (Background).
2. AH – Walkthrough. FYI – we are all remote.
3. AH – Checklist. Key starters for 10. Matt revalidate, and add start to targeted question sets & link to tier or value of contract.
4. MD – do. Highlight.
5. MD – lead. AH – add (future services) as nature changes.
6. MD – Lead. AH – either move on or add.
7. MD – Lead. AH – either move on or add.
8. MD – Lead. AH – either move on or add.
9. MD – Lead. AH – either move on or add.
10. MD – Lead. AH – either move on or add.
11. MD – Lead. AH – either move on or add.
12. AH – Lead this.
13. MD – Lead.
14. MD – Lead.
15. MD – Lead. AH – example:
   Marketing agencies – freelance
   IT provider – services
   Consulting firms – specialist staff
   SaaS providers – infrastructure and libraries
16. AH – Lead.
17. AH – Lead.
18. AH – Lead.
19. AH – Lead.
20. AH – Lead. Matt comment – point 3 – good comms and relationship with vendors. AH – ask Matt (level of trust): do you need to pay for trust? Size: one-man band vs large service company. If it's too good to be true it normally is. Ask for references.
21. MD/AH – discuss "as is". AH – this wasn't designed for where we are today, e.g. cloud. MD points – accountable & report things into group risk? How does this happen? Telling you about risk.
22. AH – lead.
23. AH/MD – Alex lead. MD comments more informed.