Supplier Risk Assessment


A supply chain has many vendors that need to be assessed for the risk they pose to the organization. A vendor risk analysis process should be in place to determine where weaknesses are from a technology point of view in the supply chain.

Published in: Technology


1. Supplier Risk Assessment
   Gary Bahadur, CEO, KRAA Security
   info@kraasecurity.com
   888-KRAA-911
   October 7th, 2009

2. Supplier Risk - Overview
   KRAA Security - www.kraasecurity.com

3. What We'll Cover Today
   - What is Supplier Risk?
   - Risk Considerations
   - Risk Criteria
   - Business Security Goals
   - Supplier Access Profile
   - Risk Classification Model
   - Supplier Risk Process for Data Lifecycle
   - Supplier Risk Assessment Process
   - Supplier Review Process
   - Conclusions

4. What is Supplier/Partner Risk?
   Suppliers pose a challenge to any organization:
   - People – contractors in and out of the company; reliance on Supplier background checks (if any)
   - Process – each department can manage the Supplier relationship differently; IT may not be fully informed
   - Technology – Supplier connectivity based on convenience and IT processes rather than security requirements
   What have we focused our security dollars on?
   - Firewall, antivirus, vulnerability management, IDS, policies
   - Little if any allocation for testing, reviewing and monitoring Suppliers
   - No follow-up as relationships change or Suppliers' internal structures change (i.e. acquisition)
   - Doing a SAS70 II in some cases (expensive!)
   - Website penetration testing

5. What is Supplier/Partner Risk?
   - Asset management systems are frequently inaccurate, with no owners
   - Manual processes used (emails, Word documents, phone calls)
   - Inconsistent cataloging of data across different Suppliers
   - Large companies have a challenge with Business Units, time zones and regulations
   - No ownership of the security relationship
   - No consistent application testing methods

6. What is Supplier Risk?
   Almost no accountability by the Supplier or the company for Data Lifecycle Management:
   - Creation – who creates/manages
   - Usage – what limitations are on the Supplier
   - Storage – what controls are in place for storage
   - Transportation – how is data transmitted
   - Destruction – what is the validation and verification process

7. What We'll Cover Today (agenda, repeated from slide 3)

8. Risk Considerations
   - Risk assessment should be thought of as an ongoing process
   - Need a model for risk assessment that follows the Secure Development Life Cycle
   - Conduct a detailed Supplier information risk assessment, with strong commitment from upper management
   - Technology and business process risks considered
   - Define a process for all Supplier access and data exchanges

9. Risk Considerations
   - Development of awareness of inherent risks
   - Prioritize risk considerations over time and for all future projects
   - Prepare a Risk Profile of each Supplier
   - Define reporting and update process
   - Provide assessments based on your regulatory requirements (PCI, CoBIT, COSO, HIPAA, SOX, FFIEC, NIST, SAS70, etc.)

10. Supplier Risk Process

11. What We'll Cover Today (agenda, repeated from slide 3)

12. Define Risk Criteria
   - Identify assets at risk from Suppliers: network, file, storage, business processes, locations
   - Define value of assets
   - Define criticality of assets
   - Prioritize security requirements of assets used by Suppliers
   - Identify current security requirements and perform Gap Analysis
   - Identify vulnerabilities from Suppliers and from the external environment
   - Complete data classification model implementation

13. What We'll Cover Today (agenda, repeated from slide 3)

14. DEFINE BUSINESS SECURITY GOALS
   - Identify business goals affected by Suppliers
   - Define baseline security standards for Supplier access
   - Define regulatory requirements of Supplier access to resources
   - Acceptable risk of business management
   - What are the financial impacts?

15. DEFINE BUSINESS SECURITY GOALS - Example

16. What We'll Cover Today (agenda, repeated from slide 3)

17. DEFINE OPERATIONAL RISK OF Supplier ACCESS - PROFILE
   Develop a complete profile through:
   - interview and documentation
   - service contracts
   - analysis of supplier industry risks
   - business risk of supplier access
   - controls currently in place over supplier access
   - reports generated on supplier access and activities
   Prioritize operational supplier tasks:
   - What operational parameters are impacted?
   - What is the potential risk to operations?
   - Define threats, impact and probability

18. DEFINE OPERATIONAL RISK OF Supplier ACCESS - PROFILE
   - Define audit trails
   - Define mission-critical staff that interact with suppliers
   - Define mitigation strategy for operational weaknesses
   - Define acceptance criteria for risk
   - Define action plans for Suppliers and a responsibility matrix
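The profile steps above (define threats with impact and probability, define acceptance criteria, define action plans) can be captured in a small supplier risk register. The following is an added example written for this page, not code from the presentation or from KRAA Security; the 3-point scales, the tier thresholds, the "unverified lifecycle control raises the tier" rule and the sample suppliers (including the threat values attached to the Marketing Company LLC supplier named on slide 22) are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed 3-point ordinal scales for probability and impact.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Data lifecycle stages from the accountability list on slide 6.
LIFECYCLE_STAGES = ("creation", "usage", "storage", "transportation", "destruction")


@dataclass
class Threat:
    description: str
    probability: str  # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"

    def score(self) -> int:
        # Risk = probability x impact, giving a value in 1..9 (assumed model).
        return SCALE[self.probability] * SCALE[self.impact]


@dataclass
class SupplierProfile:
    name: str
    access: list[str]            # connectivity granted to the supplier
    data_received: list[str]     # data classes the supplier handles
    controls: dict[str, bool]    # lifecycle stage -> control verified?
    threats: list[Threat] = field(default_factory=list)


def inherent_risk(profile: SupplierProfile) -> int:
    """Worst-case threat score for the supplier (0 if no threats recorded)."""
    return max((t.score() for t in profile.threats), default=0)


def missing_controls(profile: SupplierProfile) -> list[str]:
    """Lifecycle stages for which no control has been verified."""
    return [s for s in LIFECYCLE_STAGES if not profile.controls.get(s, False)]


def classify(profile: SupplierProfile) -> str:
    """Map inherent risk to Low/Medium/High; any unverified lifecycle
    control raises the tier by one step (assumed classification rule)."""
    score = inherent_risk(profile)
    tier = "High" if score >= 6 else "Medium" if score >= 3 else "Low"
    if missing_controls(profile) and tier != "High":
        tier = "Medium" if tier == "Low" else "High"
    return tier


def review(profile: SupplierProfile, accept_up_to: str = "Medium") -> dict:
    """Apply the acceptance criteria and produce an action item for the
    responsibility matrix: escalate, remediate or accept."""
    order = ["Low", "Medium", "High"]
    tier = classify(profile)
    gaps = missing_controls(profile)
    if order.index(tier) > order.index(accept_up_to):
        action = "escalate: exceeds acceptable risk; restrict access until mitigated"
    elif gaps:
        action = "remediate: verify controls for " + ", ".join(gaps)
    else:
        action = "accept: within baseline; re-review at quarterly meeting"
    return {"supplier": profile.name, "score": inherent_risk(profile),
            "tier": tier, "gaps": gaps, "action": action}


def review_register(profiles: list[SupplierProfile], accept_up_to: str = "Medium") -> list[dict]:
    """Review every supplier, highest inherent risk first."""
    return sorted((review(p, accept_up_to) for p in profiles), key=lambda r: -r["score"])


# Constructed sample register (threat ratings and control states are made up).
MARKETING = SupplierProfile(
    name="Marketing Company LLC (MC)",
    access=["corporate email link", "customer list transfer"],
    data_received=["customer lists", "customer survey data"],
    controls={"creation": True, "usage": True, "storage": True,
              "transportation": True, "destruction": False},
    threats=[Threat("customer list retained after contract end", "medium", "high"),
             Threat("phishing through the linked corporate email", "medium", "medium")],
)
FACILITIES = SupplierProfile(
    name="Facilities vendor (constructed)",
    access=["badge system vendor portal"], data_received=["employee names"],
    controls={s: True for s in LIFECYCLE_STAGES},
    threats=[Threat("vendor laptop lost with site plans", "low", "medium")],
)
SUPPLIES = SupplierProfile(
    name="Office supplies portal (constructed)",
    access=["ordering web portal"], data_received=["cost centre codes"],
    controls={"creation": True, "usage": True, "storage": True,
              "transportation": True, "destruction": False},
    threats=[Threat("stale portal account", "low", "low")],
)
REGISTER = [MARKETING, FACILITIES, SUPPLIES]

if __name__ == "__main__":
    for row in review_register(REGISTER):
        print(f"{row['supplier']:<36} score={row['score']} tier={row['tier']:<6} {row['action']}")
```

The register produces one line per supplier for the quarterly review: the Marketing supplier scores 6 (High) and is escalated, the supplies portal is Low on threat score but has no verified destruction control and is pushed to Medium with a remediation item, and the facilities vendor is accepted. Changing `accept_up_to` is how the "define acceptance criteria for risk" step is expressed in this model.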
19. What We'll Cover Today (agenda, repeated from slide 3)

20. RISK CLASSIFICATION MODEL - Example

21. What We'll Cover Today (agenda, repeated from slide 3)

22. Supplier RISK PROCESSES FOR DATA LIFECYCLE
   Supplier: Marketing Company LLC (MC) provides marketing information, customer data surveys and reports about competitors; it is linked to corporate email and receives customer lists.

23. Risk Process Event Review
   Track all Supplier-related security events and operational risk events.

24. What We'll Cover Today (agenda, repeated from slide 3, with "Project Risk" added before the Supplier Assessment Process)

25. Supplier ASSESSMENT PROCESS

26. Supplier ASSESSMENT PROCESS – Policies and Procedures Example

27. What We'll Cover Today (agenda, repeated from slide 3)

28. Supplier REVIEW PROCESSES
   Quarterly Meeting: CIO and direct reports
   - Regulatory impact
   - Review IT risk considerations
   - Update IT risk summary and new mitigation strategies
   - Review significant events during the quarter
   - Define action items for next quarter

29. Supplier Risk Process - recap

30. CONCLUSIONS
   - Identification of key relevant risk
   - Consistent process for planning and mitigating Supplier risk
   - Focus on identifiable risk and efficient utilization of budget
   - Methodical approach for examining the risk in a Supplier
   - Common framework for all categories of Suppliers
   - Baseline acceptable risk
   - Improved planning for future risk mitigation projects

31. Questions and Answers
   Gary Bahadur, CEO, KRAA Security
   info@kraasecurity.com
   888-KRAA-911
   www.kraasecurity.com
   Blog.kraasecurity.com
   Twitter.com/kraasecurity
   * Managed Security Services
   * Vulnerability Management
   * Compliance & Policy Development
   * PGP Security
