Supplier Risk Assessment
Gary Bahadur, CEO, KRAA Security
info@kraasecurity.com
888-KRAA-911
October 7th, 2009

Supplier Risk - Overview
KRAA Security - www.kraasecurity.com
What We'll Cover Today
- What is Supplier Risk?
- Risk Considerations
- Risk Criteria
- Business Security Goals
- Supplier Access Profile
- Risk Classification Model
- Supplier Risk Process for Data Lifecycle
- Supplier Risk Assessment Process
- Supplier Review Process
- Conclusions
What is Supplier/Partner Risk?
Suppliers pose a challenge to any organization:
- People – contractors in and out of the company, reliance on Supplier background checks (if any)
- Process – each department may manage the Supplier relationship differently; IT may not be fully informed
- Technology – Supplier connectivity based on convenience and IT processes rather than security requirements
What have we focused our security dollars on?
- Firewall, antivirus, vulnerability management, IDS, policies
- Little if any allocation for testing, reviewing and monitoring Suppliers
- No follow-up as relationships change or a Supplier's internal structure changes (e.g. acquisition)
- Doing a SAS70 II in some cases (expensive!)
- Website penetration testing
What is Supplier/Partner Risk?
- Asset management systems are frequently inaccurate and have no owners
- Manual processes used (emails, Word documents, phone calls)
- Inconsistent cataloging of data across different Suppliers
- Large companies have a challenge with Business Units, time zones and regulations
- No ownership of the security relationship
- No consistent application testing methods
What is Supplier Risk?
Almost no accountability by the Supplier or the company for Data Lifecycle Management:
- Creation – who creates/manages the data
- Usage – what limitations are placed on the Supplier
- Storage – what controls are in place for storage
- Transportation – how the data is transmitted
- Destruction – what the validation and verification process is
Risk Considerations
- Risk assessment should be thought of as an ongoing process
- A model for risk assessment is needed; follow the Secure Development Life Cycle
- Conduct a detailed Supplier information risk assessment, with strong commitment from upper management
- Consider both Technology and Business process risks
- Define a process for all Supplier access and data exchanges

Risk Considerations
- Develop awareness of inherent risks
- Prioritize risk considerations over time and for all future projects
- Prepare a Risk Profile for each Supplier
- Define the reporting and update process
- Provide assessments based on your regulatory requirements (PCI, CoBIT, COSO, HIPAA, SOX, FFIEC, NIST, SAS70, etc.)

Supplier Risk Process
Define Risk Criteria
- Identify Assets at risk from Suppliers: network, file, storage, business processes, locations
- Define the value of assets
- Define the criticality of assets
- Prioritize security requirements of assets used by Suppliers
- Identify current security requirements and perform a Gap Analysis
- Identify Vulnerabilities from Suppliers and from the External environment
- Complete the data classification model implementation
Define Business Security Goals
- Identify Business goals affected by Suppliers
- Define baseline security standards for Supplier access
- Define regulatory requirements of Supplier access to resources
- Acceptable risk as set by Business management
- What are the financial impacts?

Define Business Security Goals – Example
Define Operational Risk of Supplier Access - Profile
Develop a complete profile through:
- interview and documentation
- service contracts
- analysis of supplier industry risks
- business risk of supplier access
- controls currently in place over supplier access
- reports generated on supplier access and activities
Prioritize operational supplier tasks:
- What operational parameters are impacted?
- What is the potential risk to operations?
Define threats, impact and probability

Define Operational Risk of Supplier Access - Profile
- Define audit trails
- Define mission critical staff that interact with suppliers
- Define a mitigation strategy for operational weaknesses
- Define acceptance criteria for risk
- Define action plans for Suppliers and a responsibility matrix
Risk Classification Model – Example
Supplier Risk Processes for Data Lifecycle
Supplier: Marketing Company LLC (MC). Provides marketing information, customer data surveys and reports about competitors; is linked to corporate Email; receives customer lists.

Risk Process – Event Review
Track all Supplier related security events and operational risk events
Supplier Assessment Process

Supplier Assessment Process – Policies and Procedures Example
Supplier Review Processes
- Quarterly Meeting: CIO and Direct Reports
- Regulatory Impact Review
- IT Risk Considerations Update
- IT Risk Summary and New Mitigation Strategies
- Review Significant Events During the Quarter
- Define Action Items for Next Quarter

Supplier Risk Process – Recap

Conclusions
- Identification of key relevant risk
- Consistent process for planning and mitigating Supplier risk
- Focus on identifiable risk and efficient utilization of budget
- Methodical approach for examining the risk in a Supplier
- Common framework for all categories of Suppliers
- Baseline acceptable risk
- Improved planning for future risk mitigation projects

Questions and Answers
Gary Bahadur, CEO, KRAA Security
info@kraasecurity.com
888-KRAA-911
www.kraasecurity.com
Blog.kraasecurity.com
Twitter.com/kraasecurity
- Managed Security Services
- Vulnerability Management
- Compliance & Policy Development
- PGP Security
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Supplier Risk Assessment Process Overview

  • 1. Supplier Risk Assessment. Gary Bahadur, CEO, KRAA Security. info@kraasecurity.com, 888-KRAA-911. October 7th, 2009
  • 2. Supplier Risk - Overview (KRAA Security - www.kraasecurity.com)
  • 3. What We’ll Cover Today
    - What is Supplier Risk?
    - Risk Considerations
    - Risk Criteria
    - Business Security Goals
    - Supplier Access Profile
    - Risk Classification Model
    - Supplier Risk Process for Data Lifecycle
    - Supplier Risk Assessment Process
    - Supplier Review Process
    - Conclusions
  • 4. What is Supplier/Partner Risk?
    - Suppliers pose a challenge to any organization:
      - People – contractors in and out of the company, reliance on Supplier background checks (if any)
      - Process – each department can manage the Supplier relationship differently; IT may not be fully informed
      - Technology – Supplier connectivity based on convenience and IT processes rather than security requirements
    - What have we focused our security dollars on? Firewall, antivirus, vulnerability management, IDS, policies
    - Little if any allocation for testing, reviewing and monitoring Suppliers
    - No follow-up as relationships change or Suppliers' internal structures change (e.g. acquisition)
    - Doing a SAS70 II in some cases (expensive!)
    - Website penetration testing
  • 5. What is Supplier/Partner Risk?
    - Asset management systems are frequently inaccurate, with no owners
    - Manual processes used (emails, Word documents, phone calls)
    - Inconsistent cataloging of data across different Suppliers
    - Large companies have a challenge with Business Units, time zones, regulations
    - No ownership of the security relationship
    - No consistent application testing methods
  • 6. What is Supplier Risk?
    - Almost no accountability by the Supplier or the company for Data Lifecycle Management:
      - Creation – who creates/manages
      - Usage – what limitations are on the Supplier
      - Storage – what controls are in place for storage
      - Transportation – how is data transmitted
      - Destruction – what is the validation and verification process
  • 7. What We’ll Cover Today (agenda slide repeated from slide 3; next section: Risk Considerations)
  • 8. Risk Considerations
    - Risk assessment should be thought of as an ongoing process
    - Need a model for risk assessment that follows the Secure Development Life Cycle
    - Conduct a detailed Supplier information risk assessment, with strong commitment from upper management
    - Technology and Business process risks considered
    - Define a process for all Supplier access and data exchanges
  • 9. Risk Considerations
    - Development of awareness of inherent risks
    - Prioritize risk considerations over time and for all future projects
    - Prepare a Risk Profile of each Supplier
    - Define reporting and update process
    - Provide assessments based on your regulatory requirements (PCI, CoBIT, COSO, HIPAA, SOX, FFIEC, NIST, SAS70, etc.)
  • 10. Supplier Risk Process (title only in transcript)
  • 11. What We’ll Cover Today (agenda slide repeated from slide 3; next section: Risk Criteria)
  • 12. Define Risk Criteria
    - Identify Assets at risk from Suppliers: network, file, storage, business processes, locations
    - Define value of assets
    - Define criticality of assets
    - Prioritize security requirements of assets used by Suppliers
    - Identify current security requirements and perform Gap Analysis
    - Identify Vulnerabilities from Suppliers and from the External environment
    - Complete data classification model implementation
  • 13. What We’ll Cover Today (agenda slide repeated from slide 3; next section: Business Security Goals)
  • 14. Define Business Security Goals
    - Identify Business goals affected by Suppliers
    - Define baseline security standards for Supplier access
    - Define regulatory requirements of Supplier access to resources
    - Acceptable risk of Business management
    - What are the financial impacts?
  • 15. Define Business Security Goals – Example (title only in transcript)
  • 16. What We’ll Cover Today (agenda slide repeated from slide 3; next section: Supplier Access Profile)
  • 17. Define Operational Risk of Supplier Access - Profile
    - Develop a complete profile through interview and documentation:
      - service contracts
      - analysis of supplier industry risks
      - business risk of supplier access
      - controls currently in place over supplier access
      - reports generated on supplier access and activities
    - Prioritize operational supplier tasks
    - What operational parameters are impacted?
    - What is the potential risk to operations?
    - Define threats, impact and probability
  • 18. Define Operational Risk of Supplier Access - Profile
    - Define audit trails
    - Define mission critical staff that interact with suppliers
    - Define mitigation strategy for operational weaknesses
    - Define acceptance criteria for risk
    - Define action plans for Suppliers and a responsibility matrix
  • 19. What We’ll Cover Today (agenda slide repeated from slide 3; next section: Risk Classification Model)
  • 20. Risk Classification Model – Example (title only in transcript)
  • 21. What We’ll Cover Today (agenda slide repeated from slide 3; next section: Supplier Risk Process for Data Lifecycle)
  • 22. Supplier Risk Processes for Data Lifecycle
    - Supplier: Marketing Company LLC (MC) provides marketing information, customer data surveys and reports about competitors; is linked to corporate Email; receives customer lists
  • 23. Risk Process Event Review
    - Track all Supplier related security events and operational risk events
  • 24. What We’ll Cover Today (agenda slide repeated from slide 3, with the assessment item listed as "Project Risk Supplier Assessment Process"; next section: Supplier Assessment Process)
  • 25. Supplier Assessment Process (title only in transcript)
  • 26. Supplier Assessment Process – Policies and Procedures Example (title only in transcript)
  • 27. What We’ll Cover Today (agenda slide repeated from slide 3; next section: Supplier Review Process)
  • 28. Supplier Review Processes
    - Quarterly Meeting: CIO and Direct Reports
    - Regulatory Impact Review
    - IT Risk Considerations Update
    - IT Risk Summary and New Mitigation Strategies
    - Review Significant Events During the Quarter
    - Define Action Items for Next Quarter
  • 29. Supplier Risk Process - Recap (title only in transcript)
  • 30. Conclusions
    - Identification of key relevant risk
    - Consistent process for planning and mitigating Supplier risk
    - Focus on identifiable risk and efficient utilization of budget
    - Methodical approach for examining the risk in a Supplier
    - Common framework for all categories of Suppliers
    - Baseline acceptable risk
    - Improved planning for future risk mitigation projects
  • 31. Questions and Answers. Gary Bahadur, CEO, KRAA Security. info@kraasecurity.com, 888-KRAA-911, www.kraasecurity.com, Blog.kraasecurity.com, Twitter.com/kraasecurity. Services: Managed Security Services, Vulnerability Management, Compliance & Policy Development, PGP Security
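The deck's risk criteria (slide 12: asset value and criticality), operational profile (slide 17: threats, impact and probability), acceptable-risk baseline (slides 14 and 18), risk classification model (slide 20) and per-stage data lifecycle accountability (slides 6 and 22) fit together as one small scoring model. The code below is an added example written for this page; it is not KRAA Security's model or code, and the slide 20 example itself is not in the transcript. The 1-3 ordinal scales, the impact formula, the tier thresholds, the "Medium" acceptable tier and every value assigned to the Marketing Company LLC sample are assumptions made here for illustration.

```python
from dataclasses import dataclass, field

# Lifecycle stages as named on the deck's Data Lifecycle Management slide (slide 6).
LIFECYCLE_STAGES = ("creation", "usage", "storage", "transportation", "destruction")

# Ordinal 1-3 scale: an assumption of this example, not the deck's model.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    value: str        # business value, low/medium/high (slide 12: define value of assets)
    criticality: str  # low/medium/high (slide 12: define criticality of assets)


@dataclass
class SupplierAccess:
    """One supplier's access to one asset: the threat likelihood for that access
    and, per lifecycle stage touched, the documented control (None = no control)."""
    asset: Asset
    likelihood: str                              # probability a threat is realised
    stages: dict = field(default_factory=dict)   # stage -> control text or None


def impact(asset: Asset) -> int:
    """Impact = the larger of value and criticality (assumed formula)."""
    return max(SCALE[asset.value], SCALE[asset.criticality])


def risk_score(access: SupplierAccess) -> int:
    """Risk = impact x likelihood, giving a 1..9 score (slide 17)."""
    return impact(access.asset) * SCALE[access.likelihood]


def classify(score: int) -> str:
    """Map a score to a tier; thresholds are an assumption of this example."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def control_gaps(access: SupplierAccess) -> list:
    """Lifecycle stages the supplier touches that have no documented control,
    in lifecycle order: the accountability gaps slide 6 describes."""
    return [stage for stage in LIFECYCLE_STAGES
            if stage in access.stages and access.stages[stage] is None]


def assess_supplier(name: str, accesses: list, acceptable_tier: str = "Medium") -> dict:
    """Build a supplier risk profile: per-asset score, tier and gaps, the overall
    tier, and whether it exceeds the business's acceptable tier (slides 14, 18)."""
    order = ["Low", "Medium", "High"]
    rows = []
    for access in accesses:
        score = risk_score(access)
        rows.append({"asset": access.asset.name, "score": score,
                     "tier": classify(score), "gaps": control_gaps(access)})
    overall = max((row["tier"] for row in rows), key=order.index)
    return {"supplier": name, "assets": rows, "overall": overall,
            "exceeds_acceptable": order.index(overall) > order.index(acceptable_tier)}


# Constructed sample input based on the deck's Marketing Company LLC example
# (slide 22: linked to corporate Email, receives customer lists). Values,
# likelihoods and control states are invented here for illustration.
CUSTOMER_LISTS = Asset("customer lists", value="high", criticality="high")
CORPORATE_EMAIL = Asset("corporate email", value="medium", criticality="high")

MC_ACCESS = [
    SupplierAccess(CUSTOMER_LISTS, likelihood="medium", stages={
        "usage": "contractual limits on use",
        "storage": None,         # no documented control at the supplier
        "transportation": "SFTP with key-based authentication",
        "destruction": None,     # no validated destruction process
    }),
    SupplierAccess(CORPORATE_EMAIL, likelihood="low", stages={
        "usage": "named accounts, mailbox access logged",
    }),
]

if __name__ == "__main__":
    profile = assess_supplier("Marketing Company LLC", MC_ACCESS)
    print(profile["overall"], "exceeds acceptable:", profile["exceeds_acceptable"])
    for row in profile["assets"]:
        print(row)
```

With these inputs the customer-list access scores 6 (High) with storage and destruction as uncontrolled stages, the email link scores 3 (Medium), and the supplier's overall tier is High, which exceeds the assumed Medium baseline and so would feed the mitigation strategy and action plan steps of slide 18. Replacing the scales and thresholds with the organization's own classification model is the intended customization point.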