The document discusses supplier risk assessment and provides a framework for assessing and managing risk from suppliers. It defines supplier risk, outlines risk considerations and criteria, discusses developing supplier access profiles and a risk classification model. It then describes the supplier risk assessment process, which includes assessing suppliers' data lifecycles, policies and procedures. The framework also includes regular supplier review processes to ensure ongoing risk management. The goal is to take a methodical approach to examining supplier risk and mitigating issues through a consistent, baseline process.
3. What We'll Cover Today
- What is Supplier Risk?
- Risk Considerations
- Risk Criteria
- Business Security Goals
- Supplier Access Profile
- Risk Classification Model
- Supplier Risk Process for Data Lifecycle
- Supplier Risk Assessment Process
- Supplier Review Process
- Conclusions
3 KRAA Security - www.kraasecurity.com
4. What is Supplier/Partner Risk?
Suppliers pose a challenge to any organization:
- People: contractors move in and out of the company; reliance on the Supplier's background checks (if any)
- Process: each department may manage the Supplier relationship differently, and IT may not be fully informed
- Technology: Supplier connectivity is based on convenience and IT processes rather than on security requirements
What have we focused our security dollars on?
- Firewall, antivirus, vulnerability management, IDS, policies
- Little if any allocation for testing, reviewing and monitoring Suppliers
- No follow-up as relationships change or as Suppliers' internal structures change (e.g. an acquisition)
- Doing a SAS70 II in some cases (expensive!)
- Website penetration testing
5. What is Supplier/Partner Risk?
- Asset management systems are frequently inaccurate and have no owners
- Manual processes are used (emails, Word documents, phone calls)
- Inconsistent cataloging of data across different Suppliers
- Large companies face challenges with Business Units, time zones and regulations
- No ownership of the security relationship
- No consistent application testing methods
6. What is Supplier Risk?
Almost no accountability by the Supplier or the company for Data Lifecycle Management:
- Creation: who creates and manages the data
- Usage: what limitations are placed on the Supplier
- Storage: what controls are in place for storage
- Transportation: how the data is transmitted
- Destruction: what the validation and verification process is
8. Risk Considerations
- Risk assessment should be thought of as an ongoing process
- A risk assessment model is needed that follows the Secure Development Life Cycle
- Conduct a detailed Supplier information risk assessment, with strong commitment from upper management
- Consider both technology and business process risks
- Define a process for all Supplier access and data exchanges
9. Risk Considerations
- Develop awareness of inherent risks
- Prioritize risk considerations over time and for all future projects
- Prepare a Risk Profile of each Supplier
- Define the reporting and update process
- Provide assessments based on your regulatory requirements (PCI, CoBIT, COSO, HIPAA, SOX, FFIEC, NIST, SAS70, etc.)
12. Define Risk Criteria
- Identify assets at risk from Suppliers: network, files, storage, business processes, locations
- Define the value of assets
- Define the criticality of assets
- Prioritize the security requirements of assets used by Suppliers
- Identify current security requirements and perform a Gap Analysis
- Identify vulnerabilities from Suppliers and from the external environment
- Complete implementation of the data classification model
14. Define Business Security Goals
- Identify business goals affected by Suppliers
- Define baseline security standards for Supplier access
- Define regulatory requirements for Supplier access to resources
- Determine the acceptable risk for business management
- What are the financial impacts?
17. Define Operational Risk of Supplier Access - Profile
Develop a complete profile through interviews and documentation:
- service contracts
- analysis of supplier industry risks
- business risk of supplier access
- controls currently in place over supplier access
- reports generated on supplier access and activities
Prioritize operational supplier tasks:
- What operational parameters are impacted?
- What is the potential risk to operations?
- Define threats, impact and probability
18. Define Operational Risk of Supplier Access - Profile
- Define audit trails
- Define mission-critical staff that interact with suppliers
- Define the mitigation strategy for operational weaknesses
- Define acceptance criteria for risk
- Define action plans for Suppliers and a responsibility matrix
22. Supplier Risk Processes for Data Lifecycle
Example Supplier: Marketing Company LLC (MC) provides marketing information, customer data surveys and reports about competitors; it is linked to corporate email and receives customer lists.
23. Risk Process: Event Review
Track all Supplier-related security events and operational risk events.
28. Supplier Review Processes
Quarterly meeting of the CIO and direct reports:
- Regulatory impact review
- IT risk considerations update
- IT risk summary and new mitigation strategies
- Review of significant events during the quarter
- Define action items for the next quarter
30. Conclusions
- Identification of the key relevant risks
- Consistent process for planning and mitigating Supplier risk
- Focus on identifiable risk and efficient use of budget
- Methodical approach for examining the risk in a Supplier
- Common framework for all categories of Suppliers
- Baseline of acceptable risk
- Improved planning for future risk mitigation projects
31. Questions and Answers
Gary Bahadur, CEO, KRAA Security
info@kraasecurity.com
888-KRAA-911
www.kraasecurity.com
Blog.kraasecurity.com
Twitter.com/kraasecurity
- Managed Security Services
- Vulnerability Management
- Compliance & Policy Development
- PGP Security