October 2014
Vendor Security Risk Management - How to Handle the New Normal
“Some Important Lessons Learned From Both Directions”
Presented By: Joe Filer, CISSP, PMP, CRISC
Who is this Guy?
• BA in Math, Masters in Operations Research
• Over 20 years as an information security professional
  – Increasing levels of global security leadership with extensive compliance focus
• CISSP/CRISC – Security and Risk Experience
• PMP – Project Management Experience
• ISSA Distinguished Fellow
• Currently – VP, CISO at Harland Clarke Holdings Corp.
  – Multi-company, global footprint
• Resident of San Antonio, TX (almost 30 years)
Ground Rules
• Some of the information provided will be identified as “my personal or professional opinion” and should not be considered as reflective of my employer’s position.
• Any aspect of this presentation that might be considered to address legal issues reflects summaries and should not be considered legal advice.
Overview
• What is Vendor Security Risk Management?
• Overview of the Key Concepts
• Perspective/Premise
• Changing Landscape and Forecasts
• Issues and Lessons Learned
• Solutions
• Conclusions
Definition
Vendor Security Risk Management
• Structured approach to ensure that relevant vendor security risk postures are understood, documented and validated to an appropriate level
Key components of effective VSRM
Vendor Security Risk Management
• Required confidentiality components in contracts
• Confidence that all “relevant” vendors are subjected to the program’s oversight
• Approach where vendor security postures are understood, documented and validated when appropriate
• Feedback to the vendor to facilitate remediation when required
Key Concepts
• Risk – potential harm that could occur from a future event
• Risk Management – the process of understanding risk and determining how best to handle exposure
• Compliance – meeting all the requirements of a standard
• Certification – authority attesting to a level of compliance
Unique Perspective
My Team
• Own Vendor Security Risk Management for ~50 Critical Vendors
• Support client requirements as a Critical Vendor to hundreds of Financial Institutions
Premise - As an industry we need to recognize the importance of doing vendor security risk management better…
“Vendor Security Risk Management (VSRM/Due Diligence) efforts can be very costly and may not lead to confident visibility into the security posture of our critical vendor relationships.”
“We have not embraced the key lessons learned from doing VSRM for several years.”
“There has to be a better (cost effective) way to meet this important objective.”
Changing Landscapes and Forecasts
• OCC Guidelines Oct 2013
  – Establishes clear requirement for 3rd party oversight
  – Emphasis on risk management and due diligence
  – Considered somewhat ambiguous and subject to misinterpretation
• The weaknesses associated with the “Payment Card Industry approach” will be addressed
  – Expect more comprehensive requirements including vendor security management
  – More stringent assessor expectations
  – VISA Validation effort – Jan 2015
Changing Landscape and Forecasts
• Consumers are sick of “holding the bag”
  – Companies will be held accountable for security decision-making
  – Too many vendors do not have a good “history”…
  – Class action lawsuits
• Federal legislation is Coming!
  – Tech savvy generation in leadership influencing direction
  – Lots of new regulations (See OCC 10/2013)
  – Legislation has been “bubbling under the surface” for several years (See http://fas.org/sgp/crs/natsec/R42114.pdf)
  – Response to consumer lack of confidence
Issues/Lessons Learned #1
Vendors are not your enemy! They are not trying to hide things from you and you should not fear them.
• Lesson: If we need to be “afraid” of our vendors, why have them?
  – Build relationships with good partners.
  – Invest in good up-front vetting that starts the process on a solid footing.
  – There is too much focus on people trying to “pull the wool over our eyes”.
Issues/Lessons Learned #2
The PROCESS is not more important than the objective.
• Lesson: We need to recognize the impact that this process has on our vendors and our business elements
  – Excessively burdensome requirements can impact the willingness of the vendor to “participate” in the effort
  – We don’t all have unlimited security budgets and “Time is Money”
  – Vendors are not impressed by fancy collection tools, overly comprehensive surveys, etc.
Issues/Lessons Learned #3
Inconsistent guidance to Vendor Security Management is reflected in extraordinary document requests
• Lesson: Vendor Security Management has lost sight of the original objective – Confidence in the security posture of key vendors
  – Piles of documents cannot really support an effective evaluation of security posture
  – Approach probably increases overall risk as many documents reflect SENSITIVE information on their own
Issues/Lessons Learned #4
Not every “gap” is HIGH risk…
• Lesson: We need to be realistic about the sensitivity we attach to risk issues.
  – Threat consideration is a key piece of the process
  – Effective risk assessment allows for business prioritization and remediation
  – Credibility with the business is at stake
Issues/Lessons Learned #5
Compliance has become a CheckBox exercise in many cases.
• Lesson: We have lost sight of something learned long ago - “There is no such thing as One Size Fits All Security”
  – PCI and “compliance versus security” failures
  – The “qualitative” aspect of reviews began to erode with SOX reviews
  – Risk context is very important
Issues/Lessons Learned #6
SOC 2 could be the best thing to happen to VSRM in some time…
• Lesson: We have to rely on comprehensive security reviews whenever possible.
  – SAS70 was not the answer – not always measured to the same level
  – SOC 2 is a viable solution for non-validated control visibility – a good, cost effective starting point for vendor security awareness
  – Mentioned directly in OCC Guidelines as viable oversight
Solutions
• Maintain the focus on Security Risk Management
  – Keep process on target and in a “Box”
  – We cannot over-rotate on parts of the issue (e.g., scanning)
  – Limit document exposure
  – Trust but Verify while keeping validation at an appropriate level…
• We do NOT need to Re-invent the Wheel
  – Effective Vendor Security Risk Management has been going on for over 15 years…
  – Success starts with Clear Requirements in Contracts
  – Understand and respect the impact on the vendor
• Be proactive as a Vendor
  – “Build Once, Use Many” documents provide efficient visibility
  – Confidence goes a long way
  – Stand firm when you have to
Solutions (Generally)
• Focus on Effective Security Posture NOT Compliance
  – Comprehensive and secure programs lead to compliance BUT not the other way around…
  – Recognize the Importance that Risk Plays in the Process
• Document the Risk Management Decision Process
  – Capture why things were (or were not) done
  – Ensure the Business owns/drives the risk-based decision
  – Security should be a Consultant in the process
  – Understand and advocate for your vendors/clients/customers
• Own your Compliance/Audit Relationships
  – Push them beyond the CheckBox mentality
  – Think quality
  – And, make them add value to your awareness
Conclusions
• Vendor Security Risk Management is an absolute requirement today and we must do it right
• Working together as “partners” is essential
• Process is an enabler not the objective
• As an industry, we have to get better at understanding and leveraging Risk Management
• There is no such thing as “One Size Fits All Security”
• We must address the rising “CheckBox Mindset” and its impact on Security/Compliance
• Solid security programs reflect the foundation for Compliance successes – Not the other way around
• We must determine some alternatives – SOC 2 – YES!
• Fundamental Philosophy has not changed – Effective Security Must Enable the Business
Questions
For more information… 
Joe Filer, CISSP, PMP, CRISC 
VP, Chief Information Security Officer 
10931 Laureate Drive 
San Antonio, TX 78249 
210.694.1560 (office) 
210.475.1920 (cell) 
joseph.filer@harlandclarke.com