Vendor Risk – Cyber Security Perspective
March 15th, 2017
Page 2
© 2016 Mafazo | All Rights Reserved
Introductions
Shannon Glass - Fisher
Practice Director, Information Security
Afidence
shannon.glass@afidence.com
Max Aulakh
Information Security Professional
MAFAZO Cyber Security
max@mafazo.com
Agenda
Business Case
Process Overview
Vendor Classification
Inherent Risk
Building your assessment
Manual Process
Process Automation
Monitoring Stage
Business Case | Headlines
Target Hackers Used Stolen Vendor Credentials
– Wall Street Journal, January 2014
Bank says a failure on vendor's part to correctly fix an identified instability within the bank's storage system led to the seven-hour service outage last week.
– By Eileen Yu, ZDNet Asia on July 14, 2010
New York Tightens Screws on 3rd Party Cyber-Risk
– By Chris Kentouris, FinOps Report on March 8, 2017
“It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.”
– NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks, 10/21/14
Business Case | Regulatory Pressure
• 1996: HIPAA passed
• Jul ’01: GLBA
• Nov ’01: OCC Bulletin 2001-47
• May ’02: OCC Bulletin 2002-16
• Aug ’03: CS Privacy SB 1386
• May ’07: HF 1758, MN Plastic Card Security Act
• Nov ’09: HITECH Act
• Jan ’10: NRS 603, NV Data Security
• Mar ’10: 201 MA Code Reg 17
• Jul ’10: WA HB 1149
• Jan ’11: PCI DSS 2
• Mar ’12: CFPB Bulletin 2012-03
• Mar ’13: Omnibus HIPAA Rule
• Oct ’13: OCC Bulletin 2013-29
• May ’14: PCI DSS 3
• Oct ’16: DFARS 204.73
Companies often face direct financial impact!
3rd Parties are a major source of data breaches!
Vendor Risk Process Overview
1. Inventory Vendors
2. Classify Vendor
3. Assessment Type
4. Coordinate Self Assess
5. Review On Phone
6. Review On Site
7. Generate Issues
8. Finalize Corrective Plan
9. Monitor
Vendor Classification
• A classification scheme allows you to:
✓ Prioritize your vendors
✓ Build a relevant assessment for a particular vendor
✓ Understand the inherent risk posed by your vendors
✓ Use a flexible scoring system/model
• Many schemes exist, with several factors:
◦ Total Spend
◦ Financial Performance
◦ Criticality of the vendor’s service to the continuation of the client’s services
◦ Critical data being shared
Vendor Classification | Inherent
Inherent Risk factors and their levels:
• Strategic Factors: High / Medium / Low
• Vendor Criticality: High / Medium / Low
• Regulations: HIPAA Business Associate / SOX 404 / DFARS
• Type: Cloud / On-Prem / Development
• Data Amount: 100–200 Records / 200–300 Records / 1000–2000 Records
Vendor Classification | Inherent
Assessment Building
• Free Control Inventories
◦ NIST Cyber Security Framework
◦ NIST Risk Management Framework (900+ Controls)
◦ HIPAA Security Rule
◦ FedRAMP
◦ Custom Controls
◦ FFIEC Framework
◦ IT Examiner Handbook
• Lower cost inventories (almost free)
◦ ISO 27000
◦ PCI-DSS
• Overpriced Controls Data
◦ Shared Assessment/SIG
◦ Unified Compliance
◦ HITRUST
“a firm’s level of cybersecurity is only as good as the security of its vendors.”
Building an Assessment
• Most vendors are assessed based on “standardized questions”
◦ Would you ever ask a janitorial service if they have a Chief Security Officer?
• Too many questions that are not relevant incentivize the vendor to “quickly” get through the assessment so they can conduct business.
• Take vendor “fatigue” into consideration.
Assessment Auto-Tailoring
• Software can automate much of this work: not only building the assessment, but also selecting the type of questions you should be asking.
• Certain industries require some standardized questions regardless of the size of the vendor – FedRAMP
• Too many questions that are not relevant incentivize the vendor to “quickly” get through the assessment so they can conduct business.
• Take technical stack elements (database, operating systems, etc.) into consideration when tailoring.
◦ Don’t just accept “ISO or PCI” certifications – those are generally siloed efforts, not global ones
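As an added example (not code from the presentation or from any product it names), a small scoring model built from the factors on the "Vendor Classification | Inherent" slide, feeding an auto-tailoring step of the kind described above: the point weights, tier cut-offs, the sample question bank and the three sample vendors are assumptions constructed for illustration.

```python
# Inherent-risk scoring and assessment auto-tailoring (added example; the factor
# names come from the slide, the weights, cut-offs and question bank are assumed).
from __future__ import annotations
from dataclasses import dataclass

LEVEL_POINTS = {"Low": 1, "Medium": 2, "High": 3}          # assumed weights per level
REGULATION_POINTS = {"HIPAA Business Associate": 3, "SOX 404": 2, "DFARS": 3}  # assumed
TYPE_POINTS = {"Cloud": 3, "On-Prem": 1, "Development": 2}  # assumed weights per type
TIER_RANK = {"Low": 0, "Medium": 1, "High": 2}

@dataclass(frozen=True)
class Vendor:
    name: str
    strategic: str          # "Low" | "Medium" | "High"  (Strategic Factors)
    criticality: str        # "Low" | "Medium" | "High"  (Vendor Criticality)
    regulations: frozenset  # subset of REGULATION_POINTS keys
    vendor_type: str        # "Cloud" | "On-Prem" | "Development"
    records: int            # number of records shared with the vendor

def data_amount_points(records: int) -> int:
    """Bucket the shared record count using the slide's bands (assumed weights)."""
    if records <= 0:
        return 0
    if records <= 200:
        return 1
    if records <= 300:
        return 2
    return 3

def inherent_score(v: Vendor) -> int:
    """Sum the factor weights; reject regulations the scheme does not know about."""
    unknown = v.regulations - set(REGULATION_POINTS)
    if unknown:
        raise ValueError(f"unknown regulation(s): {sorted(unknown)}")
    return (LEVEL_POINTS[v.strategic]
            + LEVEL_POINTS[v.criticality]
            + sum(REGULATION_POINTS[r] for r in v.regulations)
            + TYPE_POINTS[v.vendor_type]
            + data_amount_points(v.records))

def inherent_tier(score: int) -> str:
    """Assumed cut-offs: High from 10 points, Medium from 6, otherwise Low."""
    if score >= 10:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    min_tier: str = "Low"                  # ask at this inherent-risk tier and above
    regulations: frozenset = frozenset()   # ask only if the vendor carries one of these
    vendor_types: frozenset = frozenset()  # ask only for these engagement types
    mandatory: bool = False                # asked regardless of vendor size or tier

# Constructed sample bank; a real program would load this from a control inventory.
QUESTION_BANK = [
    Question("Q1", "Do you maintain a written information security policy?"),
    Question("Q2", "Do you have a named Chief Security Officer?", min_tier="High"),
    Question("Q3", "Is our data encrypted at rest in your cloud environment?",
             vendor_types=frozenset({"Cloud"})),
    Question("Q4", "Do you sign and track HIPAA Business Associate Agreements?",
             regulations=frozenset({"HIPAA Business Associate"})),
    Question("Q6", "Do you scan third-party dependencies in code delivered to us?",
             vendor_types=frozenset({"Development"})),
    Question("Q7", "Do you notify us of security incidents within the contracted window?",
             mandatory=True),
]

def tailor_assessment(v: Vendor, bank: list[Question] = QUESTION_BANK) -> list[str]:
    """Return the ids of the questions a vendor of this profile should actually be asked."""
    tier = inherent_tier(inherent_score(v))
    selected = []
    for q in bank:
        if q.mandatory:
            selected.append(q.qid)
            continue
        if TIER_RANK[tier] < TIER_RANK[q.min_tier]:
            continue                      # question reserved for riskier vendors
        if q.regulations and not (q.regulations & v.regulations):
            continue                      # regulation-specific, vendor not in scope
        if q.vendor_types and v.vendor_type not in q.vendor_types:
            continue                      # stack/engagement-specific, does not apply
        selected.append(q.qid)
    return selected

# Constructed vendors: the slide's janitorial service, a cloud EHR host, a dev shop.
JANITORIAL = Vendor("Janitorial Co", "Low", "Low", frozenset(), "On-Prem", 0)
CLOUD_EHR = Vendor("EHR Cloud", "High", "High",
                   frozenset({"HIPAA Business Associate"}), "Cloud", 1500)
DEV_SHOP = Vendor("Dev Shop", "Medium", "Medium", frozenset({"SOX 404"}), "Development", 150)

if __name__ == "__main__":
    for vendor in (JANITORIAL, CLOUD_EHR, DEV_SHOP):
        score = inherent_score(vendor)
        print(vendor.name, score, inherent_tier(score), tailor_assessment(vendor))
```

The janitorial vendor ends up with two questions and the cloud EHR host with five, which is the point the slides make: the question set should follow the vendor's inherent risk and stack, not a single standardized list.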
Vendor Residual Risk
• What if the vendor's cyber security risk/residual risk remains too high after the assessment?
◦ Do you still conduct business with them?
• What can we do to de-risk your vendors from a cyber security perspective?
◦ Supply chain experts use “The Beer Game” to illustrate the power of data sharing to manage product spikes & distribution, protecting both the vendor and the client.
Manual Assessment Process
1. Compliance Officer
› NIST RMF or Custom Controls List manually extracted into MS Word or Excel (Framework/Spreadsheet 1)
2. Security Officer & Legal
› Select or Create Security Framework, linked to Non-Voluntary Requirements (Vendor Risk Requirements Finalized/Spreadsheet 2)
− SIG, NIST, etc.
3. Security Officer
› Creates multiple compliance spreadsheets
− 5–10 Columns, 100–200 Rows
− Multi-user input
4. Sent to Vendors (Email System)
› Vendor reviews spreadsheet
− Data collection
− Multiple inputs
Result: Multiple Spreadsheets
› By Vendor
› By Year
› By Change
Automation
• 1 FTE is expected to manage the cyber risk of 1000+ vendors while managing everything else internally.
◦ What would you do if you had to manage the cyber security risk of 100s of different vendors?
• 1 FTE is expected to build cyber assessments on the fly based on the “risk”
◦ Look for the ability to build out any assessment from any control inventory
• Automation serves as a force-multiplier
◦ Reduction of man-hours and reduction of errors
• Vendor cyber security automation can be almost as easy as a “password reset self service”, but for your vendors.
◦ Incentivization
◦ Gaming engine to measure risk
Monitoring
• Monitoring allows you to gather assessment trend data & breach data about your vendor.
• Develop a plan for your vendor to reduce cyber risk over time.
• Share relevant resources with your vendor (de-risk).
• Co-develop a “Target Risk” Profile
◦ Set of requirements/controls/questions that should be met.
Summary
Business Case
Process Overview
Vendor Classification
Inherent Risk
Building your assessment
Manual Process
Process Automation
Monitoring Stage
Q&A
Shannon Glass - Fisher
Practice Director, Information Security
Afidence
shannon.glass@afidence.com
Max Aulakh
Information Security Professional
MAFAZO Cyber Security
max@mafazo.com
937-789-4216
www.mafazo.com
Backup | About Tryump
• Cyber Compliance automation & orchestration platform
• Cyber security framework builder, manager and auto-mapper
• Manage use case complexity, scale and speed of assessment delivery
• Automate compliance testing & link technical results (pen-testing & other data).
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Cyber Security Vendor Risk Management /Supply Chain Risk Management

  • 1. Vendor Risk – Cyber Security Perspective
       March 15th, 2017
  • 2. Introductions (© 2016 Mafazo | All Rights Reserved)
       Shannon Glass - Fisher, Practice Director, Information Security, Afidence, shannon.glass@afidence.com
       Max Aulakh, Information Security Professional, MAFAZO Cyber Security, max@mafazo.com
  • 3. Agenda
       Business Case
       Process Overview
       Vendor Classification
       Inherent Risk
       Building your assessment
       Manual Process
       Process Automation
       Monitoring Stage
  • 4. Business Case | Headlines
       Target Hackers Used Stolen Vendor Credentials – Wall Street Journal, January 2014
       Bank says a failure on vendor's part to correctly fix an identified instability within the bank's storage system led to the seven-hour service outage last week. – By Eileen Yu, ZDNet Asia on July 14, 2010
       New York Tightens Screws on 3rd Party Cyber-Risk – By Chris Kentouris, FinOps Report on March 8, 2017
       “It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.” – NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks, 10/21/14
  • 5. Business Case | Regulatory Pressure
       Timeline:
       1996: HIPAA passed
       Jul 2001: GLBA
       Nov 2001: OCC Bulletin 2001-47
       Aug 2003: CS Privacy SB 1386
       May 2002: OCC Bulletin 2002-16
       May 2007: HF 1758 MN Plastic Card Security Act
       Nov 2009: HITECH Act
       Jan 2010: NRS 603 NV Data Security
       Mar 2010: 201 MA Code Reg 17
       Jul 2010: WA HB 1149
       Jan 2011: PCI DSS 2
       Mar 2012: CFPB Bulletin 2012-03
       Mar 2013: Omnibus HIPAA Rule
       Oct 2013: OCC Bulletin 2013-29
       May 2014: PCI DSS 3
       Oct 2016: DFARS 204.73
       Companies often face direct financial impact!
       3rd parties are a major source of data breaches!
  • 6. Vendor Risk Process Overview
       Inventory Vendors → Classify Vendor → Assessment Type → Coordinate → Self Assess → Review On Phone → Review On Site → Generate Issues → Finalize Corrective Plan → Monitor
  • 7. P A G E 7 © 2016 Mafazo | All Rights Reserved Vendor Classification • Scheme allows you to: ✓ Prioritize your vendors ✓ Build a relevant assessment for particular vendor ✓ Understand Inherent risk posed by your vendors ✓ Allows for a flexible scoring system/model • Many schemes with several factors • Total Spend • Financial Performance • Criticality of the vendor’s service to the continuation of the client’s services • Critical data being shared
  • 8. P A G E 8 © 2016 Mafazo | All Rights Reserved Vendor Classification | Inherent Inherent Risk Strategic Factors High Medium Low Vendor Criticality High Medium Low Regulations HIPAA Business Associate SOX 404 DFARS Type Cloud On-Prem Development Data Amount 100-200 Records 200 – 300 Records 1000 – 2000 Records
  • 9. P A G E 9 © 2016 Mafazo | All Rights Reserved Vendor Classification | Inherent
  • 10. P A G E 10 © 2016 Mafazo | All Rights Reserved Assessment Building  Free Control Inventories ◦ NIST Cyber Security Framework ◦ NIST Risk Management Framework (900+ Controls) ◦ HIPAA Security Rule ◦ FedRAMP ◦ Custom Controls ◦ FFIEC Framework ◦ IT Examiner Handbook  Lower cost inventories (almost free) ◦ ISO 27000 ◦ PCI-DSS  Overpriced Controls Data ◦ Shared Assessment/SIG ◦ Unified Compliance ◦ HITRUST “a firm’s level of cybersecurity is only as good as the security of its vendors.”
  • 11. P A G E 11 © 2016 Mafazo | All Rights Reserved Building an Assessment  Most vendors are assessed based on “standardized questions” ◦ Would you ever ask a janitorial service if they have a Chief Security Officer?  Too many questions that are not- relevant incentivizes the vendor to “quickly” get through the assessment so they can conduct business.  Take vendor “fatigue” in to consideration.
  • 12. P A G E 12 © 2016 Mafazo | All Rights Reserved Assessment Auto-Tailoring  Software can automate much of these tasks to not only build but automate type of questions you should be asking.  Certain industries require some standardized questions regardless of size of the vendor – FedRAMP  Too many questions that are not-relevant incentivizes the vendor to “quickly” get through the assessment so they can conduct business.  Take technical stack elements (database, operating systems, etc..) into consideration when tailoring. ◦ Don’t just accept “ISO or PCI” certifications – those are generally siloed efforts not global
  • 13. P A G E 13 © 2016 Mafazo | All Rights Reserved Vendor Residual Risk  What if vendor cyber security risk/residual risk remains too high after the assessment? ◦ Do you still conduct business with them?  What can we do to de-risk your vendors from cyber security perspective? ◦ Supply chain experts use “The Beer Game” to illustrate power of data sharing to manage product spikes & distribution to protect both the vendor and client.
  • 14. P A G E 14 © 2016 Mafazo | All Rights Reserved Manual Assessment Process NIST RMF Or Custom Controls List Framework/Spreadsheet 1 1. Compliance Officer › Manually extracted into MSWORD or EXCEL 3. Security Officer › Creates multiple compliance spreadsheet − 5 - 10 Columns, 100 - 200 Rows − Multi-user input Email System 4. Sent to Vendors › Reviews Spreadsheet − Data collection − Multiple inputs Vendor Risk Requirements Finalized/Spreadsheet 2 2. Security Officer & Legal › Select or Create Security Framework link to Non-Voluntary Requirements − SIG, NIST, etc… Multiple Spreadsheets › By Vendor › By Year › By Change
  • 15. P A G E 15 © 2016 Mafazo | All Rights Reserved Automation  1 FTE is expected to manage cyber risk of 1000+ vendors while managing everything else internally. ◦ What would you do if you had to manage 100s of different vendor cyber security risk?  1 FTE is expected to build cyber assessments on the fly based on the “risk” ◦ Look for the ability to build out any assessment with any inventory  Automation serves as a force-multiplier ◦ Reduction of man-hours and reduction of errors  Vendor cyber security automation can be almost as easy as a “password reset self service” but for your vendors. ◦ Incentivization ◦ Gaming engine to measure risk
  • 16. P A G E 16 © 2016 Mafazo | All Rights Reserved Monitoring  Monitoring allows you to gather assessment trend data & breach data about your vendor.  Develop a plan for your vendor to reduce cyber risk over time.  Share relevant resources with your vendor (de-risk).  Co-develop a “Target Risk” Profile ◦ Set of requirements/controls/questions that should be met.
  • 17. P A G E 17 © 2016 Mafazo | All Rights Reserved Summary Business Case Process Overview Vendor Classification Inherent Risk Building your assessment Manual Process Process Automation Monitoring Stage
  • 18. P A G E 18 © 2016 Mafazo | All Rights Reserved Q&A Shannon Glass - Fisher Practice Director, Information Security Afidence shannon.glass@afidence.com Max Aulakh Information Security Professional MAFAZO Cyber Security max@mafazo.com 937-789-4216 www.mafazo.com
  • 19. P A G E 19 © 2016 Mafazo | All Rights Reserved Back up| About Tryump • Cyber Compliance automation & orchestration platform • Cyber security framework builder, manager and auto-mapper • Manage use case complexity, scale and speed of assessment delivery • Automate compliance testing & link technical results (pen-testing & other data).