The document discusses the risks introduced by commercial off-the-shelf software and hardware, emphasizing the importance of a robust security culture within organizations. It outlines the necessity of risk assessments, especially concerning third and fourth-party relationships, and highlights various methodologies for determining risk levels. Additionally, it stresses the importance of contractual agreements and the need for ongoing scrutiny and documentation of security practices.

1. Why? and How?

2.  Does Commercial Off the Shelf Software introduce risk to your
environment?
 Do commercially produced hardware products introduce risk
 Does the security culture of the organization providing software,
hardware and services have anything to do with your risk?
 Do fourth party relationships matter?

3.  Culture of Security
 It is critical that an organization have a “Culture of Security”
 What is a “Culture of Security”
 Culture - the quality in a person or society that arises from a concern for what is
regarded as excellent in arts, letters, manners, scholarly pursuits, etc.
 Culture of Security is embedded in the daily operation of the organization so that it
becomes a norm and not an exception
 The culture of security drives the practices of an organization
 It’s deeper than just having AV and IDS/IPS
 Includes mature policies, standards and practices

4.  Product and Services Risk
 Every product or service introduces risk
 Network interfaces and access to you
 Poor coding practices
 Vendor systems
 Personnel activities
 Fourth party participation

5.  Fourth Party Relationships
 Where are they located
 Do they have a “Culture of Security”
 Does your Third Party have a security contract or understanding with
their third party providers?

6.  Identify Framework/Methodology
 Determination
 Risk Rank
 Risk Assessments
 Contractual Agreements

7.  Identify Framework/Methodology
 There are many ways to determine and manage risk
 NIST SP 800-161 (Supply Chain Risk Management (SCRM) for Information
and Communications Technology)
 National Strategy for Global Supply Chain Security
 Cloud Security Alliance
 Shared Assessments Standard Information Gathering (SIG) and Agreed Upon
Procedures (AUP)

8.  Determination Questionnaire
 Not all relationships require intense scrutiny
 You must determine which do and which don’t
 Short questionnaire
 High level evaluation of risk
 Groundskeepers
 Cleaning teams
 Service personnel
 Construction crews

9.  Does the vendor store, process, transmit or access systems or data?
 Does the vendor have logical or physical access to facilities?
 Can the vendor directly or indirectly impact your business availability?
 Does the engagement create, modify or purchase software and/or hardware?
 Are any of the above criteria met before, during or after implementation of the
products or services?

10. 1) What type of data will the Third Party potentially process, store,
transmit, or have access to, as part of this engagement?
2) What is the greatest daily average quantity of records/account
information of which this engagement scope will send, receive, process,
store or have access to before, during or after implementation?
3) What is the frequency at which this engagement scope will send,
receive, process, store or have access to before, during or after
implementation?
4) Does this engagement scope include any type of data-
sharing/user/admin/database access OR inbound connectivity to your
corporate network OR outbound connectivity from corporate network
with the third party before, during or after implementation?

11. 5) Does this engagement scope include physical access by Third Party
personnel to your facilities before, during or after implementation?
6) Does this engagement scope involve creation of new services and/or
changes to existing services?
7) Does this engagement scope involve the creation/modification of
software applications and/or the deployment of new devices/IT
infrastructure?
8) Does this engagement scope include offshore (offshore=outside
continental U.S.) facilities or personnel involvement of any kind before,
during or after implementation or use of any products and/or service(s)
involved? (Consider sending, receiving, processing, storing data / any
access at any time / software development)

12. 9) Does this engagement scope include inbound and/or outbound
connectivity and/or data sharing with other external parties
(vendors/partners of this vendor) before, during or after
implementation?
10) Is a cloud solution utilized from this vendor?
11) Is a mobile solution utilized from this vendor as part of this engagement
scope?
12) How many "Fourth Party" vendors will have access to Third Party data
or facilities and/or your corporate data or facilities as part of this
engagement scope?

13. 15) What is the vendor's most recent annual income?
16) Has the vendor recently gone through a merger, acquisition, or
divestiture?
17) Will the vendor’s services include performing any transactions on behalf
of your company or your subsidiary entities?
18) What is the volume of transactions per day the vendor will perform on
behalf of your company or your subsidiary entities?
19) What is the daily value of the transactions performed by the vendor on
behalf of your company or your subsidiary entities?
20) What is the current Disaster Recovery (DR) Tier?

14. 22) What is the current Business Impact Analysis (BIA)?
23) Does this vendor provide services that are customer facing?
24) Are there any (public or private) known issues, findings or concerns?
25) Is this vendor a strategic vendor for your company?
26) Known count of viable alternative vendors?
24) What concentration of this Line of Business‘ cumulative business
position is represented by this specific project/engagement scope?
(percentage estimate / response optional)
25) What is the currently projected utilization term for this vendor?

15.  Risk Rank
 After you have determined whether an assessment is needed
 Level of scrutiny
 On-site
 Frequency of review

16.  Risk Assessments
 Perform your assessment
 Use the framework you chose
 Create a scoring model
 Maintain record of assessments
 Follow up on findings
 Create process to document risk acceptance
 Maintain timelines for remediation
 Document when remediation has been completed
 Provide a path forward to the business through Risk Acceptance/Risk Remediation

17.  Assessments can be done at various levels
 Contract only
 Lite assessments (Questionnaire)
 Heavy Assessments (Questionnaire)
 On-site Assessments

18.  One of the most frequently selected options is:
 Shared Assessments Standard Information Gathering Questionnaire
(SIG) Lite and Full
 Questionnaire submitted to vendors to assess control effectiveness
 Evidence is collected in support of the answers provided
 Sometimes evidence is viewed but not physically received
 On-site Assessments using Agreed Upon Procedures (AUP)
 Guideline for on-site assessments

19.  Shared Assessments SIG Lite and SIG Full
 A. Risk Management
 B. Security Policy
 C. Organizational Security
 D. Asset Management
 E. Human Resource Security
 F. Physical and Environmental
 G. Communications and Operations Management

20.  H. Access Control
 I. Information Systems Acquisition Development & Maintenance
 J. Incident, Event & Communications Management
 K. Business Continuity and Disaster Recovery
 L. Compliance
 M. Mobile
 P. Privacy

21.  Q. Software Security
 V. Cloud Security
 Z. Additional Questions

22.  Contractual Agreements
 Should be included with every contract (based on determination)
 Should be negotiable
 Should be general enough to allow flexibility, but specific enough to
ensure security
 Should ensure accountability