Supply Chain and Third-Party Risks During COVID-19
A Podcast by Carrie Whysall
CynergisTek, Inc.
© Carrie Whysall, 2020
Hello! I’m Carrie Whysall, Director of Managed Security Services at CynergisTek, Inc. I’m here to introduce and explain the importance of supply chain and third-party risks during the time of COVID-19.
What is vendor risk management?
It’s really the process of building relationships with your vendors. This includes creating both formal and informal processes that protect and enhance the organizational strategies of both parties in the relationship. The goal is a transparent relationship that allows for a better understanding of the services provided and the risks that are inherent in that relationship.
Why is VRM so important?
• Health Alliance Plan on March 6, 2019. This breach of 120,000 records was caused by ransomware that their third-party vendor, Wolverine Solutions Group, became infected with. The same third-party vendor was also the cause of a breach at Spectrum Health Lakeland. This one is very concerning because not only did they get patient data, they got detailed provider information as well.
• Federal Emergency Management Agency (FEMA) on March 22, 2019. This breach of 2.5 million records is wrong in so many ways. After these victims were traumatized by hurricanes, they were victimized a second time when a contractor used by FEMA didn’t protect the information that was provided to it.
• Quest Diagnostics on June 3, 2019. This breach exposed almost 17 million records. The breach occurred because a hacker took control of a payments page that was being hosted by AMCA, a third-party billing vendor used by Quest.
• Essentia Health on July 10, 2019. This breach was due to their third-party vendor, California Reimbursement Enterprise, being the victim of a phishing attack. It has been nine months and they are still unclear as to how many records were exposed.
VRM programs… where do I start?
An effective VRM program starts by comprehensively determining potential third-party risks, including process risks, political risks, unwanted functions, contract risks, legal and regulatory issues for non-compliance, and information system failures. This risk identification procedure should be followed by an evaluation of the precise drivers that increase third-party risk.
4 tips for creating a VRM Program:
#1 Compile
#2 Classify
#3 Assess
#4 Decide
#1 Compile
Implementing the program starts by knowing all your vendors. Start with your finance
or accounting contacts to see what they have.
#2 Classify
Vendors need to be classified by how much potential risk they pose to the organization. The potential risk is based on the potential annual impact that a breach involving the vendor would have on the organization. This step is critical to success and should not be decided by IT alone. If you have a current mission-critical and/or business-critical list of applications, that is a great place to start.
#3 Assess
There are typically two types of assessments, corresponding to the two classifications determined in the vendor classification form, and each classification follows a different assessment process.
For low-risk vendors you may be able to complete the questionnaire with information known internally to your organization. Once completed, the questionnaires should be saved with the vendor’s classification form and reviewed annually.
For high- or critical-risk vendors, a more formal process is required, which should include documented responses from the vendors.
#4 Decide
For each of the high-risk vendors, a decision must be made about what to do with the risks discovered through the assessment process.
• Risk Accepted: Accept the risk “as-is” without any additional effort on the part of the organization or the vendor.
• Risk Accepted with remediation plan.
• Risk Unacceptable: There are two options for this finding.
  • Work with the vendor on remediation/mitigation on their side.
  • Decide to terminate the contract based on risk and follow the terms set forth in the contract regarding termination of services.
  • Note: one of the biggest mistakes an entity can make in this phase is creating a remediation plan without follow-through. Nothing stings more than having an exposed risk occur because you didn’t complete the remediation.
What types of assessments are there?
Pre-Procurement Assessment: this is typically a shorter assessment that is based primarily on the organization’s security policy, with a focus on technology, data storage, and connectivity requirements. The goal is a quick decision on whether or not to use this product from a particular vendor.
HIPAA-Based Risk Assessment: these are typically much longer assessments that focus on a much broader range of HIPAA regulations. The questions are more in-depth and typically require detailed responses from a vendor. These assessments are also typically where a risk level is assigned to a vendor.
What Are Some of the Challenges?
What issues arise throughout the process?
• Asking the right questions.
• Having access to the contract documents.
• Getting the correct documents back from the vendors.
• Getting responses in a timely manner.
• Ensuring that going forward you update new contracts with requirements for meeting your security requirements and retain the ability to assess or audit them periodically.
• Adding automation where you can.
• Effective use of the data you have gathered.
• Where else would this data be helpful to the organization?
  • SOC/SIEM feeds
  • Cyber insurance validation
  • Supply chain
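One concrete way to feed the vendor data into the SOC, as an added example that is not part of the podcast or of any CynergisTek tooling: join the inventory produced by the Compile/Classify/Assess/Decide steps to outbound firewall or proxy events, so that an analyst looking at a connection sees the vendor's tier, assessment age and remediation status, and so that traffic to a third party that is not in the inventory at all is flagged as a Compile gap. The vendor names, domains, address ranges (RFC 5737 documentation ranges), log line format and per-tier review cadence are all constructed assumptions for the example.

```python
"""Added example (not from the podcast): join a vendor-risk inventory to
firewall/proxy log lines so the SOC sees third-party context on events.
All vendor names, CIDRs, domains and log lines are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vendor:
    """One row of the inventory built in the Compile/Classify/Assess steps."""
    name: str
    tier: str                 # critical / high / moderate / low
    last_assessed: date
    disposition: str          # accepted / remediation / unacceptable (Decide step)
    domains: tuple[str, ...]  # hostnames the vendor serves traffic from
    cidrs: tuple[str, ...]    # address ranges the vendor owns


# Constructed inventory (assumption): two vendors, one critical with an open
# remediation plan and a stale assessment, one low-risk and accepted.
VENDORS = [
    Vendor("Example Billing Co.", "critical", date(2019, 2, 1), "remediation",
           ("billing.example-vendor.test",), ("198.51.100.0/24",)),
    Vendor("Example Mailer Inc.", "low", date(2020, 1, 15), "accepted",
           ("mail.example-mailer.test",), ("203.0.113.0/24",)),
]

# Assumed review cadence per tier, in days between assessments.
REVIEW_DAYS = {"critical": 180, "high": 365, "moderate": 365, "low": 730}

# Constructed log format: key=value pairs from an egress firewall/proxy.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S*) bytes=(?P<bytes>\d+)$"
)

TODAY = date(2020, 4, 1)   # fixed "now" so the example is deterministic


def find_vendor(dst: str, host: str) -> Vendor | None:
    """Match the destination hostname (or its parent domain) or IP to a vendor."""
    ip = ipaddress.ip_address(dst)
    for v in VENDORS:
        if host and any(host == d or host.endswith("." + d) for d in v.domains):
            return v
        if any(ip in ipaddress.ip_network(c) for c in v.cidrs):
            return v
    return None


def enrich(line: str, today: date) -> dict:
    """Parse one event, attach vendor context, and compute SOC flags."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    v = find_vendor(ev["dst"], ev["host"])
    flags: list[str] = []
    if v is None:
        ev["vendor"] = None
        flags.append("unknown-third-party")      # destination not in the inventory
    else:
        ev["vendor"] = v.name
        ev["tier"] = v.tier
        if (today - v.last_assessed).days > REVIEW_DAYS[v.tier]:
            flags.append("assessment-overdue")   # Assess step cadence missed
        if v.disposition == "remediation":
            flags.append("open-remediation")     # plan exists; check follow-through
        elif v.disposition == "unacceptable":
            flags.append("risk-unacceptable")
    ev["flags"] = flags
    return ev


# Constructed sample events (not real traffic).
SAMPLE_LOG = [
    "2020-04-01T10:00:00Z src=10.0.0.5 dst=198.51.100.20 host=billing.example-vendor.test bytes=48213",
    "2020-04-01T10:00:05Z src=10.0.0.7 dst=203.0.113.9 host=mail.example-mailer.test bytes=912",
    "2020-04-01T10:00:09Z src=10.0.0.9 dst=192.0.2.77 host= bytes=1048576",
]


def triage(lines: list[str], today: date) -> list[dict]:
    """Enrich every event and keep only those carrying at least one flag."""
    return [e for e in (enrich(l, today) for l in lines) if e["flags"]]


def run_sample() -> list[dict]:
    """Triage the constructed sample against the fixed date."""
    return triage(SAMPLE_LOG, TODAY)


if __name__ == "__main__":
    for e in run_sample():
        print(e["ts"], e["dst"], e.get("vendor"), ",".join(e["flags"]))
```

Run stand-alone it reports the billing vendor's connection (assessment overdue for a critical-tier vendor, remediation plan still open) and the unclassified destination, while the accepted low-risk mailer is dropped as routine. In a real SIEM the same join would be a lookup table keyed on vendor domains and CIDRs, refreshed from the vendor inventory each time a classification or assessment record changes.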
What about staffing?
• Vendor management can have a significant impact on staffing. Most entities do not have additional bodies to pull for these efforts, especially right now while we are struggling to staff COVID-19 units while having to institute furloughs in our elective procedure areas.
• At first the typical attempt is to assign portions of existing staff to this activity. These are usually either existing security or compliance staff. Early efforts may be via Excel spreadsheets and tracked manually.
…And what about outsourcing?
• Allows an organization to leverage the experience and existing vendor relationships the outsourcer already has.
• Provides the benefit of access to subject matter experts (SMEs). No need to train existing staff on the process.
• The agreements should contractually set SLAs and turnaround times for expedited requests.
• A higher number of assessments can be completed, as the outsourced staff are working full time on them, not as part of another role.
• Standardized risk valuations, typically through the use of templates, which include critical, high, moderate, and low, with clear definitions of each value.
• Assigning the assessment portions to a partner allows you to focus on remediation plans and tasks instead of spending time on the phone or in email tracking down answers.
Thanks for tuning in! For more COVID-19 related podcast content, please visit
www.cynergistek.com/podcasts.

More Related Content

What's hot

Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lens
aakash malhotra
 
Implementing the smart factory: New perspectives for driving value
Implementing the smart factory: New perspectives for driving valueImplementing the smart factory: New perspectives for driving value
Implementing the smart factory: New perspectives for driving value
Deloitte United States
 
COVID-19: Helping SMBs outmaneuver uncertainty
COVID-19: Helping SMBs outmaneuver uncertaintyCOVID-19: Helping SMBs outmaneuver uncertainty
COVID-19: Helping SMBs outmaneuver uncertainty
accenture
 
EY Digital Deal Economy - Nederland
EY Digital Deal Economy - NederlandEY Digital Deal Economy - Nederland
EY Digital Deal Economy - Nederland
reichske
 
The realist’s guide to quantum technology and national security
The realist’s guide to quantum technology and national securityThe realist’s guide to quantum technology and national security
The realist’s guide to quantum technology and national security
Deloitte United States
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)
Zero Science Lab
 
eGestalt Named a 2012 'Emerging Vendor' by CRN and UBM Channel
eGestalt Named a 2012 'Emerging Vendor' by CRN and UBM ChanneleGestalt Named a 2012 'Emerging Vendor' by CRN and UBM Channel
eGestalt Named a 2012 'Emerging Vendor' by CRN and UBM Channel
flashnewsrelease
 
Evolution of cyber threats and the development of new security architecture
Evolution of cyber threats and the development of new security architectureEvolution of cyber threats and the development of new security architecture
Evolution of cyber threats and the development of new security architecture
EY
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
simplyme12345
 
The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018
The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018
The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018
accenture
 
What matters in security - A highlighter
What matters in security - A highlighterWhat matters in security - A highlighter
What matters in security - A highlighter
Andre Muscat
 
IBM CIO Mid Market Study 2011
IBM CIO Mid Market Study 2011IBM CIO Mid Market Study 2011
IBM CIO Mid Market Study 2011
ojwinslade
 
Addressing Sales Practice and Conduct Risk in the Canadian Market
Addressing Sales Practice and Conduct Risk in the Canadian MarketAddressing Sales Practice and Conduct Risk in the Canadian Market
Addressing Sales Practice and Conduct Risk in the Canadian Market
accenture
 
Marlink IMO 2021 Guide to Cyber Risk Management
Marlink IMO 2021 Guide to Cyber Risk ManagementMarlink IMO 2021 Guide to Cyber Risk Management
Marlink IMO 2021 Guide to Cyber Risk Management
CHRIS CLIFFORD
 
Optiv Security Award Write Up
Optiv Security Award Write UpOptiv Security Award Write Up
Optiv Security Award Write Up
Claudia Toscano
 
Risk taking in SME's
Risk taking in SME'sRisk taking in SME's
Risk taking in SME's
Brian Stevens
 
2017 HK ESG Research Report
2017 HK ESG Research Report2017 HK ESG Research Report
2017 HK ESG Research Report
Alaya Consulting
 
Driving growth and differential performance among Class I railroads
Driving growth and differential performance among Class I railroadsDriving growth and differential performance among Class I railroads
Driving growth and differential performance among Class I railroads
Deloitte United States
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
Charmaine Servado
 
Oil & Gas ICT Leader 2016
Oil & Gas ICT Leader 2016Oil & Gas ICT Leader 2016
Oil & Gas ICT Leader 2016
Ray Bugg
 

What's hot (20)

Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lens
 
Implementing the smart factory: New perspectives for driving value
Implementing the smart factory: New perspectives for driving valueImplementing the smart factory: New perspectives for driving value
Implementing the smart factory: New perspectives for driving value
 
COVID-19: Helping SMBs outmaneuver uncertainty
COVID-19: Helping SMBs outmaneuver uncertaintyCOVID-19: Helping SMBs outmaneuver uncertainty
COVID-19: Helping SMBs outmaneuver uncertainty
 
EY Digital Deal Economy - Nederland
EY Digital Deal Economy - NederlandEY Digital Deal Economy - Nederland
EY Digital Deal Economy - Nederland
 
The realist’s guide to quantum technology and national security
The realist’s guide to quantum technology and national securityThe realist’s guide to quantum technology and national security
The realist’s guide to quantum technology and national security
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)
 
eGestalt Named a 2012 'Emerging Vendor' by CRN and UBM Channel
eGestalt Named a 2012 'Emerging Vendor' by CRN and UBM ChanneleGestalt Named a 2012 'Emerging Vendor' by CRN and UBM Channel
eGestalt Named a 2012 'Emerging Vendor' by CRN and UBM Channel
 
Evolution of cyber threats and the development of new security architecture
Evolution of cyber threats and the development of new security architectureEvolution of cyber threats and the development of new security architecture
Evolution of cyber threats and the development of new security architecture
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
 
The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018
The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018
The Bottom Line on Trust | Accenture Strategy Competitive Agility Index 2018
 
What matters in security - A highlighter
What matters in security - A highlighterWhat matters in security - A highlighter
What matters in security - A highlighter
 
IBM CIO Mid Market Study 2011
IBM CIO Mid Market Study 2011IBM CIO Mid Market Study 2011
IBM CIO Mid Market Study 2011
 
Addressing Sales Practice and Conduct Risk in the Canadian Market
Addressing Sales Practice and Conduct Risk in the Canadian MarketAddressing Sales Practice and Conduct Risk in the Canadian Market
Addressing Sales Practice and Conduct Risk in the Canadian Market
 
Marlink IMO 2021 Guide to Cyber Risk Management
Marlink IMO 2021 Guide to Cyber Risk ManagementMarlink IMO 2021 Guide to Cyber Risk Management
Marlink IMO 2021 Guide to Cyber Risk Management
 
Optiv Security Award Write Up
Optiv Security Award Write UpOptiv Security Award Write Up
Optiv Security Award Write Up
 
Risk taking in SME's
Risk taking in SME'sRisk taking in SME's
Risk taking in SME's
 
2017 HK ESG Research Report
2017 HK ESG Research Report2017 HK ESG Research Report
2017 HK ESG Research Report
 
Driving growth and differential performance among Class I railroads
Driving growth and differential performance among Class I railroadsDriving growth and differential performance among Class I railroads
Driving growth and differential performance among Class I railroads
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
 
Oil & Gas ICT Leader 2016
Oil & Gas ICT Leader 2016Oil & Gas ICT Leader 2016
Oil & Gas ICT Leader 2016
 

Similar to Supply Chain and Third-Party Risks During COVID-19

Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 
Strengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdfStrengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdf
Enterprise Insider
 
Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016
CBIZ, Inc.
 
Six Crucial Steps for Insurance Companies to Excel in Risk Management
Six Crucial Steps for Insurance Companies to Excel in Risk ManagementSix Crucial Steps for Insurance Companies to Excel in Risk Management
Six Crucial Steps for Insurance Companies to Excel in Risk Management
360factors
 
White-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdf
White-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdfWhite-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdf
White-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdf
Ouheb Group
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
- Mark - Fullbright
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
Richard Brzakala
 
Digital economy and its effect on cyber risk
Digital economy and its effect on cyber riskDigital economy and its effect on cyber risk
Digital economy and its effect on cyber risk
aakash malhotra
 
B crisis
B crisisB crisis
B crisis
Jose Patrick
 
CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...
CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...
CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...
CBIZ, Inc.
 
financial exec final
financial exec finalfinancial exec final
financial exec final
Adam Ortlieb
 
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)
Richard Brooks
 
Unlocking the Performance Levers of Commercial Underwriting
Unlocking the Performance Levers of Commercial UnderwritingUnlocking the Performance Levers of Commercial Underwriting
Unlocking the Performance Levers of Commercial Underwriting
Cognizant
 
Risk & Advisory Services: Quarterly Risk Advisor March 2017
Risk & Advisory Services: Quarterly Risk Advisor March 2017Risk & Advisory Services: Quarterly Risk Advisor March 2017
Risk & Advisory Services: Quarterly Risk Advisor March 2017
CBIZ, Inc.
 
Vendor Risk Mgmt Ravi-Licata
Vendor Risk Mgmt Ravi-LicataVendor Risk Mgmt Ravi-Licata
Vendor Risk Mgmt Ravi-Licata
Lena Licata
 
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
CBIZ, Inc.
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
Smarter Faster Product Innovation - Strategic Imperatives for P&C Insurers
Smarter Faster Product Innovation - Strategic Imperatives for P&C InsurersSmarter Faster Product Innovation - Strategic Imperatives for P&C Insurers
Smarter Faster Product Innovation - Strategic Imperatives for P&C Insurers
Accenture Insurance
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
Meg Weber
 
New Age HSE Services - Pics Auditing whitepaper
New Age HSE Services - Pics Auditing whitepaperNew Age HSE Services - Pics Auditing whitepaper
New Age HSE Services - Pics Auditing whitepaper
craigwillis_newagehse
 

Similar to Supply Chain and Third-Party Risks During COVID-19 (20)

Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
Strengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdfStrengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdf
 
Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016
 
Six Crucial Steps for Insurance Companies to Excel in Risk Management
Six Crucial Steps for Insurance Companies to Excel in Risk ManagementSix Crucial Steps for Insurance Companies to Excel in Risk Management
Six Crucial Steps for Insurance Companies to Excel in Risk Management
 
White-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdf
White-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdfWhite-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdf
White-Paper-Four-Keys-to-Creating-a-Vendor-Risk-Management-Program.pdf
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
 
Digital economy and its effect on cyber risk
Digital economy and its effect on cyber riskDigital economy and its effect on cyber risk
Digital economy and its effect on cyber risk
 
B crisis
B crisisB crisis
B crisis
 
CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...
CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...
CBIZ Quarterly Manufacturing & Distribution “Hot Topics” Newsletter (Sep-Oct ...
 
financial exec final
financial exec finalfinancial exec final
financial exec final
 
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)
 
Unlocking the Performance Levers of Commercial Underwriting
Unlocking the Performance Levers of Commercial UnderwritingUnlocking the Performance Levers of Commercial Underwriting
Unlocking the Performance Levers of Commercial Underwriting
 
Risk & Advisory Services: Quarterly Risk Advisor March 2017
Risk & Advisory Services: Quarterly Risk Advisor March 2017Risk & Advisory Services: Quarterly Risk Advisor March 2017
Risk & Advisory Services: Quarterly Risk Advisor March 2017
 
Vendor Risk Mgmt Ravi-Licata
Vendor Risk Mgmt Ravi-LicataVendor Risk Mgmt Ravi-Licata
Vendor Risk Mgmt Ravi-Licata
 
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
Smarter Faster Product Innovation - Strategic Imperatives for P&C Insurers
Smarter Faster Product Innovation - Strategic Imperatives for P&C InsurersSmarter Faster Product Innovation - Strategic Imperatives for P&C Insurers
Smarter Faster Product Innovation - Strategic Imperatives for P&C Insurers
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
 
New Age HSE Services - Pics Auditing whitepaper
New Age HSE Services - Pics Auditing whitepaperNew Age HSE Services - Pics Auditing whitepaper
New Age HSE Services - Pics Auditing whitepaper
 

Recently uploaded

Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in RwandaBridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Kasuku Translation Ltd
 
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptxTop 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
e-Definers Technology
 
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
Traditional Healer, Love Spells Caster and Money Spells That Work Fast
 
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdfThe best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
tonytkelly6
 
WORK PERMIT IN NORWAY | WORK VISA SERVICE
WORK  PERMIT  IN  NORWAY | WORK VISA SERVICEWORK  PERMIT  IN  NORWAY | WORK VISA SERVICE
WORK PERMIT IN NORWAY | WORK VISA SERVICE
RKIMT
 
Expert Tips for Pruning Your Plants.pdf.
Expert Tips for Pruning Your Plants.pdf.Expert Tips for Pruning Your Plants.pdf.
Expert Tips for Pruning Your Plants.pdf.
Local Gardeners
 
Copy Trading Forex Brokers 2024 ptx
Copy Trading Forex Brokers 2024      ptxCopy Trading Forex Brokers 2024      ptx
Copy Trading Forex Brokers 2024 ptx
Brokerreviewfx
 
Enhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting ServicesEnhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting Services
Perfect Industrial
 
antivirus and security software | basics
antivirus and security software | basicsantivirus and security software | basics
antivirus and security software | basics
basicsprotection
 
x ray baggage scanner manufacturers in India
x ray baggage scanner manufacturers in Indiax ray baggage scanner manufacturers in India
x ray baggage scanner manufacturers in India
Gujar Industries India Pvt. Ltd
 
Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
gaurisiddhivinayakte
 
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptxTop Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Merchantech - Payment Processing Services
 
eBrand Promotion Full Service Digital Agency Company Profile
eBrand Promotion Full Service Digital Agency Company ProfileeBrand Promotion Full Service Digital Agency Company Profile
eBrand Promotion Full Service Digital Agency Company Profile
ChimaOrjiOkpi
 
Electrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdfElectrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdf
sandeepmetsuae
 
Discover How Long Do Aluminum Gutters Last?
Discover How Long Do Aluminum Gutters Last?Discover How Long Do Aluminum Gutters Last?
Discover How Long Do Aluminum Gutters Last?
SteveRiddle8
 
METS Lab SASO Certificate Services in Dubai.pdf
METS Lab SASO Certificate Services in Dubai.pdfMETS Lab SASO Certificate Services in Dubai.pdf
METS Lab SASO Certificate Services in Dubai.pdf
sandeepmetsuae
 
3 Examples of new capital gains taxes in Canada
3 Examples of new capital gains taxes in Canada3 Examples of new capital gains taxes in Canada
3 Examples of new capital gains taxes in Canada
Lakshay Gandhi
 
Generate Revenue with Contact Center Business Model Strategy
Generate Revenue with Contact Center Business Model StrategyGenerate Revenue with Contact Center Business Model Strategy
Generate Revenue with Contact Center Business Model Strategy
RNayak3
 
Greeting powerpoint slide for kids( 4-6 years old)
Greeting powerpoint slide for kids( 4-6 years old)Greeting powerpoint slide for kids( 4-6 years old)
Greeting powerpoint slide for kids( 4-6 years old)
lenguyenthaotrang663
 
The Fraud Examiner’s Report – What the Certified Fraud Examiner Should Know
The Fraud Examiner’s Report –  What the Certified Fraud Examiner Should KnowThe Fraud Examiner’s Report –  What the Certified Fraud Examiner Should Know
The Fraud Examiner’s Report – What the Certified Fraud Examiner Should Know
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 

Recently uploaded (20)

Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in RwandaBridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
 
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptxTop 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
 
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...

Supply Chain and Third-Party Risks During COVID-19

  • 5. VRM programs… where do I start? An effective VRM program starts by comprehensively determining potential third-party risks, including process risks, political risks, unwanted functions, contract risks, legal and regulatory issues for non-compliance, and information system failures. This risk identification procedure should be followed by an evaluation of the precise drivers that increase third-party risk.
  • 6. 4 tips for creating a VRM program: #1 Compile, #2 Classify, #3 Assess, #4 Decide.
  • 7. #1 Compile. Implementing the program starts by knowing all your vendors. Start with your finance or accounting contacts to see what they have.
  • 8. #2 Classify. Vendors need to be classified by how much potential risk they pose to the organization. The potential risk is based on the potential impact that a breach involving the vendor would have on the organization annually. This step is critical to success and should not be decided by IT alone. If you have a current mission-critical and/or business-critical list of applications, that is a great place to start.
  • 9. #3 Assess. There are typically two types of assessments, corresponding to the two classifications determined in the vendor classification form, and each classification follows a different assessment process. For low-risk vendors you may be able to complete the questionnaire with information known internally to your organization. Once completed, the questionnaires should be saved with the vendor’s classification form and reviewed annually. High- or critical-risk vendors require a more formal process, which should include documented responses from the vendors.
  • 10. #4 Decide. For each of the high-risk vendors, a decision must be made about what to do with the risks discovered through the assessment process.
      - Risk accepted: accept the risk “as-is” without any additional effort on the part of the organization or the vendor.
      - Risk accepted with remediation plan.
      - Risk unacceptable: there are two options for this finding.
          - Work with the vendor on remediation/mitigation on their side.
          - Decide to terminate the contract based on risk and follow the terms set forth in the contract regarding termination of services.
      Note: one of the biggest mistakes an entity can make in this phase is creating a remediation plan without follow-through. Nothing stings more than having an exposed risk occur because you didn’t complete the remediation.
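The four steps above (compile, classify, assess, decide), the annual review of low-risk questionnaires, and the warning about remediation plans without follow-through can be tracked in a simple register. The following Python is an added example, not code from the podcast or from CynergisTek; the vendor names, impact figures, dates and tier thresholds are constructed for illustration, and the PHI-driven tiering rule is an assumption, not a rule the page states.

```python
"""Vendor risk register: a constructed example of the compile / classify /
assess / decide steps, with checks for overdue annual reviews and for
remediation plans that were never followed through."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Tier(Enum):
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"
    CRITICAL = "critical"


class Decision(Enum):
    ACCEPTED = "risk accepted"
    ACCEPTED_WITH_PLAN = "risk accepted with remediation plan"
    REMEDIATE_WITH_VENDOR = "unacceptable: remediate with vendor"
    TERMINATE = "unacceptable: terminate contract"


@dataclass
class Vendor:
    name: str
    handles_phi: bool            # does the vendor store or process patient data?
    annual_impact_usd: int       # estimated annual impact of a breach (constructed figure)
    last_assessed: Optional[date] = None
    decision: Optional[Decision] = None
    remediation_due: Optional[date] = None
    remediation_done: bool = False


def classify(v: Vendor) -> Tier:
    """Step 2, Classify: tier by annual breach impact. The thresholds and the
    PHI rule are assumptions for this example, not figures from the podcast."""
    if v.handles_phi and v.annual_impact_usd >= 1_000_000:
        return Tier.CRITICAL
    if v.handles_phi or v.annual_impact_usd >= 250_000:
        return Tier.HIGH
    if v.annual_impact_usd >= 50_000:
        return Tier.MODERATE
    return Tier.LOW


def assessment_type(tier: Tier) -> str:
    """Step 3, Assess: low tiers get an internally completed questionnaire,
    high and critical tiers a formal assessment with documented vendor responses."""
    if tier in (Tier.LOW, Tier.MODERATE):
        return "internal questionnaire"
    return "formal assessment with documented vendor responses"


def review_overdue(v: Vendor, today: date, cycle_days: int = 365) -> bool:
    """Questionnaires are reviewed annually; a vendor never assessed counts as overdue."""
    if v.last_assessed is None:
        return True
    return today - v.last_assessed > timedelta(days=cycle_days)


def remediation_stalled(v: Vendor, today: date) -> bool:
    """Step 4's warning: a remediation plan exists, its due date has passed,
    and nobody closed it out."""
    if v.decision not in (Decision.ACCEPTED_WITH_PLAN, Decision.REMEDIATE_WITH_VENDOR):
        return False
    return (v.remediation_due is not None
            and today > v.remediation_due
            and not v.remediation_done)


def report(vendors: List[Vendor], today: date) -> List[Tuple[str, Tier, str, List[str]]]:
    """One row per vendor: name, tier, required assessment type, open issues."""
    rows = []
    for v in vendors:
        tier = classify(v)
        issues = []
        if review_overdue(v, today):
            issues.append("annual review overdue")
        if remediation_stalled(v, today):
            issues.append("remediation past due")
        if tier in (Tier.HIGH, Tier.CRITICAL) and v.decision is None:
            issues.append("no risk decision recorded")
        rows.append((v.name, tier, assessment_type(tier), issues))
    return rows


# Constructed sample register (Step 1, Compile): names and figures are invented.
SAMPLE_VENDORS = [
    Vendor("Example Billing Co", True, 2_000_000, date(2019, 3, 1),
           Decision.ACCEPTED_WITH_PLAN, date(2020, 1, 31), False),
    Vendor("Example Office Supply", False, 10_000, date(2020, 1, 15)),
    Vendor("Example Cloud Host", True, 400_000),
]

if __name__ == "__main__":
    for name, tier, kind, issues in report(SAMPLE_VENDORS, date(2020, 6, 1)):
        print(f"{name:22} {tier.value:9} {kind:52} {'; '.join(issues) or 'ok'}")
```

Run as a script, the report lists each vendor's tier, the assessment process that tier requires, and any open items: the billing vendor shows both an overdue annual review and a remediation plan past its due date, which is exactly the "plan without follow-through" the slide warns about, while the high-tier cloud host with no recorded decision is flagged so the decide step is not skipped.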
  • 11. What types of assessments are there? Pre-procurement assessment: this is typically a shorter assessment based primarily on the organization’s security policy, with a focus on technology, data storage, and connectivity requirements. The goal is a quick decision on whether or not to use this product from a particular vendor. HIPAA-based risk assessments: these are typically much longer assessments that focus on a much broader range of HIPAA regulations. The questions are more in-depth and typically require detailed responses from a vendor. These assessments are also typically where a risk level is assigned to a vendor.
  • 12. What Are Some of the Challenges?
  • 13. What issues arise throughout the process?
      - Asking the right questions.
      - Having access to the contract documents.
      - Getting the correct documents back from the vendors.
      - Getting responses in a timely manner.
      - Ensuring that, going forward, you update new contracts with requirements for meeting your security requirements and retain the ability to assess or audit the vendors periodically.
      - Adding automation where you can.
      - Effective use of the data you have gathered. Where else would this data be helpful to the organization?
          - SOC/SIEM feeds
          - Cyber insurance validation
          - Supply chain
  • 14. What about staffing?
      - Vendor management can have a significant impact on staffing. Most entities do not have additional bodies to pull for these efforts, especially right now, while we are struggling to staff COVID-19 units while having to institute furloughs in our elective procedure areas.
      - At first the typical attempt is to assign portions of existing staff to this activity. These are usually either existing security or compliance staff. Early efforts may be via Excel spreadsheets and tracked manually.
  • 15. …And what about outsourcing?
      - Allows an organization to leverage the experience and existing vendor relationships the outsourcer already has.
      - Provides the benefit of access to subject matter experts (SMEs). No need to train existing staff on the process.
      - The agreements should contractually set SLAs and turnaround times for expedited requests.
      - A higher number of assessments can be completed, as the outsourced staff are working full time on them rather than as part of another role.
      - Standardized risk valuations, typically through the use of templates, which include critical, high, moderate, and low, with clear definitions of each value.
      - Assigning the assessment portions to a partner allows you to focus on remediation plans and tasks instead of spending time on the phone or in email tracking down answers.
  • 16. Thanks for tuning in! For more COVID-19 related podcast content, please visit www.cynergistek.com/podcasts.