Cyber Security Vendor Risk Management / Supply Chain Risk Management

Vendor Risk – Cyber Security Perspective

March 15th, 2017

P A G E 2

© 2016 Mafazo | All Rights Reserved

Introductions

Shannon Glass-Fisher

Practice Director, Information Security

Afidence

[email protected]

Max Aulakh

Information Security Professional

MAFAZO Cyber Security

[email protected]


Agenda

Business Case

Process Overview

Vendor Classification

Inherent Risk

Building your assessment

Manual Process

Process Automation

Monitoring Stage


Business Case | Headlines

Target Hackers Used Stolen Vendor Credentials

– Wall Street Journal, January 2014

Bank says a failure on vendor's part to correctly fix an identified instability within the bank's storage system led to the seven-hour service outage last week.

– By Eileen Yu, ZDNet Asia on July 14, 2010

New York Tightens Screws on 3rd Party Cyber-Risk

– By Chris Kentouris, FinOps Report on March 8, 2017

“It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.”

NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks 10/21/14


Business Case | Regulatory Pressure

1996: HIPAA passed

Jul ’01: GLBA

Nov ’01: OCC Bulletin 2001-47

May ’02: OCC Bulletin 2002-16

Aug ’03: CS Privacy SB 1386

May ’07: HF 1758, MN Plastic Card Security Act

Nov ’09: HITECH Act

Jan ’10: NRS 603, NV Data Security

Mar ’10: 201 MA Code Reg 17

Jul ’10: WA HB 1149

Jan ’11: PCI DSS 2

Mar ’12: CFPB Bulletin 2012-03

Mar ’13: Omnibus HIPAA Rule

Oct ’13: OCC Bulletin 2013-29

May ’14: PCI DSS 3

Oct ’16: DFARS 204.73

Companies often face direct financial impact!

3rd parties are a major source of data breaches!


Vendor Risk Process Overview

1. Inventory Vendors

2. Classify Vendor

3. Assessment Type

4. Coordinate

5. Self Assess / Review On Phone / Review On Site

6. Generate Issues

7. Finalize Corrective Plan

8. Monitor


Vendor Classification

• Scheme allows you to:

✓ Prioritize your vendors

✓ Build a relevant assessment for particular vendor

✓ Understand inherent risk posed by your vendors

✓ Allows for a flexible scoring system/model

• Many schemes with several factors

• Total Spend

• Financial Performance

• Criticality of the vendor’s service to the continuation of the client’s services

• Critical data being shared


Vendor Classification | Inherent

Inherent Risk factors and the example values shown on the slide:

Strategic Factors: High / Medium / Low

Vendor Criticality: High / Medium / Low

Regulations: HIPAA Business Associate, SOX 404, DFARS

Type: Cloud, On-Prem, Development

Data Amount: 100-200 Records, 200 – 300 Records, 1000 – 2000 Records


Assessment Building

Free Control Inventories

◦ NIST Cyber Security Framework

◦ NIST Risk Management Framework (900+ Controls)

◦ HIPAA Security Rule

◦ FedRAMP

◦ Custom Controls

◦ FFIEC Framework

◦ IT Examiner Handbook

Lower cost inventories (almost free)

◦ ISO 27000

◦ PCI-DSS

Overpriced Controls Data

◦ Shared Assessment/SIG

◦ Unified Compliance

◦ HITRUST

“a firm’s level of cybersecurity is only as good as the security of its vendors.”


Building an Assessment

Most vendors are assessed based on “standardized questions”.

◦ Would you ever ask a janitorial service if they have a Chief Security Officer?

Too many questions that are not relevant incentivize the vendor to “quickly” get through the assessment so they can conduct business.

Take vendor “fatigue” into consideration.


Assessment Auto-Tailoring

Software can automate much of this work, not only building the assessment but also selecting the type of questions you should be asking.

Certain industries require some standardized questions regardless of the size of the vendor – FedRAMP.

Too many questions that are not relevant incentivize the vendor to “quickly” get through the assessment so they can conduct business.

Take technical stack elements (database, operating systems, etc.) into consideration when tailoring.

◦ Don’t just accept “ISO or PCI” certifications – those are generally siloed efforts, not global.
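The classification and tailoring slides describe a scoring model (strategic factors, criticality, regulations, service type, data amount) that ranks vendors and drives which questions they get. The following is an added example, not the presenters' or Tryump's code: the weights, tier cut-offs and the small question bank are assumptions chosen to illustrate the idea, including skipping the "Chief Security Officer" question for low-tier vendors.

```python
from dataclasses import dataclass

# Illustrative weights, tier cut-offs and questions: assumptions for this
# example, not the slides' own scoring model or any product's question bank.
LEVEL = {"High": 3, "Medium": 2, "Low": 1}
REGULATION = {"HIPAA Business Associate": 3, "SOX 404": 2, "DFARS": 3}
SERVICE_TYPE = {"Cloud": 3, "Development": 2, "On-Prem": 1}

@dataclass
class Vendor:
    name: str
    strategic: str            # High / Medium / Low
    criticality: str          # High / Medium / Low
    regulations: tuple = ()   # e.g. ("HIPAA Business Associate",)
    service_type: str = "On-Prem"
    records: int = 0          # number of our records shared with the vendor
    stack: tuple = ()         # technical stack tags, e.g. ("database", "Linux")

def records_score(records: int) -> int:
    """Bucket the shared-record count into 1..3 (cut-offs are assumed)."""
    return 3 if records >= 1000 else 2 if records > 200 else 1

def inherent_score(v: Vendor) -> int:
    """Sum the slide's five factors; an unregulated vendor scores 0 there."""
    reg = max((REGULATION.get(r, 0) for r in v.regulations), default=0)
    return (LEVEL[v.strategic] + LEVEL[v.criticality] + reg
            + SERVICE_TYPE[v.service_type] + records_score(v.records))

def inherent_tier(v: Vendor) -> str:
    """Map the score (range 4..15 here) onto High / Medium / Low."""
    s = inherent_score(v)
    return "High" if s >= 12 else "Medium" if s >= 8 else "Low"

# Question bank: (question, minimum tier it applies to, required tag or None).
QUESTIONS = [
    ("Do you have a written information security policy?", "Low", None),
    ("Do you encrypt our data at rest and in transit?", "Medium", None),
    ("Do you have a Chief Security Officer or equivalent?", "High", None),
    ("Is the database patched and audited for access?", "Low", "database"),
    ("Will you sign a HIPAA Business Associate Agreement?", "Low", "HIPAA Business Associate"),
]

def tailor_assessment(v: Vendor) -> list:
    """Keep only questions matching the vendor's tier, stack and regulations."""
    rank = LEVEL[inherent_tier(v)]
    tags = set(v.stack) | set(v.regulations)
    return [q for q, min_tier, tag in QUESTIONS
            if LEVEL[min_tier] <= rank and (tag is None or tag in tags)]

def prioritize(vendors) -> list:
    """Order vendors by inherent score, highest first."""
    return sorted(vendors, key=inherent_score, reverse=True)
```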


Vendor Residual Risk

What if the vendor's cyber security risk (residual risk) remains too high after the assessment?

◦ Do you still conduct business with them?

What can we do to de-risk your vendors from a cyber security perspective?

◦ Supply chain experts use “The Beer Game” to illustrate the power of data sharing to manage product spikes and distribution, protecting both the vendor and the client.


Manual Assessment Process

1. Compliance Officer

› Manually extracts the NIST RMF or custom controls list into MS Word or Excel (Framework/Spreadsheet 1)

2. Security Officer & Legal

› Select or create a security framework linked to non-voluntary requirements

− SIG, NIST, etc…

› Vendor risk requirements finalized (Spreadsheet 2)

3. Security Officer

› Creates multiple compliance spreadsheets

− 5 - 10 columns, 100 - 200 rows

− Multi-user input

4. Sent to vendors (email system)

› Vendor reviews the spreadsheet

− Data collection

− Multiple inputs

Multiple spreadsheets

› By vendor

› By year

› By change


Automation

1 FTE is expected to manage the cyber risk of 1000+ vendors while managing everything else internally.

◦ What would you do if you had to manage the cyber security risk of hundreds of different vendors?

1 FTE is expected to build cyber assessments on the fly based on the “risk”.

◦ Look for the ability to build out any assessment from any control inventory.

Automation serves as a force multiplier.

◦ Reduction of man-hours and reduction of errors

Vendor cyber security automation can be almost as easy as “password reset self service”, but for your vendors.

◦ Incentivization

◦ Gaming engine to measure risk


Monitoring

Monitoring allows you to gather assessment trend data and breach data about your vendor.

Develop a plan for your vendor to reduce cyber risk over time.

Share relevant resources with your vendor (de-risk).

Co-develop a “Target Risk” profile.

◦ Set of requirements/controls/questions that should be met.


Summary

Business Case

Process Overview

Vendor Classification

Inherent Risk

Building your assessment

Manual Process

Process Automation

Monitoring Stage


Q&A

Shannon Glass-Fisher

Practice Director, Information Security

Afidence

[email protected]

Max Aulakh

Information Security Professional

MAFAZO Cyber Security

[email protected]

937-789-4216

www.mafazo.com


Backup | About Tryump

• Cyber compliance automation & orchestration platform

• Cyber security framework builder, manager and auto-mapper

• Manage use case complexity, scale and speed of assessment delivery

• Automate compliance testing & link technical results (pen-testing & other data).