The state of digital supplier risk management: In partners we trust

Presentation transcript:

The state of digital supplier risk management: In partners we trust
Session STR-W02
Leonel Navarro, PMP, CISSP, CISM, ISO27001LA
Global Information Security Practice Director, Softtek
@SofttekSecurity
- Standardize the use of capitalization

You are using systems in every direction, seeking to automate work to achieve company goals. What is the problem you are solving?

Like it or not, you have little choice other than to TRUST others with your information, and rely on their services and systems.
Like it or not, you have little choice other than to SHARE your information with others, and rely on their services and systems.
- Emphasize TRUST. Include a slide that changes SHARE to TRUST.
The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016

How many third parties do you think an organization integrates into its business?
- How many third parties do you think the average business integrates? Rhetorical question.

Cost and reputation damage explosion
“49% of companies have experienced a data breach through one of their vendors” - Data risk in the third party ecosystem, Ponemon Institute, April 2016.
“65% of companies experienced a supply chain disruption as a consequence of a cyber-attack” - IT Disruption risk, APQC, April 2015.
“More than half of organizations suffer damage of at least 20% of their value” - 2016 Cost of data breach study: Global Analysis, Ponemon, June 2016.
“28% of supply chain disruptions lead to reporting balance sheet impacts” - Supply Chain Risk Management Study, Supply Chain Insights LLC, July 2015.
Why now? Why is this the moment they should change what has been working? Why do they need to take immediate action?
- Add one news headline about a case where this was a problem.
- Use three or four of the six quotes that fit on one slide to make the case.

What do you estimate to be the % of data breaches associated with third parties?
- Poll

Source of data breaches
- Add an arrow that shows the trend going even higher for your supplier
The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016

Which one of your vendors poses the highest risk to your organization? What are you going to do about it?

Digital third party risk management is an important bridge to increase security.

Digital third party risk management
IDENTIFY - 3rd party risk profiling
EVALUATE - Risk-based assessment
SELECT - Effective due diligence
HIRE & INCORPORATE - Contractual liability
MANAGE & MONITOR - Metrics-based & remediation
SEPARATE & TERMINATE - Third party risk management
- Integrate both columns into one single graphic: third-party risk profiling; risk-based assessment; effective due diligence; support in remediation; continuous process & metrics based

The state of digital third party risk 2016
1,236 security & risk assessments
286 controls aligned to ISO 27001
14 security domains
The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016
- Split into two slides: cover and results
- Geographic distribution

The state of digital third party risk 2016
- Add an arrow that shows the trend going even higher for your supplier

Top 10 security controls that third parties fail on initial assessment
- Animation. Provide two versions of the document, one with animation and the other without.
The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016

The state of digital third party risk 2016
[Chart. X-axis: % of suppliers meeting all controls (0%, 50%, 75%, 100%). Y-axis: % of controls passed when partially compliant. Quadrants: SELECTIVE RISKS, ADVANCED MATURITY, GENERALIZED RISKS, SUPPLIER IMMATURITY. Domains plotted: Physical and environment security; System acquisition, development and maintenance; Cryptography; Information security incident management; Information security continuity; Access control; Network security management; Operations security; Organization of information security; Information transfer; Asset management; Human resource security; Regulatory compliance.]
The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016

Best-in-class and worst-in-class benchmarks
[Three chart slides; the charts are not included in the transcript.]
The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016

How would your third parties rank against best-in-class benchmarks?

Scoring your third parties

Risk Level | Data Sensitivity         | Data Usage             | Service Location
3: High    | Confidential information | Processing             | Remote with direct connection (VPN, P2P, B2B VPN)
2: Medium  | Private information      | Reporting / Consulting | Remote without direct connection (email, ftp, uploads, downloads)
1: Low     | Public information       | Storage                | Onsite

Classify third parties based on risk profiles.
Identify risks and classify them based on likelihood and impact:
Likelihood: occurrence percentage
Impact: integrity, confidentiality, availability, safety
Other factors: regulatory or contractual requirements; sensitivity or criticality of data assets

Scoring your third parties
Assessment domains: Information security policies; High privileged accounts; Network & infrastructure mgmt.; System availability; Physical security controls; Software development; Organization of information security; Human resource mgmt.; HR security and procedures; Communication & operations mgmt.; Access control; Incident management; Data security and change mgmt.; + 11 additional domains
Customized risk profile: industry aligned; 3rd party category
Aligned to: ISO 27001 or SANS 20 CSC; SSAE16, SOX, PCI
Questionnaire delivery: sending questionnaires in XLS format (encrypted); online portals to share and upload documents; specific tools for assessment

Scoring your third parties
Level 1: Excellent - complies with all controls audited
Level 2: Good - meets all critical and high risk controls but fails on low level controls
Level 3: Acceptable - meets only critical controls, but fails on high and low controls
Level 4: Weak - does not meet critical controls, and a remediation plan for high and low controls is pending
Level 5: Poor - does not meet any critical or high controls
- Letters of the chart may not be readable; put this in two slides.
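The risk-profile table (data sensitivity, data usage, service location) and the five maturity levels above, together with the two chart axes of the 2016 results (% of suppliers meeting all controls, % of controls passed when partially compliant), amount to a small scoring procedure. The Python below is an added example written for this transcript; it is not Softtek's assessment tooling or code from the presentation. The dimension keys, vendor names and control ids are constructed, and the max-across-dimensions rule for the risk profile, the pooling rule for "partially compliant", and the prioritisation order are assumptions of the example rather than statements from the slides.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical scoring helper (added example, not Softtek's tooling).
# Dimension values follow the "Scoring your third parties" table; the
# Level 1..5 rating follows the slide's definitions.
DATA_SENSITIVITY = {"confidential": 3, "private": 2, "public": 1}
DATA_USAGE = {"processing": 3, "reporting": 2, "storage": 1}  # reporting = reporting/consulting
SERVICE_LOCATION = {"remote_direct": 3, "remote_indirect": 2, "onsite": 1}
RISK_NAMES = {3: "High", 2: "Medium", 1: "Low"}
LEVEL_NAMES = {1: "Excellent", 2: "Good", 3: "Acceptable", 4: "Weak", 5: "Poor"}


def risk_level(sensitivity: str, usage: str, location: str) -> int:
    """Risk profile 1 (Low) .. 3 (High). Assumption not stated on the slide:
    the party inherits the highest level across the three dimensions, so a
    confidential-data processor is High even when it works onsite."""
    return max(DATA_SENSITIVITY[sensitivity], DATA_USAGE[usage], SERVICE_LOCATION[location])


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    criticality: str  # "critical", "high" or "low"
    passed: bool


def maturity_level(results: List[ControlResult]) -> int:
    """Map assessment outcomes to the slide's Level 1..5 scale."""
    outcomes = {"critical": [], "high": [], "low": []}
    for r in results:
        outcomes[r.criticality].append(r.passed)
    # all() of an empty list is True: a tier with no audited controls counts as met.
    crit_ok, high_ok, low_ok = (all(outcomes[t]) for t in ("critical", "high", "low"))
    if crit_ok and high_ok and low_ok:
        return 1  # Excellent: complies with all controls audited
    if crit_ok and high_ok:
        return 2  # Good: fails only low-level controls
    if crit_ok:
        return 3  # Acceptable: meets critical controls, fails some high/low
    if not any(outcomes["critical"]) and not any(outcomes["high"]):
        return 5  # Poor: does not meet any critical or high control
    return 4  # Weak: critical failures, remediation of high/low still pending


def prioritize(third_parties: Dict[str, dict]) -> List[str]:
    """Order parties for follow-up: highest risk profile first, then weakest
    maturity. This ordering rule is an assumption of the example."""
    def key(name: str):
        tp = third_parties[name]
        return (-risk_level(tp["sensitivity"], tp["usage"], tp["location"]),
                -maturity_level(tp["results"]), name)
    return sorted(third_parties, key=key)


def domain_benchmark(assessments: Dict[str, Dict[str, List[ControlResult]]]) -> Dict[str, dict]:
    """Per security domain, compute the two axes of the report's chart:
    % of suppliers meeting all controls, and % of controls passed among the
    suppliers that were only partially compliant (assumption: pooled over
    every control of every supplier that failed at least one)."""
    tally: Dict[str, dict] = {}
    for supplier, domains in assessments.items():
        for domain, results in domains.items():
            d = tally.setdefault(domain, {"suppliers": 0, "all_pass": 0, "partial_n": 0, "partial_ok": 0})
            d["suppliers"] += 1
            if all(r.passed for r in results):
                d["all_pass"] += 1
            else:
                d["partial_n"] += len(results)
                d["partial_ok"] += sum(1 for r in results if r.passed)
    return {
        domain: {
            "pct_suppliers_all_controls": 100.0 * d["all_pass"] / d["suppliers"],
            "pct_controls_passed_partial": (100.0 * d["partial_ok"] / d["partial_n"]) if d["partial_n"] else None,
        }
        for domain, d in tally.items()
    }


# Constructed sample data: hypothetical vendors and control ids.
SAMPLE = {
    "vendor-a": {"sensitivity": "confidential", "usage": "processing", "location": "remote_direct",
                 "results": [ControlResult("ctrl-01", "critical", True), ControlResult("ctrl-02", "high", False),
                             ControlResult("ctrl-03", "low", False)]},
    "vendor-b": {"sensitivity": "public", "usage": "storage", "location": "onsite",
                 "results": [ControlResult("ctrl-01", "critical", True), ControlResult("ctrl-02", "high", True),
                             ControlResult("ctrl-03", "low", True)]},
    "vendor-c": {"sensitivity": "private", "usage": "reporting", "location": "remote_indirect",
                 "results": [ControlResult("ctrl-01", "critical", False), ControlResult("ctrl-02", "high", False),
                             ControlResult("ctrl-03", "low", True)]},
}
BENCH = {
    "vendor-a": {"access_control": [ControlResult("ctrl-01", "critical", True), ControlResult("ctrl-02", "high", False)],
                 "cryptography": [ControlResult("ctrl-03", "high", True)]},
    "vendor-b": {"access_control": [ControlResult("ctrl-01", "critical", True), ControlResult("ctrl-02", "high", True)],
                 "cryptography": [ControlResult("ctrl-03", "high", True)]},
    "vendor-c": {"access_control": [ControlResult("ctrl-01", "critical", False), ControlResult("ctrl-02", "high", False)],
                 "cryptography": [ControlResult("ctrl-03", "high", False)]},
}

if __name__ == "__main__":
    for name in prioritize(SAMPLE):
        tp = SAMPLE[name]
        rl = risk_level(tp["sensitivity"], tp["usage"], tp["location"])
        ml = maturity_level(tp["results"])
        print(f"{name}: risk {RISK_NAMES[rl]}, maturity level {ml} ({LEVEL_NAMES[ml]})")
    for domain, metrics in domain_benchmark(BENCH).items():
        print(domain, metrics)
```

On the sample data, vendor-a (High risk profile, Acceptable maturity) is ranked ahead of vendor-c (Medium profile, Poor maturity) because risk profile is the first sort key; swap the key order if the programme prefers to chase the weakest suppliers first regardless of exposure. The benchmark places each domain on the same two axes as the report's chart, which is what lets the four quadrant labels (selective risks, advanced maturity, generalized risks, supplier immaturity) be applied to an organisation's own supplier base.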

The digital third party risk management framework
Management - Reporting - Support
Third party audit management: Metrics; Policies & standards; Third party inventory; Third party profiling
Generation: Third party policy definition; Risk assessment (evidence gathering, analysis); Contractual guidelines
Report generation: Third party mitigation plan; Action plan definition; Training & awareness
Remediation: Support & follow-up; Remediation support; Evidence gathering; Verification
Process improvement
- Add an arrow that shows the trend going even higher for your supplier

How do I apply this?

Apply what you have learned today
Based on your risk profile, identify your critical third parties
Use the top 10 security controls list to open conversations
Incorporate the top 10 security controls into your next audit cycle
Generate metrics, benchmark your third parties, and create internal awareness with them
Incorporate security requirements (liability, fourth parties) into your contracts
- Get rid of the overwritten title
- Too much content on the slide

Apply what you have learned today
Follow the internal procurement process and evaluate the cyber risk from the beginning
Perform due diligence with new third parties to understand their cybersecurity maturity level
Define communication processes to deal effectively with security incidents
Perform continuous process validation and verification
Improve your third party risk management program across its lifecycle

Q&A Leonel Navarro, PMP, CISSP, CISM, ISO27001LA Softtek @SofttekSecurity / @LeonelNavarroS