Presentation is loading. Please wait.

Presentation is loading. Please wait.

Third Party Risk Governance in a Diverse Environment

Published byDarlene Kelley Modified over 6 years ago

Similar presentations

Presentation on theme: "Third Party Risk Governance in a Diverse Environment"— Presentation transcript:

1 Third Party Risk Governance in a Diverse Environment
Iman Joshua CISO, Healthagen

2 How are most organizations handling Third Party Risk?
The methods that we use to evaluate Third Party Risk are generally inadequate and do not provide a holistic view of that party or their relevant risk. What do we normally do? Questionnaires Onsite Visit 3rd Party Audit How can we design this process better?

3 An holistic approach to managing third party risk
Classify Business Risk Data Classification Impact Categorize Vendors Engagement Capabilities Evaluation Tools Remediation Tracking

4 Categorizing Vendors

5 Third Party Risk Governance Program
BUSINESS FORMS THIRD PARTY UNIVERSE THIRD PARTY GOVERNANCE eGRC TRACKING TOOL LAW FIRMS CATEGORY RISK GRID Encryption & Authentication Security Performance

6 How did we get here? Define required controls that all departments must follow Create an inventory of Third parties Procurement Business Contract reviews, submitted RFPs Educate Educate Educate! Vendor Conferences Employee training Create a “gate” in procurement and legal Identify a central searchable repository Determine which tools are going to be used for evaluation BSIMM VAST/Veracode Prevalent – Security Questionnaires Third Party Assessments – SIG, AUP, SOC, etc Security Scorecard

7 Centralized Portal for Tracking via Archer

8 Third Party Governance Controls
Several controls added to the Third Party Governance Process specifically address cyber security risks: CONTROL DETAIL TYPE Standardized Information Gathering Tool(SIG) Questionnaire Full SIG for Hosting Third Parties 2015 Agreed Upon Procedures (AUP) 90+ Controls Reviewed by Third Party Controls Assessment Vendor Building Security In Maturity Model (vBSIMM) Software Security Maturity Assessment Performed by Assessor Conducted by Third Party and Shared with Assessor Code Scan Vulnerability Scan Controls Obtained Through Network Scanning of Internet Facing Endpoint Security Performance Controls Assessment Copyright Aetna Inc.

9 Standardized Information Gathering (SIG)
ASSESSOR & THIRD PARTY COMPLETED SIG SIG ASSESSMENT EXCHANGE PROVIDE THIRD PARTY OPPORTUNITY TO ANSWERS FOLLOW UP VIA PRIOR TO MEETING SIG and SIG Hybrid areas: SIG Management Tool: Runs mismatch of Third Party SIG and Master SIG FINAL ACTION ITEM & SCORING Compilation of questions to determine how IT and Data Security risks are managed across a broad spectrum of risk control areas Full SIG – over 1,500 questions 95.0% Control Accomplishments “I like the fact that Company X is working to help the industry remove the need to complete assessments by providing the opportunity to complete one SIG and use it for additional engagements -” stated by multiple Third Parties eGRC TRACKING TOOL Awareness of Third Party IT and Data Security vulnerabilities SIG Master is compared to the Third Party SIG for vulnerabilities to be remediated Remediation action items for vulnerabilities tracked to completion and re-assessed for sign off / accountability REMEDIATION ACTION ITEMS STORED IN TRACKING TOOL & DOCUMENTED IN CONTRACTS Copyright Aetna Inc.

10 AUP vs SOC2 Determine a single control standard
Determine if supplemental documentation will be accepted Engage a Third Party as a preferred Third Party Understand the difference between the AUP and the multiple types of SOC(s) Copyright Aetna Inc.

11 Vendor Building Security In Maturity Model (vBSIMM)
ASSESSOR & THIRD PARTY COMPLETED vBSIMM ASSESSMENT REVIEW MTG PROVIDE TRAINING FINAL ACTION ITEM & SCORING vBSIMM PROCESS AREAS: ASSESSMENT & INITIAL SCORING SYSTEM: Architecture Analysis Code Review Security Testing Penetration Testing Configuration Management – Incident Response / Vulnerability Management Top Total Score = 15 points Top Total Score for each area = 3 points 0 = Not Implemented 1 = Low Maturity 2 = Medium Maturity 3 = High Mature Control Accomplishments Awareness of Third Party software development vulnerabilities Training provided to Third Party to improve maturity “Thank you for taking the time to teach us the process and the areas where our software development can be improved-” Third Party Remediation action items for vulnerabilities tracked to completion and re-assessed for sign off / accountability 90.0% eGRC TRACKING TOOL REMEDIATION ACTION ITEMS STORED IN TRACKING TOOL & DOCUMENTED IN CONTRACTS Copyright Aetna Inc.

12 Application Security and Third Party Risk Management
What is vBSIMM? Simply put, vBSIMM is an assessment process that provides visibility into the maturity of a Third Party’s ability to deliver secure software by evaluating: Architecture Analysis Code Review Config / Vuln Mgmt vBSIMM Security Testing Penetration Testing vBSIMM Practices (1) Architecture Analysis Activity Third Party performs security design / architecture / feature review (threat models). Code Review Activity Third Party uses automated tools and/or manual review. Security Testing Activity Third Party ensures QA supports edge/boundary value condition testing. Penetration Testing Activity Third Party uses penetration testers to identify security vulnerabilities. Configuration Management - Incident Response / Vulnerability Management Third Party uses vulnerability/ incident data to modify security practices (prevention). Copyright Aetna Inc.

13 Security Alert & Performance Tool
The intent is to provide awareness to vulnerabilities and help uplift Third Party's’ security posture to the maturity of your company. Copyright Aetna Inc.

14 How do we continue to educate others?
Annual Vendor Conference Vendor Portal AV-ISAC

15 F. Iman Joshua ijoshua@aetna.com
Thank you! Questions? F. Iman Joshua

Download ppt "Third Party Risk Governance in a Diverse Environment"

Similar presentations

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]

National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
IT Outsourcing Management

IT Outsourcing Management
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Professional Systems Associates, Inc. We’ve been building powerful, people-oriented software solutions for commercial and government.

Professional Systems Associates, Inc. We’ve been building powerful, people-oriented software solutions for commercial and government.
Network security policy: best practices

Network security policy: best practices
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.

PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology.

Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
David N. Wozei Systems Administrator, IT Auditor.

David N. Wozei Systems Administrator, IT Auditor.

Similar presentations

Ads by Google