Download presentation
Presentation is loading. Please wait.
Published byDarlene Kelley Modified over 6 years ago
1
Third Party Risk Governance in a Diverse Environment
Iman Joshua CISO, Healthagen
2
How are most organizations handling Third Party Risk?
The methods that we use to evaluate Third Party Risk are generally inadequate and do not provide a holistic view of that party or their relevant risk. What do we normally do? Questionnaires Onsite Visit 3rd Party Audit How can we design this process better?
3
An holistic approach to managing third party risk
Classify Business Risk Data Classification Impact Categorize Vendors Engagement Capabilities Evaluation Tools Remediation Tracking
4
Categorizing Vendors
5
Third Party Risk Governance Program
BUSINESS FORMS THIRD PARTY UNIVERSE THIRD PARTY GOVERNANCE eGRC TRACKING TOOL LAW FIRMS CATEGORY RISK GRID Encryption & Authentication Security Performance
6
How did we get here? Define required controls that all departments must follow Create an inventory of Third parties Procurement Business Contract reviews, submitted RFPs Educate Educate Educate! Vendor Conferences Employee training Create a “gate” in procurement and legal Identify a central searchable repository Determine which tools are going to be used for evaluation BSIMM VAST/Veracode Prevalent – Security Questionnaires Third Party Assessments – SIG, AUP, SOC, etc Security Scorecard
7
Centralized Portal for Tracking via Archer
8
Third Party Governance Controls
Several controls added to the Third Party Governance Process specifically address cyber security risks: CONTROL DETAIL TYPE Standardized Information Gathering Tool(SIG) Questionnaire Full SIG for Hosting Third Parties 2015 Agreed Upon Procedures (AUP) 90+ Controls Reviewed by Third Party Controls Assessment Vendor Building Security In Maturity Model (vBSIMM) Software Security Maturity Assessment Performed by Assessor Conducted by Third Party and Shared with Assessor Code Scan Vulnerability Scan Controls Obtained Through Network Scanning of Internet Facing Endpoint Security Performance Controls Assessment Copyright Aetna Inc.
9
Standardized Information Gathering (SIG)
ASSESSOR & THIRD PARTY COMPLETED SIG SIG ASSESSMENT EXCHANGE PROVIDE THIRD PARTY OPPORTUNITY TO ANSWERS FOLLOW UP VIA PRIOR TO MEETING SIG and SIG Hybrid areas: SIG Management Tool: Runs mismatch of Third Party SIG and Master SIG FINAL ACTION ITEM & SCORING • Compilation of questions to determine how IT and Data Security risks are managed across a broad spectrum of risk control areas Full SIG – over 1,500 questions • 95.0% Control Accomplishments “I like the fact that Company X is working to help the industry remove the need to complete assessments by providing the opportunity to complete one SIG and use it for additional engagements -” stated by multiple Third Parties eGRC TRACKING TOOL Awareness of Third Party IT and Data Security vulnerabilities SIG Master is compared to the Third Party SIG for vulnerabilities to be remediated Remediation action items for vulnerabilities tracked to completion and re-assessed for sign off / accountability REMEDIATION ACTION ITEMS STORED IN TRACKING TOOL & DOCUMENTED IN CONTRACTS Copyright Aetna Inc.
10
AUP vs SOC2 Determine a single control standard
Determine if supplemental documentation will be accepted Engage a Third Party as a preferred Third Party Understand the difference between the AUP and the multiple types of SOC(s) Copyright Aetna Inc.
11
Vendor Building Security In Maturity Model (vBSIMM)
ASSESSOR & THIRD PARTY COMPLETED vBSIMM ASSESSMENT REVIEW MTG PROVIDE TRAINING FINAL ACTION ITEM & SCORING vBSIMM PROCESS AREAS: ASSESSMENT & INITIAL SCORING SYSTEM: Architecture Analysis Code Review Security Testing Penetration Testing Configuration Management – Incident Response / Vulnerability Management Top Total Score = 15 points Top Total Score for each area = 3 points 0 = Not Implemented 1 = Low Maturity 2 = Medium Maturity 3 = High Mature Control Accomplishments Awareness of Third Party software development vulnerabilities Training provided to Third Party to improve maturity “Thank you for taking the time to teach us the process and the areas where our software development can be improved-” Third Party Remediation action items for vulnerabilities tracked to completion and re-assessed for sign off / accountability 90.0% eGRC TRACKING TOOL REMEDIATION ACTION ITEMS STORED IN TRACKING TOOL & DOCUMENTED IN CONTRACTS Copyright Aetna Inc.
12
Application Security and Third Party Risk Management
What is vBSIMM? Simply put, vBSIMM is an assessment process that provides visibility into the maturity of a Third Party’s ability to deliver secure software by evaluating: Architecture Analysis Code Review Config / Vuln Mgmt vBSIMM Security Testing Penetration Testing vBSIMM Practices (1) Architecture Analysis Activity Third Party performs security design / architecture / feature review (threat models). Code Review Activity Third Party uses automated tools and/or manual review. Security Testing Activity Third Party ensures QA supports edge/boundary value condition testing. Penetration Testing Activity Third Party uses penetration testers to identify security vulnerabilities. Configuration Management - Incident Response / Vulnerability Management Third Party uses vulnerability/ incident data to modify security practices (prevention). Copyright Aetna Inc.
13
Security Alert & Performance Tool
The intent is to provide awareness to vulnerabilities and help uplift Third Party's’ security posture to the maturity of your company. Copyright Aetna Inc.
14
How do we continue to educate others?
Annual Vendor Conference Vendor Portal AV-ISAC
15
F. Iman Joshua ijoshua@aetna.com
Thank you! Questions? F. Iman Joshua
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.