
Third-party risk management (TPRM)


1 Third-party risk management (TPRM)
The Weakest Link in Cyber Security

2 TPRM: the drivers
- 65% of breaches are linked to third parties
- 94% plan to spend more on TPRM over the next 12 months
- 83% of business leaders lack confidence in their TPRM programmes
Organisations are experiencing a growth in third-party associated cyber security risks, meaning a greater focus on third-party related governance and reporting. However, traditional TPRM programmes are resource intensive and provide only a snapshot-in-time view.

Speaker notes: There has been a lot of talk in the media about this 65% statistic from the Ponemon Institute report. The same Ponemon Institute report suggested that 75% of companies think this number will increase. Third-party risk is on companies' radar (94% plan to spend more, driven by increased regulator focus), but what we are seeing is that many companies lack confidence in traditional TPR programmes (manual, time consuming, providing only a snapshot-in-time view of risk), and so are seeking alternative approaches to supplement their third-party risk management. Source: Ponemon Institute Third Party Risk Report 2018.

3 A real-world example: Target Corporation
- Breach caused by an air-conditioning supplier with a connection to Target's network for billing and contract purposes
- Attackers installed malware using the air-conditioning supplier's stolen credentials
- 40 million credit card numbers and verification codes, and 60 million customer profiles, were exfiltrated
- $18.5m fine, the largest to date for a data breach
- CEO and CIO resigned
- Profits fell by 46% in the quarter following the breach

4 Third-party risk management: best practice approach
Assess: prioritised list; vendor importance; connectivity; data sensitivity; acceptable risk; physical location; governance; compliance
Monitor: regular monitoring and tracking; threat landscape and trends; patching and detection; improvement reporting; ongoing process
Remediate: breach planning; remediation guidance; regulatory response; contractual enforcement; peer benchmarking

5 Organisations need a way to translate and distil this cyber activity into meaningful information so they can identify third-party risks and create effective programmes.

Speaker notes: Organisations are often not short on third-party information (questionnaires provide a lot of it); the issue is turning this information into meaningful, actionable insight with a business context.

6 Quantifying risk: cyber security ratings
Cyber security ratings provide a quantifiable correlation to third-party risk and data breaches. A breach is:
- 5x more likely if your rating is below 400 than if it is above 700
- 3x more likely if 50% of your computers are running updated OS
- 2x more likely if the Open Port risk vector grade is F
But they require considerable effort to administer effectively, at a time when companies often have resource shortages and skills gaps.

Speaker notes: This is where company cyber security ratings are finding their place and becoming the norm; organisations are starting to see them as the equivalent of a credit score or rating. They provide an independent view of a company's cyber security posture using a non-intrusive, "outside-in" approach, that is, its publicly visible technology footprint. This enables companies to get a view of the security risks across their vendor portfolio very quickly, allowing them to understand where the main risks are and focus their efforts (not just the rating, but the why and how to fix it), and, importantly, on a continual basis in near real time: ratings are updated daily, with 130k companies mapped. Benchmarking is key too: see how vendors are performing against their industry peers. Ratings provide a quantifiable correlation between rating and data breach risk. But they require resources and skills to run effectively, both of which are in short supply, and this is where we feel we can add significant value.

7 Rating methodology
Rating bands: 740 - 900 ADVANCED; 640 - 740 INTERMEDIATE; 250 - 640 BASIC
- Non-invasive techniques
- Publicly accessible threat intel sources
- 3 categories of risk vector:
  Events: known IP addresses associated with malware (botnets, malicious servers, spam)
  Diligence: extent to which security features and protocols are implemented (open ports, encryption, SSL, SPF)
  User behaviour: potentially insecure practices like peer-to-peer file sharing

Speaker notes: Just to quickly touch on the rating methodology. Map a company's IP addresses and domains. Track events from these sources and attribute them to the company using a proprietary algorithm. Ratings are also influenced by remediation response speeds.

8 The solution: three components (ITC TPRM managed service)
1. Setup and onboarding
2. Monitoring and alerting
3. Regular monthly reporting
Setup and onboarding:
- Comprehensive onboarding process underpinned by cyber security experts to ensure best practice advice on identifying, monitoring, and managing third-party risk
- Agree levels of risk tolerance to drive alert preferences and settings
- Highlight immediately actionable remediation guidance for "at risk" low-rating third parties

Speaker notes: A fully managed service. We've broken the service down into three components, and we'll go into more detail on each shortly. We provide a comprehensive onboarding process underpinned by cyber security experts to ensure best practice and effective setup right from the start to identify, monitor, and manage third-party risk. Led by a senior cyber security expert and supported by a cyber analyst.

9 The solution: three components (ITC TPRM managed service)
1. Setup and onboarding
2. Monitoring and alerting
3. Regular monthly reporting
Monitoring and alerting:
- Continuous monitoring of identified priority third parties by an expert cyber analyst
- Daily event alerts for significant third-party profile rating and risk changes, including recommended remediation actions to enable easy collaboration with the affected third party
- Status tracker for critical third-party remediation actions within the current month to drive fast vendor response and resolution

Speaker notes: This starts once the customer is successfully onboarded. Critically, continuous monitoring is the differentiator over and above the point-in-time, snapshot view of traditional TPRM programmes. Point 2) We will package up all the information required to address the identified risk or issue in a clear, timely and concise manner, so that the customer can easily collaborate with the vendor on remediation. Point 3) The key is that we will track previous alerts for evidence of vendor remediation, so that customers can follow up with vendors and start to integrate this into SLAs if necessary (60% of critical vendor issues stay unresolved for over 6 months).

10 The solution: three components (ITC TPRM managed service)
1. Setup and onboarding
2. Monitoring and alerting
3. Regular monthly reporting
Regular monthly reporting:
- Monthly performance reporting and trend analysis highlighting overall third-party risk posture, industry trends, benchmarking, and threat activity
- Remediation analysis and guidance on identified "at risk" low-rating third parties
- Designed for board-level consumption

Speaker notes: Performed by a cyber analyst. Each month there is the opportunity to discuss, refine and fine-tune monitoring thresholds (alert settings etc.).

11 The solution: key features (ITC TPRM managed service)
Setup and onboarding:
- Onboarding Risk Assessment Report: priority vendor rating performance overview, and actionable remediation guidance for highlighted "at risk" vendors
- Onboarding workshop: identify and agree risk areas, assess existing policies and governance to highlight integration touch-points with the TPRM service, define service processes, set alerting thresholds and preferences
Monitoring and alerting:
- Continuous monitoring
- Daily alerts based on: rating and risk vector changes; infections, vulnerabilities and breaches
- Recommended remediation guidance to enable easy collaboration with the affected third party
- Bookable expert cyber analyst support
- Annual programme review and refinement workshop
Regular monthly reporting:
- Performance overview of monitored third parties, by score rating and risk changes
- Monthly alert summary and trends
- Third-party trend analysis: significant rating or grade drops; performance vs industry benchmarks; summary of infections, vulnerabilities and breaches by affected vendor
- De-brief call: Q&A, threshold refinement

Speaker notes: Again, the key point is that all of this is underpinned by cyber security experts: onboarding, monitoring, and reporting. A simple run-through of the key features. Onboarding is itself a three-stage process: identify priority vendors using our criteria scoring framework; produce a priority vendor onboarding report providing a key vendor performance overview and highlighting areas of risk for immediate action; then, informed by the report and an assessment of the current TPRM governance framework, undertake a one-hour workshop or call with the customer. Monitoring and alerting: critically, unlike traditional questionnaire-based TPRM programmes, this is not a snapshot in time and provides continuous monitoring (the system updates ratings and risk vector grades daily). The key value is providing relevant, concise remediation guidance so that our customers can engage vendors quickly and easily to support remediation. Monthly reporting: track trends, breaches, infections and poorly performing third parties. Both the on-demand cyber analyst monthly support calls and the monthly report de-brief calls can be used to review and fine-tune alert thresholds and risk settings to optimise programme performance.
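To make the daily alerting and remediation status tracking described on slides 7, 9 and 11 concrete, here is an added Python example (not ITC's or any rating provider's code): it uses the rating bands from the methodology slide, while the tolerance, drop threshold, vendor names and ratings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Rating bands from the methodology slide as (floor, label); 250 is the scale minimum.
BANDS = [(740, "ADVANCED"), (640, "INTERMEDIATE"), (250, "BASIC")]


def band_for(rating: int) -> str:
    """Map a numeric rating to its band label."""
    for floor, label in BANDS:
        if rating >= floor:
            return label
    raise ValueError(f"rating {rating} is below the 250 scale minimum")


@dataclass
class Alert:
    vendor: str
    reason: str
    old: int
    new: int
    raised: str  # ISO date the alert was raised


def daily_alerts(previous, current, today, tolerance=640, max_drop=50):
    """Compare yesterday's and today's ratings per vendor and raise at most one
    alert each when a vendor crosses the agreed tolerance, drops sharply, or
    moves down a band. tolerance and max_drop stand in for the hypothetical
    alert settings agreed with the customer at onboarding."""
    alerts = []
    for vendor, new in sorted(current.items()):
        old = previous.get(vendor, new)  # first day seen: nothing to compare
        if old >= tolerance > new:
            reason = "rating fell below agreed tolerance"
        elif old - new >= max_drop:
            reason = f"rating dropped {old - new} points in one day"
        elif new < old and band_for(new) != band_for(old):
            reason = f"moved from {band_for(old)} to {band_for(new)}"
        else:
            continue
        alerts.append(Alert(vendor, reason, old, new, today))
    return alerts


def overdue(open_alerts, today, max_age_days=30):
    """Status tracker: open alerts older than max_age_days, oldest first."""
    now = date.fromisoformat(today)
    late = [a for a in open_alerts
            if (now - date.fromisoformat(a.raised)).days > max_age_days]
    return sorted(late, key=lambda a: a.raised)


# Constructed sample data: two daily snapshots for three monitored vendors.
YESTERDAY = {"acme-hvac": 655, "cloudco": 760, "printshop": 620}
TODAY = {"acme-hvac": 630, "cloudco": 700, "printshop": 615}
```

Running `daily_alerts(YESTERDAY, TODAY, "2024-01-02")` raises alerts for acme-hvac (below tolerance) and cloudco (60-point drop) but not printshop, whose small move stays within the BASIC band.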

12 Benefits of our solution
- Expert advice for best practice setup, monitoring, and management of third-party risk
- Alerts backed by professional analysis for improved risk insight
- Effective remediation guidance to reduce the risk of breaches and facilitate easy vendor engagement
- Tracking and trend information to monitor individual companies
- Peer-based benchmarking

Speaker notes: Peer benchmarking is a hot topic at senior management and board level, as it provides quantifiable evidence of where they stand and generates urgency and investment.
