The state of digital supplier risk management: In partners we trust

Presentation on theme: "The state of digital supplier risk management: In partners we trust"— Presentation transcript:

1 The state of digital supplier risk management: In partners we trust
STR-W02 The state of digital supplier risk management: In partners we trust
Leonel Navarro, PMP, CISSP, CISM, ISO27001LA, Global Information Security Practice Director, Softtek, @SofttekSecurity
- Standardize the use of capitalization

2 You are using systems in every direction, seeking to automate work to achieve company goals.
What is the problem you are solving? 2

Like it or not, you have little choice other than to TRUST others with your information, and rely on their services and systems.
Like it or not, you have little choice other than to SHARE others with your information, and rely on their services and systems.
- Emphasize TRUST – Include a slide to change SHARE to TRUST
The State of Digital Third-Party Risk 2016 Report - 3

4 How many third parties do you think an organization integrates into its business?
- How many 3rd parties do you think the average business? - rhetorical question 4

5 Cost and reputation damage explosion
“49% of companies have experienced a data breach through one of their vendors” - Data risk in the third party ecosystem, Ponemon Institute, April 2016.
“65% of companies experienced a supply chain disruption as a consequence of a cyber-attack” - IT Disruption risk, APQC, April 2015.
“More than half of organizations suffer damage of at least 20% of their value” - Cost of data breach study: Global Analysis, Ponemon, June 2016.
“28% of supply chain disruptions lead to reporting balance sheet impacts” - Supply Chain Risk Management Study, Supply Chain Insights LLC, July 2015.
Why now? Why is this the moment they should change what’s been working? Why do they need to take immediate action?
- Add one news headline with a case where this was a problem
- Three or four of the six that can fit in one slide to make the case 5

6 What do you estimate to be the % of data breaches associated with third parties?
- Poll 6

7 Source of data breaches
Add an arrow that shows a trending even higher for your supplier The State of Digital Third-Party Risk 2016 Report - 7

8 Which one of your vendors poses the highest risk to your organization?
What are you going to do about it? 8

9 Digital third party risk management is an important bridge to increase security.
9

10 Digital third party risk management
IDENTIFY: 3rd party risk profiling
EVALUATE: Risk-based assessment
SEPARATE & TERMINATE: Third party risk management
SELECT: Effective due diligence
MANAGE & MONITOR: Metrics-based & remediation
HIRE & INCORPORATE: Contractual liability
- Integrate both columns into one single graphic
Third-party risk profiling; Risk-based assessment; Effective due diligence; Support in remediation; Continuous process & metrics based 10

11 The state of digital third party risk 2016
1,236 security & risk assessments; 286 controls aligned to ISO 27001; 14 security domains
The State of Digital Third-Party Risk Report
- Split in two slides: cover and the results
- Geographical distribution 11

12 The state of digital third party risk 2016
Add an arrow that shows a trending even higher for your supplier 12

13 Top 10 security controls that third parties fail on initial assessment
- Animation. Provide two versions of the document, one with animation and the other without.
The State of Digital Third-Party Risk 2016 Report - 13

14 The state of digital third party risk 2016
[Chart: security domains plotted by "% of suppliers meeting all controls" (x-axis, 0% to 100%) against "% of controls passed when partially compliant" (y-axis, 0% to 100%). Quadrants: SELECTIVE RISKS, ADVANCED MATURITY, GENERALIZED RISKS, SUPPLIER IMMATURITY.]
Domains plotted: Physical and environment security; System acquisition, development and maintenance; Cryptography; Information security incident management; Information security continuity; Access control; Network security management; Operations security; Organization of information security; Information transfer; Asset management; Human resource security; Regulatory compliance
The State of Digital Third-Party Risk 2016 Report - 14

15 Best-in-class and worst-in-class benchmarks
The State of Digital Third-Party Risk 2016 Report -

16 Best-in-class and worst-in-class benchmarks
The State of Digital Third-Party Risk 2016 Report - 16

17 Best-in-class and worst-in-class benchmarks
The State of Digital Third-Party Risk 2016 Report - 17

18 How would your third parties rank against best-in-class benchmarks?
18

19 Scoring your third parties
Risk Level | Data Sensitivity         | Data Usage             | Service Location
3: High    | Confidential information | Processing             | Remote with direct connection (VPN, P2P, B2B VPN)
2: Medium  | Private information      | Reporting / Consulting | Remote without direct connection ( , ftp, uploads, downloads)
1: Low     | Public information       | Storage                | Onsite
Classify third parties based on risk profiles.
Identify risks and classify them based on likelihood and impact:
Likelihood: occurrence percentage
Impact: integrity, confidentiality, availability, safety
Other factors: regulatory or contractual requirements; sensitivity or criticality of data assets

20 Scoring your third parties
Domains assessed: Information security policies; High privileged accounts; Network & infrastructure mgmt.; System availability; Physical security controls; Software development; + 11 additional domains (Organization of information security; Human resource mgmt.; HR security and procedures; Communication & operations mgmt.; Access control; Incident management; Data security and change mgmt.)
Customized: risk profile; industry aligned; 3rd party category; aligned to ISO or SANS 20 CSC, SSAE16, SOX, PCI
Questionnaire delivery: sending questionnaires in XLS format (encrypted); online portals to share and upload documents; specific tools for assessment 20

21 Scoring your third parties
Level 1: Excellent – Complies with all controls audited
Level 2: Good – Meets all critical and high risk controls but fails on low level controls
Level 3: Acceptable – Meets only critical controls, but fails on high and low controls
Level 4: Weak – Does not meet critical controls and has a pending remediation plan for high and low controls
Level 5: Poor – Does not meet any critical or high controls
- Letters of the chart may not be readable, put this in two slides.

22 Scoring your third parties
- Letters of the chart may not be readable, put this in two slides.
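The three scoring rules the deck describes (the risk-profile table of slide 19, the five-level compliance scale of slide 21, and the "% of suppliers meeting all controls" / "% of controls passed when partially compliant" axes of slide 14) can be run as one small program. The following is an added example, not code from the presentation or from Softtek; the supplier names, control ids, domain names and pass/fail results are constructed, and the way the three profile columns combine (highest factor wins) and the boundary between Level 4 and Level 5 are assumptions, since the slides do not spell them out.

```python
"""Third-party risk scoring and benchmarking helpers (added example).

Implements, over constructed sample data:
  - risk profile (slide 19): data sensitivity, data usage and service
    location scored 3/2/1; overall profile = highest of the three (assumed);
  - compliance level (slide 21): Level 1 (Excellent) .. Level 5 (Poor) from
    pass/fail results on controls tagged critical / high / low;
  - domain benchmark (slide 14): % of suppliers meeting all controls in a
    domain, and % of controls passed by the partially compliant ones.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Slide 19 scoring table as lookups (3 = High, 2 = Medium, 1 = Low).
DATA_SENSITIVITY = {"confidential": 3, "private": 2, "public": 1}
DATA_USAGE = {"processing": 3, "reporting": 2, "consulting": 2, "storage": 1}
SERVICE_LOCATION = {"remote_direct": 3,    # VPN, P2P, B2B VPN
                    "remote_indirect": 2,  # ftp, uploads, downloads
                    "onsite": 1}
RISK_LABEL = {3: "High", 2: "Medium", 1: "Low"}


def risk_profile(sensitivity: str, usage: str, location: str) -> Tuple[int, str]:
    """Overall profile driven by the highest-scoring factor (assumption:
    the slide does not say how the columns combine; max is the
    conservative choice for a screening profile)."""
    score = max(DATA_SENSITIVITY[sensitivity], DATA_USAGE[usage],
                SERVICE_LOCATION[location])
    return score, RISK_LABEL[score]


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    domain: str
    criticality: str  # "critical", "high" or "low"
    passed: bool


def compliance_level(results: List[ControlResult]) -> Tuple[int, str]:
    """Map audited control results onto the five-level scale of slide 21."""
    tiers = ("critical", "high", "low")
    failed = {t for t in tiers if any(not r.passed for r in results if r.criticality == t)}
    passed_any = {t for t in tiers if any(r.passed for r in results if r.criticality == t)}
    if not failed:
        return 1, "Excellent"       # complies with all controls audited
    if "critical" not in failed and "high" not in failed:
        return 2, "Good"            # fails only low-level controls
    if "critical" not in failed:
        return 3, "Acceptable"      # meets critical, fails high (and low)
    # Critical controls failed. Assumption: Poor when no critical or high
    # control passed at all; otherwise Weak (remediation plan pending).
    if not (passed_any & {"critical", "high"}):
        return 5, "Poor"
    return 4, "Weak"


def domain_benchmark(assessments: Dict[str, List[ControlResult]],
                     domain: str) -> Tuple[float, float]:
    """Slide 14 metrics for one domain across all assessed suppliers:
    (% of suppliers meeting all controls, % of controls passed by the
    partially compliant suppliers, i.e. those passing some but not all)."""
    full = scored = 0
    partial_passed = partial_total = 0
    for results in assessments.values():
        in_domain = [r for r in results if r.domain == domain]
        if not in_domain:
            continue                # supplier not assessed in this domain
        scored += 1
        n_passed = sum(r.passed for r in in_domain)
        if n_passed == len(in_domain):
            full += 1
        elif n_passed > 0:
            partial_passed += n_passed
            partial_total += len(in_domain)
    pct_full = 100.0 * full / scored if scored else 0.0
    pct_partial = 100.0 * partial_passed / partial_total if partial_total else 0.0
    return round(pct_full, 1), round(pct_partial, 1)


# Constructed sample: three suppliers, two domains, four controls each.
SAMPLE_ASSESSMENTS = {
    "supplier_a": [ControlResult("AC-1", "Access control", "critical", True),
                   ControlResult("AC-2", "Access control", "high", True),
                   ControlResult("AC-3", "Access control", "low", True),
                   ControlResult("CR-1", "Cryptography", "critical", True)],
    "supplier_b": [ControlResult("AC-1", "Access control", "critical", True),
                   ControlResult("AC-2", "Access control", "high", True),
                   ControlResult("AC-3", "Access control", "low", False),
                   ControlResult("CR-1", "Cryptography", "critical", False)],
    "supplier_c": [ControlResult("AC-1", "Access control", "critical", False),
                   ControlResult("AC-2", "Access control", "high", False),
                   ControlResult("AC-3", "Access control", "low", True),
                   ControlResult("CR-1", "Cryptography", "critical", False)],
}

if __name__ == "__main__":
    print("profile:", risk_profile("confidential", "storage", "onsite"))
    for name, res in SAMPLE_ASSESSMENTS.items():
        print(name, compliance_level(res))
    for dom in ("Access control", "Cryptography"):
        print(dom, domain_benchmark(SAMPLE_ASSESSMENTS, dom))
```

In the sample, supplier_b fails a critical control but still passes other critical and high controls, so it lands on Level 4 rather than Level 5; the benchmark for Access control reports one of three suppliers fully compliant and the two partially compliant ones passing half of their controls between them, which is the kind of per-domain figure plotted on slide 14.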

23 The state digital third party risk management framework
Management – Reporting – Support
Third party audit management; Metrics; Policies & Standards; Third party inventory; Third party profiling; Generation; Third party policy definition; Risk assessment; Evidence gathering; Analysis; Contractual guidelines; Report generation; Third party mitigation plan; Action plan definition; Training & awareness; Remediation; Support & Follow-up; Remediation support; Evidence gathering; Verification; Process Improvement
- Add an arrow that shows a trending even higher for your supplier

24 How do I apply this?

25 Apply what you have learned today
Based on your risk profile, identify your critical third parties
Use the top 10 security controls list to open conversations
Incorporate the top 10 security controls into your next audit cycle
Generate metrics, benchmark your third parties, and create internal awareness with them
Incorporate security requirements (liability, fourth parties) into your contracts
- Get rid of the overwritten title
- Too much content on the slide.

26 Apply what you have learned today
Follow the internal procurement process and evaluate the cyber risk from the beginning
Perform due diligence with new third parties to understand their cybersecurity maturity level
Define communication processes to deal effectively with security incidents
Perform continuous process validation and verification
Improve your lifecycle third party risk management program 25

27 Q&A Leonel Navarro, PMP, CISSP, CISM, ISO27001LA Softtek @SofttekSecurity
