How many third parties have access to your network, your applications, and your data? How well do their security controls stack up against yours? As reliance on third-party service providers continues to increase, our ability to monitor and manage those relationships needs to keep pace. This presentation provides tips, tricks, and tools you can use to implement an effective third-party risk management program.
3. One Step at a Time
▫ Securing Executive Buy-In
▫ Identifying Your Third Parties
▫ Prioritizing Your Assessments
▫ Conducting Initial Assessments
▫ Ongoing Management
▫ Automation
▫ Further Reading
5. Target Isn’t Alone
▫ “According to the 2013 Trustwave Global Security Report on 450 global data breach investigations, 63% were linked to a third-party component of IT system administration.”
▫ From http://www.computerweekly.com/news/2240178104/Bad-outsourcing-decisions-cause-63-of-data-breaches
9. Prioritizing Your Assessments
Image from http://www.isaca.org/Journal/archives/2006/Volume-5/Pages/JOnline-Understanding-Data-Classification-Based-on-Business-and-Security-Requirements1.aspx
11. Identifying Your Third Parties
▫ Document your assessment phases
▫ Document your question set
▫ Track assessments like engagements/projects
12. Are You Asking Me, or Telling Me?
▫ Shared Assessments – https://sharedassessments.org/
▫ Cloud Security Alliance Cloud Controls Matrix – https://cloudsecurityalliance.org/
▫ SANS CIS Critical Security Controls – https://www.sans.org/critical-security-controls
▫ NIST 800-53 rev4 – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
▫ ISO 27002:2013 – http://www.iso.org/iso/catalogue_detail?csnumber=54533
▫ Common Sense Security Framework (CSSF) – http://www.commonsenseframework.org/
13. Learn to Love the Attestation
You Do This
▫ Security Risk Assessment
You Ask For These
▫ Security Controls Assessment
▫ Technical Vulnerability Assessment
▫ Privacy Assessment
▫ Compliance Assessment
▫ Penetration Test
▫ IT Audits
14. Don’t Fear the OSINT
▫ Google Finance
▫ LinkedIn
▫ Chronology of Data Breaches
▫ PasteBin
▫ Qualys SSL Server Test
▫ Mozilla Observatory
▫ PunkSPIDER
▫ Shodan
▫ Censys
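Two of the tools on this slide, the Qualys SSL Server Test and the Mozilla Observatory, grade a vendor's public-facing site from the outside, with no cooperation from the vendor needed. The script below is an added example written for this page; it is not the deck's material and not either tool's own scoring logic. It applies an Observatory-style check to saved response headers so it runs offline against, for instance, the output of `curl -sI https://vendor.example`. The two response heads, the 180-day HSTS threshold and the severity labels are this example's own constructions.

```python
"""Added example (not from the deck, not Observatory's or SSL Labs' code):
an Observatory-style check of a vendor's HTTP response headers that runs
offline against saved headers. Thresholds and severities are assumptions."""

# Constructed response head for a hypothetical vendor site (weak settings).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure
"""

# The same site with the settings this check expects (also constructed).
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

MIN_HSTS_AGE = 15552000  # 180 days; an assumed minimum, not a standard

def parse_headers(raw):
    """Return (status_line, [(lower_name, value), ...]) from a raw response head."""
    lines = raw.strip("\n").splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; ignore any body
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), headers

def get_all(headers, name):
    return [v for n, v in headers if n == name.lower()]

def get(headers, name):
    vals = get_all(headers, name)
    return vals[0] if vals else None

def parse_directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip()
    return out

def parse_csp(value):
    """CSP sources are space-separated: {'script-src': ["'self'", "'unsafe-inline'"]}"""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def check_headers(raw):
    """Return [(severity, finding), ...]; an empty list means nothing was flagged."""
    _, h = parse_headers(raw)
    findings = []
    hsts = get(h, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("high", "no Strict-Transport-Security header"))
    else:
        d = parse_directives(hsts)
        age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if age < MIN_HSTS_AGE:
            findings.append(("medium", f"HSTS max-age {age} below {MIN_HSTS_AGE}"))
        if "includesubdomains" not in d:
            findings.append(("low", "HSTS lacks includeSubDomains"))
    csp = parse_csp(get(h, "Content-Security-Policy") or "")
    if not csp:
        findings.append(("medium", "no Content-Security-Policy header"))
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append(("medium", "CSP allows 'unsafe-inline' scripts"))
    # Either CSP frame-ancestors or X-Frame-Options counts as clickjacking protection.
    if "frame-ancestors" not in csp and get(h, "X-Frame-Options") is None:
        findings.append(("medium", "no clickjacking protection (frame-ancestors or X-Frame-Options)"))
    if (get(h, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    for cookie in get_all(h, "Set-Cookie"):
        attrs = parse_directives(cookie)  # cookie attributes use the same ; k=v shape
        cookie_name = cookie.partition("=")[0].strip()
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            findings.append(("medium", f"cookie {cookie_name!r} lacks {', '.join(missing)}"))
    return findings

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(resp))
```

Run it against a vendor's saved headers before the questionnaire goes out; findings that contradict the vendor's attestation are exactly the items to put on the follow-up call.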
17. Getting Ahead of the Curve
▫ Lock down your internal data classification procedures.
▫ Identify a process-oriented employee who can own/manage this process.
▫ Start talking to IT Vendor Risk Management vendors.
▫ Document a question set that’s relevant to your organization (framework).
▫ Add a security/risk assessment requirement to your purchasing process/form.
18. Further Reading
▫ Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
▫ http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
▫ Verizon 2015 Data Breach Investigations Report
▫ http://www.verizonenterprise.com/DBIR/2015/
▫ NAVEX Global Definitive Guide to Third Party Risk Management
▫ http://www.navexglobal.com/en-us/resources/ebooks/definitive-guide-to-third-party-risk
Talk to Accounts Payable
SOMEONE’S getting paid
Survey your end users
“Which websites do you log in to in order to do your job?”
Review your outbound Internet traffic logs
Web traffic (cloud service logins)
SFTP/SSH traffic (commonly used for secure file transfers)
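Reviewing outbound logs only helps if the raw hits are collapsed into a list of vendors you can reconcile against what Accounts Payable and the user survey turned up. The following is an added example, not code from the presentation: it parses a constructed proxy/firewall export (one connection per line: timestamp, user, source IP, destination host, port, protocol), buckets destinations by registrable domain, tags the channel as web or SSH/SFTP, and reports which domains are not yet in a hypothetical vendor inventory. The sample log lines, the inventory and the ignore list are all made up for the illustration, and the domain collapsing is naive (last two labels), so ccTLDs such as co.uk would need the Public Suffix List.

```python
"""Added example: mine outbound traffic logs for third-party services.
Not code from the presentation. The log format below is constructed:
    <timestamp> <user> <src_ip> <dst_host> <dst_port> <proto>
A real proxy/firewall export needs its own parser in place of LINE_RE."""
from collections import defaultdict
import re

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2015-06-01T08:02:11Z jsmith 10.1.4.22 app.salesforce.com 443 tcp
2015-06-01T08:05:40Z jsmith 10.1.4.22 login.salesforce.com 443 tcp
2015-06-01T08:07:02Z mlee 10.1.4.31 sftp.payrollvendor.example 22 tcp
2015-06-01T08:09:55Z mlee 10.1.4.31 www.google.com 443 tcp
2015-06-01T09:12:03Z akhan 10.1.5.10 secure.expensetool.example 443 tcp
2015-06-01T09:13:47Z akhan 10.1.5.10 sftp.payrollvendor.example 22 tcp
2015-06-01T09:20:00Z jsmith 10.1.4.22 intranet.corp.example 443 tcp
2015-06-01T10:00:01Z svc-backup 10.1.9.5 backup.storagevendor.example 22 tcp
2015-06-01T10:01:30Z mlee 10.1.4.31 app.salesforce.com 443 tcp
"""

# Assumption: our own domain and ubiquitous sites are not treated as vendors.
IGNORE_DOMAINS = {"corp.example", "google.com"}
# Hypothetical existing vendor inventory, keyed by registrable domain.
KNOWN_VENDORS = {"salesforce.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<port>\d+) (?P<proto>\S+)$"
)

def registrable_domain(host):
    """Collapse a hostname to its last two labels. Naive: fine for .com/.example,
    wrong for ccTLDs like co.uk, which need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec

def classify(rec):
    """Bucket a connection into the channels the deck calls out."""
    if rec["port"] in (80, 443):
        return "web"
    if rec["port"] == 22:
        return "ssh/sftp"
    return "other"

def find_third_parties(log_text, known=KNOWN_VENDORS, ignore=IGNORE_DOMAINS):
    """Return {domain: {"channels": set, "users": set, "hits": int, "status": str}}
    for every external domain seen; status is 'known' or 'unregistered'."""
    report = defaultdict(lambda: {"channels": set(), "users": set(), "hits": 0})
    for rec in parse_log(log_text):
        dom = registrable_domain(rec["host"])
        if dom in ignore:
            continue
        entry = report[dom]
        entry["channels"].add(classify(rec))
        entry["users"].add(rec["user"])
        entry["hits"] += 1
    for dom, entry in report.items():
        entry["status"] = "known" if dom in known else "unregistered"
    return dict(report)

def unregistered_vendors(log_text, known=KNOWN_VENDORS, ignore=IGNORE_DOMAINS):
    """Domains missing from the inventory, most-used first, then alphabetical."""
    rep = find_third_parties(log_text, known, ignore)
    return sorted((d for d, e in rep.items() if e["status"] == "unregistered"),
                  key=lambda d: (-rep[d]["hits"], d))

if __name__ == "__main__":
    for dom, e in sorted(find_third_parties(SAMPLE_LOG).items()):
        print(f"{dom:28} {e['status']:12} hits={e['hits']} "
              f"users={len(e['users'])} via={','.join(sorted(e['channels']))}")
```

The SSH/SFTP bucket deserves a separate look: a service account pushing files to a host nobody in Accounts Payable recognises is the kind of third party this exercise is meant to surface.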
Document Your Assessment Phases
Engagement Phase – Define scope, define rules of engagement, exchange information
Assessment Phase – Review information, identify threats, estimate risk
Review Phase – Document findings, make recommendations, present report for approval
Document Your Question Set
How much is too much?
What is your internal security/compliance framework?
NIST (FISMA), ISO 27000 Series, PCI, HIPAA
Track assessments like engagements/projects
Task owners, due dates, milestones
Frequency?
Low Priority = Annually
Medium Priority = Semi-Annually
High Priority = Quarterly
What’s changed?
Business model
Operating environment/locations
Technology stack
Vendor’s partners
AUTOMATE ALL THE THINGS!!!
Consider deployed technologies
GRC Solution (Governance, Risk, and Compliance)
Service Desk Solution
IT Vendor (& Cloud) Risk Management
Prevalent - http://www.prevalent.net/
Skyhigh Networks - https://www.skyhighnetworks.com/
BitSight - https://www.bitsighttech.com/