How many third parties have access to your network, your apps, your data? How well do their security controls stack up against yours? As our reliance on third party service providers continues to increase, our ability to monitor and manage those relationships needs to keep pace. This presentation will provide you with tips, tricks, and tools you can use to implement an effective third party risk management program.

1. Implementing an
Effective Third Party
Risk Management
Program

2. Who am I? Jerod Brennen
InfoSec Geek
Security Architect, GBQ Partners
Alphabet Soup: CISSP, GWAPT, GWEB
@slandail
https://slandail.net/
https://gbq.com/
2

3. One Step
at a Time
▫ Securing Executive Buy-In
▫ Identifying Your Third Parties
▫ Prioritizing Your Assessments
▫ Conducting Initial Assessments
▫ Ongoing Management
▫ Automation
▫ Further Reading
3

4. $39.4
million
4

5. ▫“According to the 2013
Trustwave Global
Security Report on 450
global data breach
investigations, 63%
were linked to a third-
party component of IT
system administration.”
Target Isn’t
Alone
5
▫- From
http://www.computer
weekly.com/news/224
0178104/Bad-
outsourcing-decisions-
cause-63-of-data-
breaches

6. Verizon DBIR
6

7. Who’s In Scope?
7

8. Identifying Your
Third Parties
▫ Talk to Accounts Payable
▫ Survey your end users
▫ Review your outbound Internet
traffic logs
8

9. Prioritizing Your Assessments
9
Image from http://www.isaca.org/Journal/archives/2006/Volume-5/Pages/JOnline-
Understanding-Data-Classification-Based-on-Business-and-Security-Requirements1.aspx

10. Think Like an
End User
Confidentiality Integrity Availability
10

11. Identifying Your
Third Parties
▫ Document your assessment
phases
▫ Document your question set
▫ Track assessments like
engagements/projects
11

12. Are You
Asking Me, or
Telling Me?
Shared
Assessments
https://sharedasses
sments.org/
Cloud Security
Alliance Cloud
Controls Matrix
https://cloudsecurit
yalliance.org/
SANS CIS Critical
Security Controls
https://www.sans.or
g/critical-security-
controls
12
NIST 800-53 rev4
http://nvlpubs.nist.g
ov/nistpubs/Specia
lPublications/NIST.S
P.800-53r4.pdf
ISO 27002:2013
http://www.iso.org/
iso/catalogue_detail
?csnumber=54533
Common Sense
Security Framework
(CSSF)
http://www.commo
nsenseframework.or
g/

13. You Do This
▫ Security Risk
Assessment
Learn to Love
the Attestation
You Ask For These
▫ Security Controls
Assessment
▫ Technical
Vulnerability
Assessment
▫ Privacy Assessment
▫ Compliance
Assessment
▫ Penetration Test
▫ IT Audits
13

14. Don’t Fear the
OSINT
▫ Google Finance
▫ LinkedIn
▫ Chronology of Data Breaches
▫ PasteBin
▫ Qualys SSL Server Test
▫ Mozilla Observatory
▫ PunkSPIDER
▫ Shodan
▫ Censys14

15. Ongoing
Assessments
▫ Frequency?
▫ What’s Changed?
▫ Automate all the things!
15

16. Speaking of
Automation
▫ Prevalent
▫ Skyhigh Networks
▫ BitSight
16

17. Getting Ahead
of the Curve
▫ Lock down your internal data
classification procedures.
▫ Identify a process-oriented employee
who can own/manage this process.
▫ Start talking to IT Vendor Risk
Management vendors.
▫ Document a question set that’s relevant
to your organization (framework).
▫ Add a security/risk assessment
requirement to your purchasing
process/form.17

18. Further Reading ▫ Missed Alarms and 40 Million Stolen Credit Card
Numbers: How Target Blew It
▫ http://www.bloomberg.com/bw/articles/2014-
03-13/target-missed-alarms-in-epic-hack-of-
credit-card-data
▫ Verizon 2015 Data Breach Investigations Report
▫ http://www.verizonenterprise.com/DBIR/2015/
▫ NAVEX Global Definitive Guide to Third Party Risk
Management
▫ http://www.navexglobal.com/en-
us/resources/ebooks/definitive-guide-to-third-
party-risk18

19. 19
THANKS! Any questions?
You can find me at
▫ @slandail
▫ jbrennen@gbq.com