Managing Third Party Risk in the Now
Justine Lowe
Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.

Justine Lowe, Executive Director, Executive Advisory, Optiv
With more than 19 years of information risk and security experience, Lowe has developed a strong business understanding and the skills to reduce and respond to cyber risks to the business. Her core competencies include leadership, security policy and awareness, and governance, risk and compliance programs. Lowe is the former lead of policy, awareness and compliance for a big four firm, KPMG, where she had enterprise-wide responsibility for setting policy aligned to ISO 27001/2:2013 and ensuring that the KPMG firms worldwide and their third parties had the required information security and privacy controls. Her prior role at KPMG was as CISO for the Africa region, which included setting strategy, security incident management, secure application development and risk assessments.

MANAGING THIRD PARTY RISK
• Relationship with Third Party
• Third-Party Business Profile
• IT Controls Analysis

Current Practices & The Future
Growing Problem
• Sheer volume
• Costly third-party due-diligence
• Global regulatory requirements
• Data and privacy security breaches
• Fiduciary board - top of mind
Over 50% of all breaches come from third parties(1) (former and current service providers, consultants, suppliers and partners)
(1) Source: Key findings from The Global State of Information Security® Survey 2016
The Future
• Automation of manual processes
• Global scale
• Ability to make informed risk decisions
• Due-diligence matched to level of risk
• Single source for all third-party risk data
Third-Party Targeted Attacks
Parties in the chain: "Insider", "Trusted", "Outsourcer" (Supplier with Trusted Access, Service Provider, Your Business)
Third-Party Attacks
• Target of Opportunity: Breach a major supplier and you gain access to multiple companies' data
• Global Problem: A supplier anywhere in the world can be the cause of, or suffer from, a security breach
• Economic Conditions: Increased outsourcing and financial stress on third parties can lower defenses

Are You Responsible for a Breach at a Third Party?
Customers don't care about your business partners. They entrust you with the information.
Consequences: Loss of Customer Loyalty, Eroded Share Value, Increased Scrutiny, Litigation, Brand Damage, Lawsuits, Higher Audit Costs

Exploiting the "Trusted" Third Party
Path from the third party or "insider" to the attacker's target: Capture Login Credentials → External Facing Application → Use Credentials to Get Inside → Lateral Movement → Escalate Privileges → Critical Data
Actors and methods: Hacktivists, Criminal Orgs, State Sponsored

The TPRM Journey
Ad Hoc Program → Spreadsheet Based → Technology Hopeful → Lifecycle Focused → Risk Based / Data Centric
Ultimate goal is Risk Based/Data Centric, supporting the lifecycle with automation.
TPRM: Engaging at Every Level (strategic to tactical)
Program Level
• Business strategy and management
• Managed Service
Problems Level
• Program Development
• Integration product with intelligence
Project Level
• TPRM Intelligence Product Evaluation
• Product Deployment
• Manual assessment of a Third Party

The Five Steps of Third-Party Risk Lifecycle
1. Inherent Risk Evaluation (Portfolio Management): Consistently evaluate and classify inherent business risks
2. Technical Diligence (Risk Assessment): Assessment Automation and Scaling
3. Risk Reduction (Remediation): Tracking Validation; Remediation Management and Signoff
4. Monitoring and Reporting (Operational Visibility): Customizable Dashboard & Reporting
5. Renewal Management

Plan, Develop and Manage Third-Party Risk Programs
Discovery and Analysis: Maturity Assessment
• Program review
• High level gap
• Maturity assessment
• Program Roadmap
Program Development: Develop tool set
• Policy/standard
• Procedure
• Methodology
• Risk scoring
• Risk register
• Questionnaire
• Identify vendors
• Define assets
• Tier rank vendors
• Action plan
Risk Assessments
• Questionnaire development
• Interact with vendors
• Review questionnaires
• Onsite assessment as appropriate
• Analysis
• Findings and recommendations
Third Party Risk Managed Service
• Enterprise view of risk to provide consistent risk decisions
• Services reduce cost and resources necessary to manage third party risk
• Common process and structure based on best practices
• Monitor and manage vendor progress

Third-Party Contracts
• Restrictions on Outsourcing
• Security Service Level Agreement
• Breach Notification
• Security Safeguards
• Right to Audit
• Indemnification, Cyber Insurance, etc.
Relationship Exposure Inventory
• Relationship Exposure Inventory - Risk Register
• Maintain a relationship list (type and quantity)
• Relationship "Creep"
  • Due diligence is performed during the first contract
  • Relationship grows over time
  • Increased liability without updating the risk exposure metrics

Business Profile Risk
• Purpose: Who is the Third Party?
• Understand the Risk of Doing Business With the Third Party: Financial Strength/Credit Risk, Regulatory Oversight, Geopolitical/Economic Risk, Business Risk, Breach History, Crime, Legal Suit
• Most often performed outside of Information Security

Mapping Risk Tiers (Relationship Risk, Strategic Risk, Business Profile Risk)
                     Tier 1    Tier 2    Tier 3
Reputational Risk    High      Medium    Low
Transaction Risk     $$$$$     $$$$      $$$
Compliance Risk      High      Medium    Low
Data Privacy Risk    High      Medium    Low
Credit Risk          $$$$$     $$$$      $$$
Country Risk         High      Medium    Low
Other Risks          High      Medium    Low

Tiering Third Parties
Average enterprise has 1000s of third parties:
• Tier 1: 1.5% - 2%
• Tier 2: 6% - 8%
• Tier 3: 90% - 95%

Third Party Tiered Management
Columns: Tier 1, Tier 2, Tier 3
Rows: Annual Questionnaire; Control Validation (evidence); Site Visit; External Audit (e.g. SOC1); External pen tests; Internal pen tests; Documentation request
Cell values as extracted (row alignment lost): Extended, Standard, Full, Partial, Short, Yes, Yes, No, No, No, No, Yes, Yes, Full, Yes, Yes, Partial, Yes, No, Brief, No
The Annual Questionnaire row reads Extended / Standard / Short and the Documentation request row Full / Partial / Brief across Tiers 1 to 3; the remaining Full/Partial and Yes/No values belong to the other five rows.

Standardized Assessments (Control Assessments)
• Match Due-Diligence to Risk and Type of Service
  • Full Assessment - Large
  • Full Assessment - Light
  • Cloud Computing
  • Application Development
  • Call Center
  • Small Office
  • Single Person Office
• No Ambiguity
• How You Ask Questions is as Important as What You Ask

When to Review
• During the RFP / Evaluation Process
• When the Business Relationship Changes
• When the Business Risk Profile Changes
• When a Regulation Changes
• At Least Annually

Third-Party Risk Monitoring
Level 1 (unintrusive): Use web information as an indicator of the level of control maturity. Inputs shown: Threat Intelligence, Financial Data, External Third-Party Sites, Breach Reports, Economic Data, Social Data, M&A, Risk Reports, ERM
Level 2 (semi-intrusive): Direct interaction with the third party (people, process, tool): Maturity Assessments, Risk Assessment, Threat Modeling, Application Security; maturity of the security program across people, process and technology
Level 3 (intrusive): Direct interaction with technology: use technology to scan system configuration and controls

Third-Party Risk Management Solutions' Mission
Plan: Determine the third-party risk management capabilities required by the business
Build: Develop the capabilities and governance for a cost effective program
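The tiering slides above (Mapping Risk Tiers, Tiering Third Parties, Relationship "Creep" and When to Review) describe a classification and a set of review triggers without showing how a program would apply them to a vendor inventory. The following is an added example, not code from the Optiv deck: it encodes the deck's seven risk dimensions and its rating scales, assumes that a vendor's tier is the most severe tier reached by any single dimension (the deck does not state a combination rule), and evaluates the When to Review triggers against a constructed, fictional portfolio. The vendor names, the `AS_OF` date and the "unrated dimension counts as Low" default are all assumptions.

```python
"""Vendor tiering and review-trigger helper.

Added example, not from the Optiv deck. It encodes the deck's risk dimensions
(Mapping Risk Tiers), its tier shares (Tiering Third Parties), the Relationship
"Creep" point and the "When to Review" triggers. The rule that a vendor's tier
is the most severe tier reached by any single dimension is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Per-dimension ratings from the deck, mapped to tiers (1 = highest risk).
RATING_TO_TIER = {
    "High": 1, "Medium": 2, "Low": 3,      # qualitative rows
    "$$$$$": 1, "$$$$": 2, "$$$": 3,        # Transaction Risk and Credit Risk rows
}

# The seven rows of the Mapping Risk Tiers slide.
DIMENSIONS = ("reputational", "transaction", "compliance",
              "data_privacy", "credit", "country", "other")

# Tier shares quoted on the Tiering Third Parties slide (percent of the portfolio).
EXPECTED_SHARE = {1: (1.5, 2.0), 2: (6.0, 8.0), 3: (90.0, 95.0)}

# Assumed "today" for the worked run below.
AS_OF = date(2016, 3, 1)


@dataclass
class Vendor:
    name: str
    ratings: Dict[str, str]                 # dimension -> rating string
    last_review: Optional[date] = None      # None: never assessed
    relationship_changed: bool = False      # "creep": scope grew since the first contract
    risk_profile_changed: bool = False


def tier_for(vendor: Vendor) -> int:
    """Assumed rule: the vendor sits in the most severe tier any dimension reaches."""
    worst = 3
    for dim in DIMENSIONS:
        rating = vendor.ratings.get(dim, "Low")  # unrated dimension treated as Low (assumption)
        if rating not in RATING_TO_TIER:
            raise ValueError(f"{vendor.name}: unknown rating {rating!r} for {dim}")
        worst = min(worst, RATING_TO_TIER[rating])
    return worst


def review_reasons(vendor: Vendor, today: date, regulation_changed: bool = False) -> List[str]:
    """Return the 'When to Review' triggers that apply to this vendor right now."""
    reasons = []
    if vendor.last_review is None:
        reasons.append("initial due diligence (RFP / evaluation)")
    elif today - vendor.last_review >= timedelta(days=365):
        reasons.append("annual review due")
    if vendor.relationship_changed:
        reasons.append("business relationship changed")
    if vendor.risk_profile_changed:
        reasons.append("business risk profile changed")
    if regulation_changed:
        reasons.append("regulation changed")
    return reasons


def tier_shares(vendors: List[Vendor]) -> Dict[int, float]:
    """Percent of the portfolio in each tier, for comparison with EXPECTED_SHARE."""
    counts = {1: 0, 2: 0, 3: 0}
    for v in vendors:
        counts[tier_for(v)] += 1
    total = len(vendors) or 1
    return {t: round(100.0 * c / total, 1) for t, c in counts.items()}


# Constructed sample portfolio (fictional vendors).
SAMPLE = [
    Vendor("payroll-saas", {"data_privacy": "High", "transaction": "$$$$"},
           last_review=date(2015, 1, 10), relationship_changed=True),
    Vendor("print-shop", {"reputational": "Medium", "credit": "$$$"},
           last_review=date(2016, 2, 1)),
    Vendor("coffee-supplier", {}),  # never assessed
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.name, "tier", tier_for(v), "review:", review_reasons(v, AS_OF))
    print(tier_shares(SAMPLE))
```

The "highest dimension wins" rule is deliberately conservative: a single High on Data Privacy puts a vendor in Tier 1 even if every other dimension is Low, which matches the deck's point that relationship creep raises liability unless the risk exposure metrics are updated. A real program would also compare `tier_shares` against `EXPECTED_SHARE`; a portfolio with far more than 2% of vendors in Tier 1 usually signals over-broad rating rather than a genuinely riskier supplier base.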
Run: Manage the process and reporting to determine inherent risk, assess the controls and drive remediation

Optiv - A Full Service Security Firm
• Based in North America with Global Reach
• Formerly Accuvant and Fishnet Security
Advisory Services: Program strategy, Risk Management, Compliance, Penetration testing, Vulnerability assessment, Software security, Incident response, Cloud security, Identity access management
Architecture and Implementation: Planning and design, Identification and selection, Implementation and migration, Integration, Optimization, Product support
Applied Research: Solution research, Technical product research, Advanced research
Education and Awareness: End user security, Technology training, Secure development, Advanced security
Solution Architectures to Programmatic Blueprints

Questions?
[email protected]
www.optiv.com