Cover Slide. Third Party Risk and the Role of the Cyber Security/IT Risk Officer. Robert Satchmo Anderson

Similar documents
Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

FDIC InTREx What Documentation Are You Expected to Have?

Cybersecurity Auditing in an Unsecure World

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

ISE North America Leadership Summit and Awards

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

CYBERSECURITY RESILIENCE

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Cybersecurity Session IIA Conference 2018

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Security Principles for Stratos. Part no. 667/UE/31701/004

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Security Diagnostics for IAM

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

Securing Your Secured Data

MIS Week 9 Host Hardening

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Compliance Audit Readiness. Bob Kral Tenable Network Security

QuickBooks Online Security White Paper July 2017

INTELLIGENCE DRIVEN GRC FOR SECURITY

Run the business. Not the risks.

locuz.com SOC Services

COMPLIANCE IN THE CLOUD

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Effective Strategies for Managing Cybersecurity Risks

Defense in Depth Security in the Enterprise

Auditing the Cloud. Paul Engle CISA, CIA

Automating the Top 20 CIS Critical Security Controls

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Designing and Building a Cybersecurity Program

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Cloud Transformation Program Cloud Change Champions June 20, 2018

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

the SWIFT Customer Security

Certified Information Security Manager (CISM) Course Overview

Sirius Security Overview

Tips for Passing an Audit or Assessment

Data Classification, Security, and Privacy

Locking Down the Cloud Security is Not a Myth

Security Architecture

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

FISMAand the Risk Management Framework

HITRUST Common Security Framework - Are you prepared?

Protecting your data. EY s approach to data privacy and information security

Balancing Between Risk and Compliance

Cloud Security Whitepaper

Building a Resilient Security Posture for Effective Breach Prevention

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls

Cybersecurity Overview

Exploring Emerging Cyber Attest Requirements

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Twilio cloud communications SECURITY

Cybersecurity The Evolving Landscape

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Rethinking Information Security Risk Management CRM002

Session ID: CISO-W22 Session Classification: General Interest

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

IT-CNP, Inc. Capability Statement

ISE Canada Executive Forum and Awards

Sage Data Security Services Directory

What It Takes to be a CISO in 2017

Interpreting the FFIEC Cybersecurity Assessment Tool

Device Discovery for Vulnerability Assessment: Automating the Handoff

The NIST Cybersecurity Framework

Suma Soft s IT Risk & Security Management Solutions for Global Enterprises

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Granted: The Cloud comes with security and continuity...

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

WORKSHARE SECURITY OVERVIEW

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Awareness Technologies Systems Security. PHONE: (888)

The Convergence of Security and Compliance

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Cloud Customer Architecture for Securing Workloads on Cloud Services

Treasury IT Overview February 14, 2019

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017

Peer Collaboration The Next Best Practice for Third Party Risk Management

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Cyber Security Technologies

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Information Technology General Control Review

IT Attestation in the Cloud Era

Understanding and Evaluating Service Organization Controls (SOC) Reports

The Business of Security in the Cloud

Access Governance in a Cloudy Environment. Nabeel Nizar VP Worldwide Solutions

Copyright 2011 EMC Corporation. All rights reserved.

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Streamlined FISMA Compliance For Hosted Information Systems

Transcription:

Cover Slide Third Party Risk and the Role of the Cyber Security/IT Risk Officer Robert Satchmo Anderson

Overview Third Party Risk Management (TPRM) (vendor management, new acquisitions, and joint ventures), Fourth Parties, and Fifth Parties Stop the Madness!!!! Cyber Security/Information Security Risk Tools to aid in Risk Analysis Risk Analysis How to be successful (Understand the threats, vulnerabilities and controls Defensive measures) 2

Satchmo s Mil-Civ Translation (Business to IT translation coming soon ) DOD Civilian World Vendor DISA, contractor, unit Vendor 3 rd Party DISA, NSA, DLA, etc Contracted out service 4 th Party ISP (subcontracted) Maybe cloud based 5 th Party Local provider/generator Local provider/generator New Acquisition Newly activated unit Company X Joint (combined) Venture KFOR network Integrating Company Y My goal: Identify and highlight TP risks; in order to, understand and mitigate the risks associated with security and controls 3

Cyber Security and Information Risk (When the business cares) Reputational Risk (New Acquisition)--$$$ Strategic Risk-- Credit Risk Liquidity Risk Legal/compliance Risk (New Offering-China) Operational Transactions Risk from Supply chain risk **Taken from the FFIEC IT Examination Handbook Info Base Frameworks include: COBIT, ITIL and ISO Risk Mgt framework (RMF) for DoD IT formerly DIACAP operating under FISMA and NIST 800-37 4

Risk Analysis Who are Third Parties? New unit standup, military partner (combined operations), financial partners, Uniformed service (Air Force Space Command) or a unit command Anyone providing you a product or a service Corporate vendors are Amazon Web services, Azure, Oracle, anything you contract out for SaaS, PaaS, IaaS Know and understand the threats, vulnerabilities and controls Know the risk appetite (what is expected, what data is flowing, internet accessible, security tiers, etc.) Bottom line: Do the gumshoe work. SIG analysis, trust but verify read logs, analyze signatures, look at the AD groups, bring in audit friends for a full exploration of the vendor 5

Tools in Risk Analysis Risk Registers (Archer) Authoritative sources Regulatory requirements (To Policy, to Standard, to Tasks to complete) annotate, revisit, document, ratings, plus Vulnerability Scans, App scans, and Penetration Tests (dig deep) Payment card industry-qualified security assessors reports Service organization control reports (SOC 2 Type 2) Show and prove Automated reports (AV, Patching, asset mgt) Accurate inventory! 6

Tools in Risk Analysis Others--Interviews, Diagrams, screen captures, etc Standardized Information Gathering (Santa Fe Group) Vendor Risk Management maturity model (your own Santa Fe Group) Cyber protection teams should incorporate most of the above, COCOMs should understand the 3 rd, 4 th and 5 th party relationships and the potential effect to military operations (Good luck) Provide your TLAs your intel requirements have them give you threat based intel (works at the Company too ) 7

Risk Analysis Who: Qualified, certifed, common sense, cyber security guru (generalist) What: Identify, define and validate the risk When: Constantly Where: on-site, off-site, cyberspace Why: Capture and assess the risk; Identify and Propose risk reduction options How: Everything you can get your hands on 8

Oh, Math hurts Elements in your risk calculus (Understand the risk appetite first) Business 1 st Architecture and design (tiers, restricted, internet facing) Human Resources (new employees, seasoned, clueless) Risk Management (SOPs, guidelines, concrete, enterprise, business) Asset Management (What is known, where, who is watching it) Identity and Access Management (multi-factor, Active directory, RSA-tokens) Key Management (dynamic vs static, rotated) 9

More Math Elements in your risk calculus Data Security (encrypted at rest, back end secure, TLS 1.2) Endpoint (USBs allowed, AV, patched, etc) Apps (Secure development, QA, separation of duties) Network (segmented, VLANs, ACLs) Physical security (cameras (IP or CCTV), private/public PCI, guards) Vuln Mgt (How often, criticality, can they spell it?) Change Mgt (Is it practiced, accountable, verifable) Incident Mgt (Planned, Go-kit packed, HMFIC, exercised) DR/BCP (Plan, business impact analysis, exercised) 10

How to be successful Know the risk appetite and adhere to it Identify and allocate appropriate resources to the TPRM program (legal, financial, Cyber Security, auditors, etc) Ensure senior management is on-board with a governance framework based upon risk and compliance develop policies, standards, SOPs, and site visit checklists Ensure linkages between audit, TPRM and cyber security to ensure gaps aren t present Don t be steamrolled, don t do business as it has always been Play nice in the sandbox (Internally) Dig deep (externally) visit the site, read the policies, understand data flow and architecture, DR/BCP, read the SIG (yawn) 11

How to be unsuccessful Poor contracting without metrics, SLAs, etc Lack resources (technical, audit, vendor mgt personnel) Unfettered access to data by the Vendor Poor adherence to polices, standards, outside compliance Undefined processes, none or little governance, lack of priority, no data classification standards Stay at home Not watching Security/Sys Admins 12

Where to go for info (depends what you are looking for) digitaltransactions.net/issues/current/ securitywizardry.com/ secureworks.com/ iso.org/iso/home.html nist.gov/index.html ssae-16.com/ ithandbook.ffiec.gov/ isaca.org/pages/default.aspx 13

Questions Robert.satchmo.anderson@gmail.com 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback