Trust But Verify - Third Party Risk Management
ANITIAN: intelligent information security
MEET THE SPEAKER – ANDREW PLATO
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions
Vision: Security makes the world a better place.
Mission: Building great security leaders.
We deliver security and threat intelligence via a range of services:
• Risk assessment
• Compliance (PCI, HIPAA, NERC, etc.)
• Application security
• Penetration testing
• Incident response / forensics
• Security controls integration
• Managed threat intelligence and risk assessment
OVERVIEW
Intent
• Discuss the challenges of third party risk management
• Define strategies to inventory, classify, and assess third parties
Assumptions
• This is a gigantic topic, we cannot cover it all
• Our focus is IT-centric, but the concepts apply everywhere
• Our approach is innovative and new
THE THIRD PARTY RISK CHALLENGE
• How do we:
• Trust better?
• Verify that trust, honestly?
• Manage the complexity of third party vendors?
• Answer: Trust, but verify
RELATIONSHIPS VS REGULATION
Third Party TRUST Management
• Foundation of trust
• Values relationships
• Flexible, but structured
• Trusts, but verifies
Third Party RISK Management
• Foundation of suspicion
• Values compliance
• Rigid, creates impediments
• Does not trust, attempts to verify
TRUST MANAGEMENT BASICS
1. Inventory / Classify
2. Define Trust Levels
3. Assess (So What?)
WHAT DO YOU HAVE?
Services
• Developers
• Resellers
• Managed services
• Contractors and contingent staff
• Consultants
• Financial services / payment processors
• HR services (benefits, recruiters, background checks)
• Legal, accounting, marketing, etc.
WHAT DO YOU HAVE? (2)
• Cloud
• SaaS (Office365, Salesforce, Airwatch, etc.)
• IaaS / PaaS (AWS, Rackspace, Azure, etc.)
• Storage (Box, OneDrive, etc.)
• Traditional Software
• Hardware
• Development components (libraries, Wordpress, etc.)
• Business partners (IR providers, telecom, etc.)
• Business alliances
• Facilities
CLASSIFY
• Gather initial list to produce a “best guess” inventory
• Organize into logical categories
• Software
• Hardware
• Services
• Vendors
• Facilities
• Who...
• Owns them?
• Uses them?
• Manages them?
• Why do you have them?
LET’S TALK ABOUT INVENTORY
• Have discussions with business process owners to validate items
• Why do we have this relationship (rationale)?
• How important is this relationship to the company?
• Validate the owner and relevant custodians
• What access do they have? Need?
• What do you share with them?
• How could they hurt us?
• Are there service level agreements? What are they?
• Who are the contacts?
• How was the vendor selected?
• How much leverage do we have with them?
• Avoid sending around spreadsheets
THIRD PARTY INVENTORY
• Document all your data in a matrix
• This is just for documenting the vendors, not for risk assessment
• Typical data you want to capture in this inventory:
• Name
• Type
• Description
• Rationale
• BPO
• Custodian
• Importance
• Access
• Trust level
• Controls
• SLAs
• Term
• Applicable regulations
• Add to this as you see fit
TRUST LEVELS?
• A simplified classification of trust relationships
• Helps organize and assess risk more efficiently
• Easy to communicate
• Key questions:
• How important to the business is the vendor?
• How sensitive is their access?
PLOT ACCESS VS IMPORTANCE
[Figure: 2x2 plot. X axis: Sensitivity of Access (low to high). Y axis: Importance to Business (low to high). Quadrants: Low access / Low importance = Informal; High access / Low importance = Partner; Low access / High importance = Trusted; High access / High importance = Strategic Partner.]
RISK MANAGEMENT ACTIVITIES
• Risk assessment efforts mapped to each level
• Examples:
• Independent risk assessment
• Request for information (RFI)
• Technical testing (penetration testing, code review, etc.)
• Contractual assurances
• On-site walk through
• Named insured
• Third party assurances (SOC2, ISO, etc.)
• Compliance certifications (PCI, HIPAA/HITRUST, NERC, etc.)
• Review cycle
• Financial guarantees (bonds, etc.)
MAP RISK ACTIVITIES TO LEVELS
Strategic Partner
• Independent risk assessment
• Technical testing
• Contract assurance
• Quarterly review
• Monitoring plan
• Named insurance
Partner
• Table-top risk assessment
• In-house technical testing
• Contract assurance
• Annual review
Trusted
• RFI
• Contract assurance
• Biannual review
Informal
• None
• Biannual validation
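The plot and the activity mapping above can be made mechanical, so that the trust level and the review schedule are derived from the inventory rather than decided vendor by vendor. The following Python is an added example, not code from the deck or from Anitian. It takes a constructed inventory in the columns of the inventory matrix (name, type, importance, access, last review), assigns each vendor its quadrant, attaches the activities mapped to that level, and flags reviews that are overdue. Assumptions: importance and access are rated low or high; the quadrant-to-level assignment is read from the Access vs Importance plot; "biannual" is taken to mean every two years, since the deck orders the cycles quarterly, annual, biannual by decreasing rigor; the vendor names and dates are invented.

```python
"""Derive trust level, mapped risk activities and review due dates from a
third-party inventory. Added illustration; not part of the original deck."""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Trust level per quadrant of the Access-vs-Importance plot, as read from the
# slide: key is (importance to business, sensitivity of access).
TRUST_LEVEL = {
    ("low", "low"): "Informal",
    ("low", "high"): "Partner",
    ("high", "low"): "Trusted",
    ("high", "high"): "Strategic Partner",
}

# Activities mapped to each level on the "Map risk activities to levels" slide,
# and the review cycle in days. "Biannual" is read as every two years (assumption).
ACTIVITIES = {
    "Strategic Partner": ["Independent risk assessment", "Technical testing",
                          "Contract assurance", "Monitoring plan", "Named insurance"],
    "Partner": ["Table-top risk assessment", "In-house technical testing",
                "Contract assurance"],
    "Trusted": ["RFI", "Contract assurance"],
    "Informal": ["Validation only"],
}
REVIEW_DAYS = {"Strategic Partner": 91, "Partner": 365, "Trusted": 730, "Informal": 730}


def trust_level(importance: str, access: str) -> str:
    """Classify a vendor from its two inventory ratings. An unrated or
    mis-typed vendor raises instead of silently landing in Informal, the
    level that gets the least scrutiny."""
    key = (importance.strip().lower(), access.strip().lower())
    if key not in TRUST_LEVEL:
        raise ValueError(f"importance/access must be 'low' or 'high', got {key}")
    return TRUST_LEVEL[key]


def assessment_plan(vendor: dict, today: date) -> dict:
    """Attach level, activities and next review date to one inventory row."""
    level = trust_level(vendor["importance"], vendor["access"])
    last = (vendor.get("last_review") or "").strip()
    if last:
        next_review = date.fromisoformat(last) + timedelta(days=REVIEW_DAYS[level])
    else:
        next_review = today  # never reviewed: due immediately
    return {
        "name": vendor["name"],
        "level": level,
        "activities": ACTIVITIES[level],
        "next_review": next_review,
        "overdue": next_review <= today,
    }


def plan_inventory(csv_text: str, today: date) -> list[dict]:
    """Run every row of a CSV inventory (header row required) through the plan."""
    return [assessment_plan(row, today) for row in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample inventory: names and dates are invented for illustration.
SAMPLE_INVENTORY = """\
name,type,importance,access,last_review
Acme Payments,Service,high,high,2015-09-01
Cloud CRM,SaaS,high,low,2014-03-01
Contract Dev Shop,Service,low,high,2016-01-05
Office Plants Co,Service,low,low,2015-01-10
Temp Staffing Agency,Service,low,high,
"""

if __name__ == "__main__":
    for p in plan_inventory(SAMPLE_INVENTORY, date(2016, 6, 15)):
        flag = "OVERDUE" if p["overdue"] else "ok"
        print(f'{p["name"]:22} {p["level"]:18} next review {p["next_review"]} {flag}')
```

Two checks worth keeping when adapting this: a vendor with no recorded review is reported as due today rather than dropping off the schedule, and a row with a rating outside low/high stops the run, because a typo in the inventory should not quietly demote a payment processor to "no assessment".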
FLEXIBILITY IS IN THE PLOT
[Figure: the Access vs Importance plot repeated, with the four quadrants Informal, Partner, Trusted and Strategic Partner.]
INDEPENDENT TESTS AND CERTIFICATIONS
• Compliance standards are useful (PCI, HIPAA)
• Frameworks (ISO, NIST)
• Financial audits
• Third party assessors (like Anitian)
• Security tests (penetration tests)
• Are they honest?
• Do they add up?
• Does the level of risk match the importance of the relationship?
QUESTIONNAIRES / RFI
• Never ask YES/NO questions
• Make them describe how they do things
Question | Description | Answer
Data protection | Describe the methods used to encrypt sensitive data. |
Access Control | How do you enforce least privileged access rights on users? |
Background Checks | How do you conduct background checks on employees? How often? |
RISK DIMENSIONS
What applies to the TPP?
• Compliance
• Financial
• Operational
• Security / Privacy
• Reputational
• Relational
• Transactional
• Physical
• Legal
WHAT ARE YOUR TOLERANCES?
• How important is the relationship to the business?
• How much impact do they have on you?
• How much leverage do you have?
• Don’t like how Big Company does things – tough
• Worried that Little Company is bankrupt – can you change that?
• Does the access match the importance?
• Who decides that?
• Does that person understand the risk?
DOCUMENT THE TOLERANCES
Dimension | Risk | Description | Tolerance | Remedy
Compliance | High | Vendor is not PCI compliant. They also have no independent certifications. | Temporarily | Require PCI compliance attestation within one year. Terminate vendor if not met by 6.15.2016.
Reputational | Low | Vendor is not in an industry that could cause the business much reputational risk. | Yes | None
RISK REDUCTION STRATEGIES
• More insurance
• More assurance
• Reduced access
• Alternative partners
• Data / service redundancies
• Require certifications
• Independent testing
• Drop vendor
• Accept the risk
RISK BRIEF
• Quick summary for leadership
• Keep it under one page
• Information to present:
• Vendor name
• Description of what they do
• Value of relationship
• Overall risk ranking
• Trust level
• Access required
• Sensitivity of access
• List of top risk dimensions
• Risk reduction recommendations
• Date of assessment
• List of artifacts (optional)
BALANCE
[Figure: TRUST at the center, balanced against four factors: Value of Relationship, Sensitivity of Access, Impact to Business, Leverage.]
DO I NEED A GRC PLATFORM?
• Archer, Lockpath, Metricstream, Rsam, etc.
• No, you can run an entire Third Party Risk program with spreadsheets and emails
• GRC platforms help with data management
• Do not buy one until you have a program in place
• Extremely time-consuming to set up
• Remember, questionnaires are your least trustworthy source of information
FINAL THOUGHTS
• This is an immense challenge, but we do it every day
• Independent validations = most reliable source
• Questionnaires = least reliable source
• Ask how and why questions, not yes/no
• Get out and speak to people face to face
• It is okay to tolerate risk
• Anitian can help you build this program
• Trust, but verify
THANK YOU
EMAIL: [email protected]
@andrewplato, @AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN