Vendor Risk – Cyber Security Perspective March 15th, 2017
Apr 12, 2017
P A G E 2
© 2016 Mafazo | All Rights Reserved
Introductions
Shannon Glass - Fisher
Practice Director, Information Security
Afidence
Max Aulakh
Information Security Professional
MAFAZO Cyber Security
Agenda
Business Case
Process Overview
Vendor Classification
Inherent Risk
Building your assessment
Manual Process
Process Automation
Monitoring Stage
Business Case | Headlines
Target Hackers Used Stolen Vendor Credentials
– Wall Street Journal, January 2014
Bank says a failure on vendor's part to correctly fix an identified instability within the bank's storage system led to the seven-hour service outage last week.
– By Eileen Yu, ZDNet Asia on July 14, 2010
New York Tightens Screws on 3rd Party Cyber-Risk
– By Chris Kentouris, FinOps Report on March 8, 2017
“It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.”
– NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks, 10/21/14
Business Case | Regulatory Pressure
1996: HIPAA passed
Jul 2001: GLBA
Nov 2001: OCC Bulletin 2001-47
May 2002: OCC Bulletin 2002-16
Aug 2003: CA Privacy, SB 1386
May 2007: HF 1758, MN Plastic Card Security Act
Nov 2009: HITECH Act
Jan 2010: NRS 603, NV Data Security
Mar 2010: 201 MA Code Reg 17
Jul 2010: WA HB 1149
Jan 2011: PCI DSS 2
Mar 2012: CFPB Bulletin 2012-03
Mar 2013: Omnibus HIPAA Rule
Oct 2013: OCC Bulletin 2013-29
May 2014: PCI DSS 3
Oct 2016: DFARS 204.73
3rd parties are a major source of data breaches!
Companies often face direct financial impact!
Vendor Risk Process Overview
Inventory Vendors
Classify Vendor
Assessment Type
Coordinate
Self Assess / Review On Phone / Review On Site
Generate Issues
Finalize Corrective Plan
Monitor
Vendor Classification
• A classification scheme allows you to:
✓ Prioritize your vendors
✓ Build a relevant assessment for a particular vendor
✓ Understand the inherent risk posed by your vendors
✓ Use a flexible scoring system/model
• Many schemes exist, built from several factors:
• Total spend
• Financial performance
• Criticality of the vendor’s service to the continuation of the client’s services
• Critical data being shared
Vendor Classification | Inherent Risk
Strategic Factors: High / Medium / Low
Vendor Criticality: High / Medium / Low
Regulations: HIPAA Business Associate / SOX 404 / DFARS
Type: Cloud / On-Prem / Development
Data Amount: 100–200 Records / 200–300 Records / 1000–2000 Records
Assessment Building
Free Control Inventories
◦ NIST Cyber Security Framework
◦ NIST Risk Management Framework (900+ Controls)
◦ HIPAA Security Rule
◦ FedRAMP
◦ Custom Controls
◦ FFIEC Framework
◦ IT Examiner Handbook
Lower cost inventories (almost free)
◦ ISO 27000
◦ PCI-DSS
Overpriced Controls Data
◦ Shared Assessment/SIG
◦ Unified Compliance
◦ HITRUST
“a firm’s level of cybersecurity is only as good as the security of its vendors.”
Building an Assessment
Most vendors are assessed based on “standardized questions”.
◦ Would you ever ask a janitorial service if they have a Chief Security Officer?
Too many questions that are not relevant incentivize the vendor to “quickly” get through the assessment so they can conduct business.
Take vendor “fatigue” into consideration.
Assessment Auto-Tailoring
Software can automate much of this work: not only building the assessment, but also choosing the type of questions you should be asking.
Certain industries require some standardized questions regardless of the size of the vendor – FedRAMP, for example.
Too many questions that are not relevant incentivize the vendor to “quickly” get through the assessment so they can conduct business.
Take technical stack elements (database, operating systems, etc.) into consideration when tailoring.
◦ Don’t just accept “ISO or PCI” certifications – those are generally siloed efforts, not global ones.
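The classification factors from the Inherent Risk slide and the auto-tailoring idea on this slide fit together as one small program: score the vendor on the five factors, map the score to a tier, pick the review type from the process flow (self-assessment, phone, on-site), and then keep only the inventory questions that apply to that tier, the vendor's regulatory obligations and its technical stack. The example below is added here and is not code from the talk or from the Tryump product; the point values, tier cut-offs, the tier-to-review mapping, the tag names and the eight-question inventory are all constructed assumptions. It also answers the janitorial-service question from the previous slide: a low-tier vendor that shares no data is never asked about a Chief Security Officer.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# NOTE: the point values, tier cut-offs, review mapping and question inventory
# below are constructed for this example; they are assumptions, not the talk's model.

LEVEL_POINTS = {"low": 1, "medium": 2, "high": 3}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}
REVIEW_TYPE = {"low": "self-assessment", "medium": "phone review", "high": "on-site review"}


def data_points(records: int) -> int:
    """Points for the slide's record-count bands (0 if no data is shared)."""
    if records <= 0:
        return 0
    if records <= 200:
        return 1
    if records <= 300:
        return 2
    return 3


@dataclass
class Vendor:
    name: str
    strategic: str          # strategic factor: low / medium / high
    criticality: str        # criticality of the service to your operations
    regulations: set        # obligations that follow the data, e.g. {"hipaa_ba", "sox404", "dfars"}
    service_type: str       # cloud / on-prem / development / none
    records: int            # number of your records the vendor handles
    stack: set = field(default_factory=set)  # technical stack elements, e.g. {"database"}


def inherent_score(v: Vendor) -> int:
    """Additive inherent-risk score over the slide's five factors (weights assumed)."""
    score = LEVEL_POINTS[v.strategic] + LEVEL_POINTS[v.criticality]
    score += data_points(v.records)
    score += len(v.regulations)                       # each regulatory obligation adds a point
    if v.service_type in ("cloud", "development"):    # hosted or code-producing vendors carry more risk
        score += 1
    return score


def inherent_tier(score: int) -> str:
    """Map the score to a tier; the cut-offs are assumptions."""
    if score >= 8:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    min_tier: str = "low"          # lowest tier at which the question is asked
    tags: frozenset = frozenset()  # empty = asked of every vendor at or above min_tier


# Constructed inventory standing in for a control framework (NIST, HIPAA, etc.).
INVENTORY = [
    Question("Q1", "Is there a written information security policy?"),
    Question("Q2", "Is a named executive accountable for security?", "medium"),
    Question("Q3", "Are database backups encrypted at rest?", tags=frozenset({"database"})),
    Question("Q4", "Is a HIPAA Business Associate Agreement in place?", tags=frozenset({"hipaa_ba"})),
    Question("Q5", "Is the cloud environment segmented per customer?", tags=frozenset({"cloud"})),
    Question("Q6", "Are NIST SP 800-171 controls implemented for CUI?", tags=frozenset({"dfars"})),
    Question("Q7", "Was an independent penetration test done in the last 12 months?", "high"),
    Question("Q8", "Is each release subject to a security review?", tags=frozenset({"development"})),
]


def tailor(v: Vendor, inventory=INVENTORY) -> list:
    """Select only the questions relevant to this vendor's tier, obligations and stack."""
    tier = inherent_tier(inherent_score(v))
    applicable = set(v.regulations) | {v.service_type} | set(v.stack)
    chosen = []
    for q in inventory:
        if TIER_RANK[tier] < TIER_RANK[q.min_tier]:
            continue                                  # tier too low for this question
        if q.tags and not (q.tags & applicable):
            continue                                  # question does not apply to this vendor
        chosen.append(q)
    return chosen


def plan(v: Vendor) -> dict:
    """Classification output: tier, review type from the process flow, and the tailored question ids."""
    tier = inherent_tier(inherent_score(v))
    return {
        "vendor": v.name,
        "score": inherent_score(v),
        "tier": tier,
        "review": REVIEW_TYPE[tier],
        "questions": [q.qid for q in tailor(v)],
    }


if __name__ == "__main__":
    # Constructed sample vendors: a janitorial service and a cloud EHR provider.
    janitorial = Vendor("Janitorial Co", "low", "low", set(), "none", 0)
    cloud_ehr = Vendor("Cloud EHR SaaS", "high", "high", {"hipaa_ba"}, "cloud", 1500, {"database"})
    for vendor in (janitorial, cloud_ehr):
        print(plan(vendor))
```

Questions with no tags and `min_tier="low"` play the role of the "standardized questions required regardless of vendor size"; everything else is gated by tier, regulation or stack, which is what keeps the question count, and therefore vendor fatigue, proportional to inherent risk.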
Vendor Residual Risk
What if vendor cyber security risk (residual risk) remains too high after the assessment?
◦ Do you still conduct business with them?
What can we do to de-risk your vendors from a cyber security perspective?
◦ Supply chain experts use “The Beer Game” to illustrate the power of data sharing to manage product spikes & distribution, protecting both the vendor and the client.
Manual Assessment Process
1. Compliance Officer
› Manually extracts the NIST RMF or a custom controls list into MS Word or Excel (Framework/Spreadsheet 1)
2. Security Officer & Legal
› Select or create a security framework and link it to non-voluntary requirements
− SIG, NIST, etc.
› Output: Vendor Risk Requirements finalized (Spreadsheet 2)
3. Security Officer
› Creates multiple compliance spreadsheets
− 5–10 columns, 100–200 rows
− Multi-user input
4. Sent to Vendors (email system)
› Vendor reviews the spreadsheet
− Data collection
− Multiple inputs
Result: multiple spreadsheets
› By vendor
› By year
› By change
Automation
1 FTE is expected to manage the cyber risk of 1000+ vendors while managing everything else internally.
◦ What would you do if you had to manage the cyber security risk of hundreds of different vendors?
1 FTE is expected to build cyber assessments on the fly based on the “risk”.
◦ Look for the ability to build out any assessment from any control inventory.
Automation serves as a force-multiplier.
◦ Reduction of man-hours and reduction of errors
Vendor cyber security automation can be almost as easy as a “password reset self service”, but for your vendors.
◦ Incentivization
◦ Gaming engine to measure risk
Monitoring
Monitoring allows you to gather assessment trend data & breach data about your vendor.
Develop a plan for your vendor to reduce cyber risk over time.
Share relevant resources with your vendor (de-risk).
Co-develop a “Target Risk” profile
◦ The set of requirements/controls/questions that should be met.
Summary
Business Case
Process Overview
Vendor Classification
Inherent Risk
Building your assessment
Manual Process
Process Automation
Monitoring Stage
Q&A
Shannon Glass - Fisher
Practice Director, Information Security
Afidence
Max Aulakh
Information Security Professional
MAFAZO Cyber Security
937-789-4216
www.mafazo.com
Back up | About Tryump
• Cyber Compliance automation & orchestration platform
• Cyber security framework builder, manager and auto-mapper
• Manage use case complexity, scale and speed of assessment delivery
• Automate compliance testing & link technical results (pen-testing & other data).