Mar 24 2021

What businesses need to know to evaluate partner cyber resilience

Category: Cyber resilience, Vendor Assessment | DISC @ 9:32 am

Many recent high-profile breaches have underscored two important cybersecurity lessons: the need for increased scrutiny in evaluating access and controls of partners handling valuable customer data, and the imperativeness of assessing a third party’s (hopefully multi-layered) approach to cyber resilience.

Given the average number of tech tools, platforms and partnerships today, having a clear and consistent partner evaluation process is critical for the protection of customer data and in limiting overall risk of exposure to cyber attacks. It is not an area where a business can “cut corners” to save time or dollars if the partnership cost seems too good to pass up – the long-term risk is simply not worth the short-term gain.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) included security ratings or scorings as part of its cyber risk reduction initiative. This is significant because it shows there is a need for consistent industry measurement that gives businesses an objective, quantifiable way of determining an entity’s cyber risk, and of checking the level of trust they may incorrectly place in partners who handle their data. While several agencies and government stakeholders are starting to use security ratings, the idea of a uniform scoring system is still a fairly novel concept that will continue to evolve.

In the meantime, here are four questions businesses should ask when determining a partner’s cyber resilience to reduce the possible risks that come with giving external parties access to sensitive data.

What are your current standards for protecting customer data?

IT Vendor Risk Management: A Complete Guide, 2021 Edition, by Gerardus Blokdyk

Tags: evaluate partner cyber resilience


Mar 23 2021

Accellion Supply Chain Hack

Category: App Security, File Security, Vendor Assessment | DISC @ 11:37 pm

Tags: Hacking, patching, supply chain, vulnerabilities


Mar 17 2021

Why is financial cyber risk quantification important?

In its 10th annual Risk Barometer, Allianz found that cyber incidents ranked third in its list of the most important global business risks for the upcoming year, coming in just behind risks stemming from the pandemic itself. We can expect cyber incidents to increase in frequency and sophistication as cyber criminals continue to exploit the security lapses that accompany remote workforces.

However, something that has changed recently is how business leaders and boards of directors are viewing cyber risk. While previously seen as an issue solely for security and technology leaders to manage, executives are now pressuring security departments to financially quantify cyber risks facing their organizations.

In fact, a recent survey of 100 senior security professionals found that 70% of respondents have received pressure to produce cyber risk quantification for their business. Further, half of the respondents reported they have a lack of confidence in their ability to communicate and report the financial impacts of cyber risks, with a quarter saying they do not have a cyber risk quantification technology deployed at their company.

Why are executives pressuring CISOs to start financially quantifying cyber risk for their business? This process allows CISOs to identify and rank risk scenarios that are most critical to their enterprise, based on factors such as which attacks would have the biggest financial impact, and how equipped the company is to defend itself against any given attack.

Automated risk quantification makes this process even easier, taking the guesswork out of these decisions and streamlining the path to actionable information. The potential for human error and subjectivity is removed from the equation.

Previously, security leaders have relied on theoretical models of risk such as the Common Vulnerability Scoring System (CVSS). Even with this system, it can be difficult to prioritize the vulnerabilities that rank highest in severity, and it is even more challenging for leaders across the enterprise who are unfamiliar with the scoring. Cyber risk quantification gives security leaders a way to communicate the most pressing cyber threats facing a company that does not rely on a scoring system incomprehensible to anyone outside the security department.

By assigning a dollar value to potential cyber incidents, business leaders have better visibility into the most pressing – and costly – threats facing the enterprise. With this information, the business and security teams can align their efforts and prioritize the largest risks, rather than dedicating resources to lower priority risks.

Teams can focus their efforts on ensuring the business has adequate controls and processes in place to defend against the costlier risks and make additional investments accordingly. It can also make it easier for leaders and boards to justify spending more time or money to proactively defend against certain risks.

For CISOs, cyber risk quantification also provides an easier way to communicate the value of their work to leadership. Security leaders can calculate the return on investment of their tools and teams in the context of risk reduction for the enterprise. This gives leaders better visibility into the risks facing their organizations in terms that are understandable and actionable. Conversely, cyber risk quantification can help to identify any issues with an organization’s existing cybersecurity program and measure improvement over time.

Overall, shifting to this type of risk-led approach for cybersecurity will result in data-driven and actionable insights that will allow leaders across all business departments to understand and act on the most critical cyber risks facing their enterprise.

We know that attacks are going to continue, whether they come from state-sponsored actors or cyber criminals, and it is critical for an enterprise to have a comprehensive view of its risk landscape. Now is the time for security leaders to adopt cyber risk quantification and more easily demonstrate how cybersecurity organizations are protecting their business operations from disruption and catastrophic harm.


Cyber Risk Quantification: A Complete Guide

Tags: cyber risk quantification


Feb 25 2021

Third-party risk management programs still largely a checkbox exercise

Category: Vendor Assessment | DISC @ 9:19 am

Recent data indicates that third-party risk management (TPRM) programs are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action.

So TPRM programs are nominally jumping through hoops to ask vendors about or observe their security controls. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments.

This was one of the key findings of a recent report compiled by Cyentia Institute on behalf of RiskRecon. Conducted among 154 TPRM professionals operating in a range of industries, the study showed that a whopping 81% of respondents admit they rarely require remediation from third parties after an assessment.

And that’s not because everything is fine and dandy with these vendors’ security controls. The survey showed that a slim 14% of these professionals are highly confident that their vendors are meeting security requirements. Nor is it from an utter lack of investment: at this point some 79% of organizations have a formal TPRM program, with a median of at least two full-time employees. Some of these programs are just getting underway, but many have been established for some time, and the average age of these programs is now five to six years.

Obviously, these investments in TPRM programs are not being fully realized through effective risk reduction, so what gives? The survey results indicate that this may be a classic checkbox-compliance scenario. According to respondents, regulatory compliance is the runaway top driver for the development of their company’s TPRM program. Some 62% cited compliance as their number one motive for running a program, in contrast to just 22% who named executive mandates and 16% who cited customer requirements.

This likely explains why so many organizations today still rely so heavily on security questionnaires, as that is the bare minimum required by most compliance regimes. The survey showed that twice as many organizations regularly use questionnaires (84%) as use a more verifiable assessment method such as cybersecurity ratings (42%). This is in spite of the fact that only about one in three TPRM professionals actually believe questionnaire responses.

Clearly there’s more work to be done. The good news is that the forces at play within the TPRM world are following a maturity playbook that most cybersecurity and risk professionals know well.

Tags: Third-party risk management, TPRM


Dec 11 2012

Monitoring and reviewing third party InfoSec services

Category: ISO 27k, Vendor Assessment | DISC @ 12:25 pm

Control A10 of ISO 27001 requires the outsourcing organization to monitor and review the performance of third-party service providers on a regular basis, including contractors working on critical assets within the scope. A Service Level Agreement (SLA) or Operational Level Agreement (OLA) is the binding legal agreement that covers all the important services needed to fulfil the information security and compliance requirements of the organization.

The contract with the service provider should require standard reports on a regular basis; these should be reviewed at least monthly in meetings attended by the staff and management responsible for the services. In these meetings, management should verify that the contractual requirements have been met by the service provider.

Key management responsibilities should include, but are not limited to, the following:

    The outsourcing organization should decide which key metrics will be created to monitor the performance of the service provider, so that it can verify that contractual clauses are met consistently.
    For information security related services, all incidents for the specified period (at least once a month) should be reviewed to make sure they have been included in the organization’s treatment plan for appropriate corrective action, based on the organization’s risk priorities.


Related Articles and Info.

ISO 27001 is the litmus test for information security
Live Webinars feed for Governance, Risk and Compliance

Tags: Contract, Information Security, ISO/IEC 27001, Operational-level agreement, Service-level agreement, SLA


Oct 26 2011

A guide to contract and commercial management for professionals

Category: Vendor Assessment | DISC @ 9:42 pm

Contract and Commercial Management

“Almost 80% of CEOs say that their organization must get better at managing external relationships. According to The Economist, one of the major reasons why so many relationships end in disappointment is that most organizations ‘are not very good at contracting’. This ground-breaking title from leading authority IACCM (International Association for Contract and Commercial Management) represents the collective wisdom and experience of Contract, Legal and Commercial experts from some of the world’s leading companies to define how to partner for performance. This practical guidance is designed to support practitioners through the contract lifecycle and to give both supply and buy perspectives, leading to a more consistent approach and language that supports greater efficiency and effectiveness. Within the five phases described in this book (Initiate, Bid, Development, Negotiate and Manage), readers will find invaluable guidance on the whole lifecycle with insights to finance, law and negotiation, together with dispute resolution, change control and risk management. This title is the official IACCM operational guidance and fully supports and aligns with the course modules for Certification.”

This is an operational guide: a management guide to contract and commercial management that is both practical and straightforward.

Based on the knowledge of contract, legal and commerce professionals, this guide will support you through each phase of the contract lifecycle and help you adopt a common language and approach that enables a progressive way of working.

In this book the information is presented in four sections:
> Bid
> Development
> Negotiate
> Manage

Topics covered in these sections include:
> Risk
> Finance
> Negotiation
> Dispute resolution
> Change control

This title is endorsed by the IACCM (International Association for Contract and Commercial Management) – the association that represents contract and relationship management professionals and organisations.

Key Features and Benefits:

    * A guide to best practice in the world of negotiating contracts and building relationships. It gives you the knowledge to take a comprehensive approach to negotiating contracts using a common language.
    * The methods in this book are based on the experiences of practitioners worldwide and are progressive, whereas some other approaches are adversarial and negative.
    * Endorsed by the IACCM, the best-practice organisation for contract and relationship management professionals, which attests to the quality and relevance of the material.

To build commercial relationships, get a copy of Contract and Commercial Management.

Aug 25 2008

Laptop security and vendor assessment

Category: Laptop Security, Vendor Assessment | DISC @ 2:37 am

Another report of a stolen laptop, this one containing reams of sensitive customer information. The laptop later turned up in the same office complex, in a room which was reportedly locked; however, the sensitive data on the laptop was not encrypted.

According to a San Francisco Chronicle article by Deborah Gage (Aug 6, 2008, pg. C1): “A laptop containing personal information on 33,000 travelers enrolled in a fast pass program at San Francisco International Airport turned up Tuesday in the same airport office from which it had been reported missing more than a week ago.
The machine belongs to Verified Identity Pass, which has a contract with the TSA to run Clear, a service that speeds registered travelers through airport security lines. Verified Identity operates the program at about 20 airports nationwide.
The computer held names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information.
Travelers in the Clear program pay to have the TSA verify their identities. In return, they receive a card that gives them access to special security lanes in airports so they can avoid standing in line to go through security.
The TSA said in a statement that Verified Identity was out of compliance with the administration’s procedures because the information on the laptop was not properly encrypted. Now the company must undergo a third-party audit before Clear can resume, the TSA said.”

When the TSA states that the vendor (Verified Identity) was out of compliance, does that make the vendor liable for negligence? Not unless the contract clearly states that the vendor will be liable if customers’ private data is exposed unencrypted. This means private data should be encrypted wherever it resides: on the server, in transit, or on the laptop.
This raises the question of whether the third-party service provider (vendor) should be included in the security risk assessment, and how often. This should be considered before signing a service contract with the vendor, along with the criteria or standard that will be used to assess the vendor. Should this assessment include the third-party cleaning staff for the security office? Perhaps yes, considering that cleaning staff sometimes do have access to very sensitive areas of the organization. Many of the controls applied to contractors should be more or less the same as those applied to regular employees, but a contractor who has access to sensitive information should potentially have more controls than a regular employee, and these should be clearly defined in the service contract.
Before signing the service contract, due care requires that the organization always assess the vendor’s security posture against its own information security policy and the ISO 27002 standard. Depending on the risk assessment report, the organization can negotiate with the vendor the controls necessary to protect the security and privacy of its data and customers. At this point the organization needs to decide whether the vendor is up to par as far as information security is concerned and, if not, give them a deadline to improve controls before they can become a business affiliate. Depending on the sensitivity of the data, some vendors might be required to obtain ISO 27001 certification to become a business partner. This clause should be clearly included in the service contract.
Assessing the vendor on a regular basis is the key to knowing whether they are complying with the security clauses required by the service contract, and to holding them potentially liable for non-compliance. If the vendor fails the assessment, the organization should follow up with the vendor to remediate the gaps within a reasonable time frame; otherwise this constitutes a breach of the contract.

Laptop Security (video): https://www.youtube.com/watch?v=dytZBBlDMJs






Tags: assessment, business affiliate, compliance, data sensitivity, iso 27001, iso 27002, laptop stolen, privacy, service contract, social security numbers, TSA, verified identity

