
Trust But Verify - A New Approach to Third Party Risk Management


Published on

Third-party risk assessments are the traditional method to provide vendor assurance. However, it is obvious this is not working. Third party risk must evolve to ensure that vendors not only profess to have security controls, but those controls actually work.
In this presentation, we define a new approach to third party management. Rather than managing risk, manage trust. We will explain how to structure a program to handle a diverse array of third parties while providing scientifically valid risk data.

Published in: Technology


1. ANITIAN – TRUST BUT VERIFY – MANAGING THIRD PARTY RISK

2. MEET THE SPEAKER – ANDREW PLATO (slide footer: intelligent information security, ANITIAN)
   • President / CEO of Anitian
   • Principal at TrueBit CyberPartners
   • 20+ years of experience in security
   • Authored thousands of articles, documents, reports, etc.
   • “Discovered” SQL injection in 1995
   • Helped develop first in-line IPS engine (BlackICE)

3. Vision: Security is essential to growth, innovation, and prosperity. Mission: Build great security leaders.
   ANITIAN: Rapid Risk Assessment; Compliance Assessment and Audit; Full-Spectrum Security Testing; Managed Threat Intelligence; Intelligent Information Security

4. OVERVIEW
   • Intent
     • Discuss the challenges of third party risk management
     • Define strategies to inventory, classify, and assess third parties
   • Assumptions
     • This is a gigantic topic; we cannot cover it all
     • Our focus is IT-centric, but the concepts apply everywhere
     • Our approach assumes trust is more effective, efficient, and profitable than suspicion

5. WHAT IS YOUR INTENTION?
   • Do you want to be compliant or secure?
   • COMPLIANT
     • Ignore this presentation
     • Go find the cheapest checkbox auditor you can find
   • SECURE
     • You’re in the right place

6. THE CHALLENGE

7. 63% OF BREACHES ARE CAUSED BY THIRD PARTIES

8. THIRD PARTIES – THEY’RE EVERYWHERE

9. LURKING THREAT

10. OUTSOURCED WHERE?

11. (image only)

12. RISK TOLERANCE / THREAT IGNORANCE

13. (image only)

14. RELATIONSHIPS ARE VALUABLE

15. WORKS

16. RELATIONSHIPS VS REGULATION
   Third Party TRUST Management
   • Foundation of trust
   • Values relationships
   • Flexible, but structured
   • Trusts, but verifies
   • Business decision
   Third Party RISK Management
   • Foundation of suspicion
   • Values compliance
   • Rigid, creates impediments
   • Technical decision
   • Does not trust, attempts to verify

17. THE THIRD PARTY RISK CHALLENGE
   • How do we:
     • Trust better?
     • Verify that trust, honestly?
     • Manage the complexity of third party vendors?
   • Answer: Trust, but verify

18. THIRD PARTY TRUST BUT VERIFY PROCESS: Inventory, Trust, Verify, Manage Risk

19. INVENTORY

20. WHAT THIRD PARTIES DO YOU HAVE?
   • Services
   • Developers
   • Resellers
   • Managed services
   • Contractors and contingent staff
   • Consultants
   • Financial services / payment processors
   • HR services (benefits, recruiters, background checks)
   • Legal, accounting, marketing, etc.

21. CLASSIFY
   • Gather initial list to produce a “best guess” inventory
   • Organize into logical categories
     • Software
     • Hardware
     • Services
     • Vendors
     • Facilities
   • Who...
     • Owns them?
     • Uses them?
     • Manages them?
   • Why do you have them?

22. (image only)

23. ? !

24. LET’S TALK ABOUT INVENTORY
   • Have discussions with business process owners to validate items
     • How important is this relationship to the company?
     • What access do they have? Need?
     • How could they hurt us?
     • Why do we have this relationship (rationale)?
   • Validate the owner and relevant custodians
     • What do you share with them?
     • Are there service level agreements? What are they?
     • Who are the contacts?
     • How was the vendor selected?
     • How much leverage do we have with them?

25. THIRD PARTY INVENTORY
   • Document all your data in a matrix
   • This is just for documenting the vendors, not for risk assessment
   • Typical data you want to capture in this inventory (add to this as you see fit):
     Name, Type, Description, Rationale, Relationship Owner, Technical Owners, Importance, Access required, Type of data handled, Trust level, Controls in Place, SLAs, Term, Applicable regulations, Third party certifications

26. TRUST

27. TRUST LEVELS?
   • Rather than ask what threat the third party poses, ask what level of trust is reasonable for them
   • Trust levels are a simple way to classify trust (rather than risk)
   • To assess trust, consider the two Dimensions of Trust:
     • How important is the vendor to your business?
     • How much access does the vendor need?

28. PLOT ACCESS VS IMPORTANCE
   Axes: Sensitivity of Access; Importance to Business
   Quadrants (top row, then bottom row): Trusted, Strategic | Informal, Partner
   Cells: Low Access / Low importance; High Access / Low importance; High Access / High importance; Low Access / High importance

29. TRUST LEVELS
   • Do you trust the vendor?
   • Is the level of trust commensurate with the relationship?
   • Is there anything you can do about it?
   • Do you need to verify that trust?
     – Yes, we need to verify trust: then execute one or more Risk Management Activities
     – No, verification unnecessary: decision made, vendor trusted

30. RISK MANAGEMENT ACTIVITIES
   • Risk management activities verify trust:
     • Independent risk assessment
     • Request for information (RFI)
     • Technical testing (penetration testing, code review, etc.)
     • Contractual assurances
     • On-site walk through
     • Named insured
     • Third party assurances (SOC2, ISO, etc.)
     • Compliance certifications (PCI, HIPAA/HITRUST, NERC, etc.)
     • Review cycle
     • Financial guarantees (bonds, etc.)
     • Access reviews

31. MAP RISK ACTIVITIES TO TRUST LEVELS
   Strategic Partner
   • Independent risk assessment
   • Technical testing
   • Contract assurance
   • Quarterly review
   • Monitoring plan
   • Named insurance
   Partner
   • Table-top risk assessment
   • In-house technical testing
   • Contract assurance
   • Annual review
   Trusted
   • RFI
   • Contract assurances
   • Annual validation
   Informal
   • Vendor trusted without verification
   • Annual validation of trust level
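The two Dimensions of Trust (slides 27 and 28) and the mapping of risk management activities to trust levels (slide 31) carried through as an added Python example; this is not Anitian's code or tooling. The vendor records are constructed, and the quadrant-to-level reading of the plot, the activity names used as evidence labels, and the 90/365-day review cycles are assumptions; the code derives each vendor's trust level, lists the required activities with no evidence on file, and dates the next review.

```python
"""Trust level classification and verification-gap check for a third party
inventory, following the deck's Dimensions of Trust and its activity mapping.
Added example, not Anitian's code; vendors below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed reading of the slide 28 plot: (high access, high importance) -> level
TRUST_LEVEL = {
    (False, False): "Informal",
    (True, False): "Trusted",
    (False, True): "Partner",
    (True, True): "Strategic Partner",
}

# Slide 31: risk management activities that verify each trust level
REQUIRED_ACTIVITIES = {
    "Strategic Partner": {"independent risk assessment", "technical testing",
                          "contract assurance", "quarterly review",
                          "monitoring plan", "named insurance"},
    "Partner": {"table-top risk assessment", "in-house technical testing",
                "contract assurance", "annual review"},
    "Trusted": {"rfi", "contract assurance", "annual validation"},
    "Informal": {"annual validation"},  # otherwise trusted without verification
}

@dataclass
class Vendor:
    name: str
    high_access: bool      # sensitivity of access (dimension 1)
    high_importance: bool  # importance to business (dimension 2)
    assessed: date         # "Date of assessment" from the risk brief
    evidence: set = field(default_factory=set)  # "Controls in Place" column

def trust_level(v: Vendor) -> str:
    return TRUST_LEVEL[(v.high_access, v.high_importance)]

def verification_gaps(v: Vendor) -> list:
    # required activities for the vendor's trust level with no evidence held
    return sorted(REQUIRED_ACTIVITIES[trust_level(v)] - set(v.evidence))

def next_review(v: Vendor) -> date:
    # quarterly cycle for strategic partners, annual otherwise (90/365 days assumed)
    days = 90 if trust_level(v) == "Strategic Partner" else 365
    return v.assessed + timedelta(days=days)

def risk_brief(vendors) -> dict:
    # per vendor: trust level, open verification gaps, next review date
    return {v.name: (trust_level(v), verification_gaps(v), next_review(v))
            for v in vendors}

SAMPLE_INVENTORY = [  # constructed vendors, one per quadrant of the plot
    Vendor("PayCo", True, True, date(2016, 10, 24),
           {"contract assurance", "technical testing", "named insurance"}),
    Vendor("DevShop", True, False, date(2016, 10, 24),
           {"rfi", "contract assurance", "annual validation"}),
    Vendor("BrandAgency", False, True, date(2016, 10, 24), {"rfi"}),
    Vendor("OfficeCater", False, False, date(2016, 10, 24)),
]
```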
32. FLEXIBILITY IS IN THE PLOT
   Axes: Sensitivity of Access; Importance to Business
   Quadrants (top row, then bottom row): Trusted, Strategic | Informal, Partner
   Cells: Low Access / Low importance; High Access / Low importance; High Access / High importance; Low Access / High importance

33. VERIFY

34. ASSESSING RISK
   • Once you have determined their trust level, you assess their risk based on the level
   • This provides the verify aspect of trusting
   • There are many ways you can verify trust
   • Key question: Is the vendor meeting their risk management commitments?
   • How do you answer this question?

35. COMPLETE WASTE OF MONEY: EYECANDY

36. WORST: QUESTIONNAIRES / RFI
   • Weakest form of data
   • Never ask YES/NO questions
   • Make them describe how they do things
   • Are they lying? Would you know?
   Question | Description | Answer
   Data protection | Describe the methods used to encrypt sensitive data. |
   Access Control | How do you enforce least privileged access rights on users? |
   Background Checks | How do you conduct background checks on employees? How often? |

37. BETTER: CONTRACTUAL ASSURANCE
   • Service level agreements
   • Termination clauses
   • Breach notification requirements
   • Named insurance
   • Compliance requirements (PCI, HIPAA)
   • Indemnification
   • Business associate agreements
   • Can you really enforce them?
   • Are they reasonable?
39. VERY GOOD: INTERNAL VALIDATIONS
   • Access reviews
     • Firewalls / VPN accounts
     • Active Directory accounts and rights
   • Internal segmentation
   • Backhaul channels
   • Encryption
   • Data storage and access
   • Internal scans and tests
   • Spot checking what is shared

40. BEST: INDEPENDENT TESTS AND CERTIFICATIONS
   • Compliance standards are useful: PCI, HIPAA
   • Certifications: ISO, SOC2
   • Financial audits
   • Third party assessors (like Anitian)
   • Security tests (penetration tests)
   • Are they honest?
   • Are they current?
   • Do you trust the auditor?

41. 2016 SF ISACA FALL CONFERENCE, OCTOBER 24-26, HOTEL NIKKO - SF (CISA, CGEIT, CSX, CISM, CRISC)
   MANAGE TRUST

42. WHAT ARE YOUR TOLERANCES?
   • Can you trust them?
   • Does the risk match the level of trust?
   • How much leverage do you have?
     • Don’t like how Big Company does things – tough
     • Worried that Little Company is bankrupt – can you change that?
   • Does the access match the importance?
     • Who decides that?
     • Does that person understand the risk?

43. TOLERANCE BRIEFING
   • A hyper-simplistic way to present risk tolerance
   Dimension | Risk | Description | Tolerance | Remedy
   Compliance | High | Vendor is not PCI compliant. They also have no independent certifications. | Temporarily | Require PCI compliance attestation within one year. Terminate vendor if not met by 6.15.2016
   Reputational | Low | Vendor is not in an industry that could cause the business much reputational risk | Yes | None

44. RISK BRIEF
   • Deeper way to document risk for relevant relationship owners
   • Keep it under one page
   • Information to present:
     • Do we trust this vendor?
     • Vendor name
     • Description of what they do
     • Value of relationship
     • Overall risk ranking
     • Trust level
     • Access required
     • Sensitivity of access
     • List of top risk dimensions
     • Risk reduction recommendations
     • Date of assessment
     • List of artifacts (optional)

45. RISK REDUCTION STRATEGIES
   • More insurance
   • More assurance
   • Reduced access
   • Alternative partners
   • Data / service redundancies
   • Require certifications
   • Independent testing

46. QUALITIES OF BUSINESS TRUST
   • Authentic – is the relationship mutually beneficial?
   • Consistent – do behaviors match words?
   • Transparent – do they openly address issues?
   • Respectful – do they respect you?
   • Dependable – can you count on them?
   • Honest – do they work to maintain trust?
   • Assured – do they respect risk and genuinely want to reduce it?

47. TRUST MANAGEMENT IS BALANCE
   TRUST, balanced against: Value of Relationship; Sensitivity of Access; Impact to Business; Leverage

48. DO I NEED A GRC PLATFORM?
   • Archer, Lockpath, Metricstream, Rsam, etc.
   • No, you can run an entire Third Party Risk program with spreadsheets and emails, however…
   • GRC platforms can help with data and workflow management
   • Do not buy a GRC tool until you have a program in place
   • Extremely time-consuming to set up
   • Remember, questionnaires are your least trustworthy source of information

49. FINAL THOUGHTS
   • This is an immense challenge, but we do it every day
   • Independent validations = most reliable source
   • Questionnaires = least reliable source
   • Ask how and why questions, not yes/no
   • Get out and speak to people face to face
   • Business leaders generally have higher tolerances to risk
   • Be decisive and clear in your recommendations
   • Anitian can help you build this program
   • Trust, but verify

50. THANK YOU
   EMAIL: andrew.plato@anitian.com
   TWITTER: @andrewplato, @AnitianSecurity
   WEB: www.anitian.com
   BLOG: blog.anitian.com
   SLIDES: bit.ly/anitian
   CALL: 888-ANITIAN
