Post on 24-Jan-2017
transcript
CHAT UP LINE # 23
“Over 75% of reported breaches over the last 18 months were sourced to a trusted connection”.
Practical (adjective): of or concerned with the actual doing or use of something rather than with theory and ideas; or, of an idea, plan, or method, likely to succeed or be effective in real circumstances; feasible.
INFORMATION?
INTELLECTUAL PROPERTY?
PHYSICAL PROPERTY?
PERSONNEL?
BRAND?
ACCESS TO YOUR SYSTEMS?
ACCESS TO OTHER SYSTEMS?
INFORMATION CLASSIFICATION GUIDE
NON-DISCLOSURE AGREEMENT
INTELLECTUAL PROPERTY AGREEMENT
BRAND IMPACT STATEMENT
MINIMUM CONNECTIVITY REQUIREMENTS
DISCOVERY SCANNING (YOUR NETWORK)
ASSET REGISTER
RISK REGISTER
SUPPLIER MANAGEMENT OWNER
DISCOVERY SCANNING (THEIR NETWORK)
SUPPLIER CLASSIFICATION SCHEME
SERVICE RENDERED
LENGTH OF CONTRACT
SENSITIVITY OF INFORMATION PROCESSED
AMOUNT OF INFORMATION
COMPLIANCE REQUIREMENTS (PCI, DPA, OTHER…)
HOW: PROCESSED, STORED OR TRANSMITTED
EXAMPLE
Category 1: CRITICAL
Supplier processes over 25,000 records of Sensitive PII subject to the DPA; or
Supplier processes over 25,000 records subject to the PCI DSS
Category 2: HIGH
Supplier processes up to 25,000 records of Sensitive PII subject to the DPA; or
Supplier processes up to 25,000 records subject to the PCI DSS; or
Supplier processes over 25,000 records of PII subject to the DPA
Category 3: MEDIUM
Supplier processes up to 25,000 records of PII subject to the DPA; or
Supplier is connected to systems; or
Data is accessed by a 3rd party
Category 4: LOW
Supplier processes data not subject to the DPA; and
Supplier is not connected to systems; and
Data is not accessed by a 3rd party
SPECIFY SECURITY CONTROLS
FRAMEWORK
APPLICABLE?
ENFORCEABLE?
SPECIFY CONTROL OBJECTIVES & EVIDENCE
SPECIFY CONTROL TESTING REQUIREMENTS
SPECIFY REMEDIATION PERIODS
DEFINE ISSUES
WEIGHT SECURITY CONTROLS
CREATE RISK FORMULA
SPECIFY AUDIT PERIODS
SUPPLIER RISK MANAGEMENT
SUPPLIER RISK
FORMULA
CONTROL RISK
FORMULA
CONTROL WEIGHTING FORMULA
CONTROL FRAMEWORK
SUPPLIER CLASSIFICATION SCHEME
CONTROL WEIGHTING
1. Published information security policies
2. Asset Register
3. Risk Register
4. Anti-malware
5. 2-Factor authentication for remote access to your systems
6. Incident Response Plan
7. Business Continuity Plan
8. Security requirements in 3rd party contracts
9. Network penetration testing program
10. Compliance program
CRITICAL STANDARD: the 10 controls listed above
All non-critical controls: 90
WEIGHTING FORMULA
89 controls weighted at 0.5 = a total of 45 (44.5 before rounding)
11 controls weighted at 5 = a total of 55
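The classification example (Categories 1 to 4) and the control weighting (5 for a critical control, 0.5 for a non-critical one) are both decision rules, so here they are worked through as a small calculator. This is an added example, not code from the original slides. The slides name a supplier risk formula and a control risk formula but do not state either, so the two formulas below (failed weight as a percentage of total weight, then scaled by a per-category multiplier) are assumptions and are marked as such in the code; the `SupplierProfile` fields, the `CATEGORY_MULTIPLIER` table and the sample payroll supplier are also constructed for the example.

```python
"""Supplier classification and control weighting, worked through in code.

Added example; it is not code from the original slides.  It encodes the
Category 1-4 scheme and the 5 / 0.5 control weighting shown above.  The
slides name a supplier-risk formula and a control-risk formula without
stating them, so the formulas used here are ASSUMPTIONS and are marked.
"""
from __future__ import annotations

from dataclasses import dataclass

# Record-count threshold used by the slides' example scheme.
RECORD_THRESHOLD = 25_000

# The ten controls the slides list as the "critical standard".
CRITICAL_CONTROLS = [
    "Published information security policies",
    "Asset register",
    "Risk register",
    "Anti-malware",
    "2-factor authentication for remote access to your systems",
    "Incident response plan",
    "Business continuity plan",
    "Security requirements in 3rd party contracts",
    "Network penetration testing program",
    "Compliance program",
]
CRITICAL_WEIGHT = 5.0       # per the slides
NON_CRITICAL_WEIGHT = 0.5   # per the slides

# ASSUMPTION: how much of the control risk flows through to supplier risk
# for each category.  The slides do not give this; adjust to your own scheme.
CATEGORY_MULTIPLIER = {1: 1.0, 2: 0.75, 3: 0.5, 4: 0.25}


@dataclass
class SupplierProfile:
    name: str
    records: int                 # records processed, stored or transmitted
    dpa_subject: bool            # records are PII subject to the DPA
    sensitive_pii: bool          # that PII is "sensitive PII"
    pci_subject: bool            # records subject to PCI DSS
    connected_to_systems: bool   # supplier has a connection into your systems
    third_party_access: bool     # the data is accessed by a further 3rd party


def classify_supplier(p: SupplierProfile) -> int:
    """Return 1 (CRITICAL) .. 4 (LOW) using the slides' example rules.

    Rules are tested from most to least severe, so the first match wins;
    that is what the "or" between the clauses of each category means.
    """
    over = p.records > RECORD_THRESHOLD
    pii = p.dpa_subject and p.records > 0
    # Category 1: over 25k sensitive PII under the DPA, or over 25k PCI DSS records
    if over and ((pii and p.sensitive_pii) or p.pci_subject):
        return 1
    # Category 2: up to 25k sensitive PII, up to 25k PCI DSS, or over 25k plain PII
    if (pii and p.sensitive_pii) or (p.pci_subject and p.records > 0) or (over and pii):
        return 2
    # Category 3: up to 25k plain PII, or connected to systems, or 3rd party access
    if pii or p.connected_to_systems or p.third_party_access:
        return 3
    # Category 4: none of the above applies
    return 4


def weighted_totals(n_critical: int, n_non_critical: int) -> tuple[float, float]:
    """Reproduce the weighting slide: (critical total, non-critical total)."""
    return n_critical * CRITICAL_WEIGHT, n_non_critical * NON_CRITICAL_WEIGHT


def control_risk(failed_critical: list[str], failed_non_critical: int,
                 n_non_critical: int = 90) -> dict[str, float]:
    """ASSUMED control-risk formula: weight of the controls the supplier fails
    as a percentage of the weight of every control in the framework."""
    unknown = set(failed_critical) - set(CRITICAL_CONTROLS)
    if unknown:
        raise ValueError(f"not in the critical standard: {sorted(unknown)}")
    if not 0 <= failed_non_critical <= n_non_critical:
        raise ValueError("failed_non_critical out of range")
    crit_total, noncrit_total = weighted_totals(len(CRITICAL_CONTROLS), n_non_critical)
    total = crit_total + noncrit_total
    failed = len(failed_critical) * CRITICAL_WEIGHT + failed_non_critical * NON_CRITICAL_WEIGHT
    return {"total_weight": total, "failed_weight": failed,
            "risk_pct": round(100.0 * failed / total, 1)}


def supplier_risk(p: SupplierProfile, failed_critical: list[str],
                  failed_non_critical: int) -> dict[str, float]:
    """ASSUMED supplier-risk formula: control risk scaled by the category multiplier."""
    category = classify_supplier(p)
    cr = control_risk(failed_critical, failed_non_critical)
    return {"category": category, "control_risk_pct": cr["risk_pct"],
            "supplier_risk": round(cr["risk_pct"] * CATEGORY_MULTIPLIER[category], 1)}


if __name__ == "__main__":
    # Constructed sample supplier: a payroll bureau holding 40k sensitive PII records,
    # connected to your systems, failing two critical and ten non-critical controls.
    payroll = SupplierProfile("payroll-bureau", 40_000, True, True, False, True, False)
    print(supplier_risk(payroll, ["Anti-malware", "Risk register"], 10))
```

Two points worth noticing when you run it. First, the category rules overlap (a supplier with 30,000 PCI records also matches the "up to 25,000" wording loosely read), so the function evaluates the most severe category first and stops; write your own scheme so that the same supplier cannot land in two categories. Second, with the ten listed critical controls at weight 5 and ninety non-critical controls at 0.5 the total weight is 95, not the 100 the weighting slide arrives at with 11 and 89, so `weighted_totals(11, 89)` is included to reproduce the slide's arithmetic exactly.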
REPORTING METRICS
REPORTING PERIOD(S)
SUPPLIER CLASSIFICATIONS
SUPPLIER RISK PROFILE
CONTINUOUS PROFILE
RISK WATCH LIST
ISSUES
RECOMMENDED ACTIONS
SITE ASSESSMENTS
Review service(s) & deliverables provided
Review amount, sensitivity & locations of data processed, stored & transmitted
Review of ICT systems infrastructure (scan)
Review remote & 3rd party connections to ICT systems
Review 3rd party services
Review office access control systems
Review responses to framework questionnaire
Random verification of 25% of controls
DISCOVERY SCANNING REQUIREMENT
CLASSIFICATION GUIDE REQUIREMENT
SECURITY RESOURCE REQUIREMENT
ASSET REGISTER REQUIREMENT
RISK REGISTER REQUIREMENT
ACCESS PRIVILEGES
CONNECTIVITY REQUIREMENTS
SECURITY CONTROLS
CONTROL EVIDENCE REQUIREMENT
EMERGENCY RESPONSE REQUIREMENT
INTERRUPTION OF SERVICE CLAUSE
BUSINESS CONTINUITY PLAN REQUIREMENT
SECURITY TESTING CLAUSE
BREACH CLAUSE
REPORTING CLAUSE
OVERSIGHT & AUDIT AUTHORITY CLAUSE
LIABILITY OWNERSHIP CLAUSE
CONTRACT PENALTIES CLAUSE
INSURANCE CLAUSE
PRAGMATIC APPROACH
DEFINE SUPPLIER
DEFINE “IT”
LOCATE “IT”
CONFIRM WHO HAS ACCESS TO “IT”
PROFILE THEM
SORT THEM
DETERMINE HOW THEY SHOULD PROTECT “IT”
DETERMINE RISK METRICS
DETERMINE REPORTING METRICS
SERVICE LEVEL AGREEMENTS
MUST BE PART OF A BIGGER PICTURE
LAST THOUGHTS
SLOWLY, SLOWLY CATCH-EE MONKEY
NEVER REQUIRE SOMETHING YOU’RE NOT DOING YOURSELF
NEVER REQUIRE SOMETHING YOU CAN’T / WON’T ENFORCE
DON’T BE A CLIENT - BE A MENTOR