
Riskfactorysecuringthechainsupplierriskmanagementbestpractices 151125163457-lva1-app6891

Date post: 24-Jan-2017
Upload: risk-factory
SECURING THE CHAIN A PRACTICAL APPROACH TO SUPPLIER RISK MANAGEMENT
Transcript

CHAT UP LINE # 23

“Over 75% of reported breaches over the last 18 months were sourced to a trusted connection”.

ONE WORD…

TWO WORD…

WHERE TO START?

Practical (adjective): of or about the actual doing or use of something rather than theory and ideas; or, of an idea, plan, or method: likely to succeed or be effective in real circumstances; feasible.

DEFINE “SUPPLIER”

Supplier (noun): A person or entity that is the source for goods or services.

WRITE “IT” DOWN & LIST THEM

WHAT IS “IT” YOU’RE TRYING TO PROTECT ?

INFORMATION?

INTELLECTUAL PROPERTY?

PHYSICAL PROPERTY?

PERSONNEL?

BRAND?

ACCESS TO YOUR SYSTEMS?

ACCESS TO OTHER SYSTEMS?

WRITE “IT” DOWN

INFORMATION CLASSIFICATION GUIDE

NON-DISCLOSURE AGREEMENT

INTELLECTUAL PROPERTY AGREEMENT

BRAND IMPACT STATEMENT

MINIMUM CONNECTIVITY REQUIREMENTS

LOCATE & DOCUMENT “IT”

DISCOVERY SCANNING (YOUR NETWORK)

ASSET REGISTER

RISK REGISTER

SUPPLIER MANAGEMENT OWNER

DISCOVERY SCANNING (THEIR NETWORK)

CONFIRM WHO HAS ACCESS TO “IT”

COMPANY ACCESS REGISTERS

LIST AUTHORISED PERSONNEL (YOURS)

LIST AUTHORISED PERSONNEL (THEIRS)

PROFILE THEM

SUPPLIER CLASSIFICATION SCHEME

SERVICE RENDERED

LENGTH OF CONTRACT

SENSITIVITY OF INFORMATION PROCESSED

AMOUNT OF INFORMATION

COMPLIANCE REQUIREMENTS (PCI, DPA, OTHER…)

HOW: PROCESSED, STORED OR TRANSMITTED

SORT THEM

SUPPLIER CLASSIFICATION SCHEME

SERVICE RENDERED

LENGTH OF CONTRACT

SENSITIVITY OF INFORMATION PROCESSED

AMOUNT OF INFORMATION

COMPLIANCE REQUIREMENTS (PCI, DPA, OTHER…)

HOW: PROCESSED, STORED OR TRANSMITTED

EXAMPLE

Category 1: CRITICAL

Supplier processes over 25,000 records of Sensitive PII subject to the DPA; or Supplier processes over 25,000 records subject to the PCI DSS.

Category 2: HIGH

Supplier processes up to 25,000 records of Sensitive PII subject to the DPA; or Supplier processes up to 25,000 records subject to the PCI DSS; or Supplier processes over 25,000 records of PII data subject to the DPA.

Category 3: MEDIUM

Supplier processes up to 25,000 records of PII data subject to the DPA; or Supplier is connected to systems; or data is accessed by a 3rd party.

Category 4: LOW

Supplier processes data not subject to the DPA; and Supplier is not connected to systems; and data is not accessed by a 3rd party.

DETERMINE HOW SHOULD THEY PROTECT “IT”

SPECIFY SECURITY CONTROLS
FRAMEWORK
APPLICABLE?
ENFORCEABLE?

SPECIFY CONTROL OBJECTIVES & EVIDENCE
SPECIFY CONTROL TESTING REQUIREMENTS
SPECIFY REMEDIATION PERIODS
DEFINE ISSUES
WEIGHT SECURITY CONTROLS
CREATE RISK FORMULA
SPECIFY AUDIT PERIODS

DETERMINE RISK METRICS

SUPPLIER RISK MANAGEMENT

SUPPLIER RISK

FORMULA

CONTROL RISK

FORMULA

CONTROL WEIGHTING FORMULA

CONTROL FRAMEWORK

SUPPLIER CLASSIFICATION SCHEME

CONTROL FRAMEWORK

CONTROL CLARITY

Control Objective Evidence Testing Procedure

CONTROL WEIGHTING

1. Published information security policies
2. Asset Register
3. Risk Register
4. Anti-malware
5. 2-Factor authentication for remote access to your systems
6. Incident Response Plan
7. Business Continuity Plan
8. Security requirements in 3rd party contracts
9. Network penetration testing program
10. Compliance program

CRITICAL
STANDARD: All non-critical (90)

WEIGHTING FORMULA

89 controls weighted at .5 = for total of 45
11 controls weighted at 5 = for total of 55

RISK INDICATOR

0-35 = HIGH Risk
36-75 = MEDIUM Risk
76-100 = LOW Risk
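The classification scheme (Categories 1-4) and the control weighting with its risk indicator bands are both rule sets, so here they are as an added worked example; this code is not from the deck or from Risk Factory. It assumes "up to 25,000" means at least one record and at most 25,000, that a score is the sum of the weights of controls with satisfactory evidence, and that half points are dropped before banding.

```python
"""Added example: supplier classification and control-weighted risk indicator."""
import math
from dataclasses import dataclass

RECORD_THRESHOLD = 25_000  # record-count boundary used throughout the scheme


@dataclass
class SupplierProfile:
    dpa_pii_records: int = 0            # PII records subject to the DPA
    dpa_sensitive_pii_records: int = 0  # Sensitive PII records subject to the DPA
    pci_records: int = 0                # records subject to the PCI DSS
    connected_to_systems: bool = False  # supplier is connected to your systems
    third_party_access: bool = False    # data is accessed by a 3rd party


def classify(p: SupplierProfile) -> tuple:
    """Return (category number, label). Rules are tested from most to least
    severe so the first matching category wins.
    Assumption: 'up to 25,000' means 1..25,000 records (zero does not count)."""
    def up_to(n: int) -> bool:
        return 0 < n <= RECORD_THRESHOLD

    if p.dpa_sensitive_pii_records > RECORD_THRESHOLD or p.pci_records > RECORD_THRESHOLD:
        return 1, "CRITICAL"
    if (up_to(p.dpa_sensitive_pii_records) or up_to(p.pci_records)
            or p.dpa_pii_records > RECORD_THRESHOLD):
        return 2, "HIGH"
    if up_to(p.dpa_pii_records) or p.connected_to_systems or p.third_party_access:
        return 3, "MEDIUM"
    return 4, "LOW"


# Weighting from the deck: 11 critical controls at 5 points, 89 standard at 0.5
CRITICAL_WEIGHT, STANDARD_WEIGHT = 5.0, 0.5
N_CRITICAL, N_STANDARD = 11, 89


def risk_score(critical_passed: int, standard_passed: int) -> float:
    """Points earned = weight x number of controls with satisfactory evidence."""
    if not (0 <= critical_passed <= N_CRITICAL and 0 <= standard_passed <= N_STANDARD):
        raise ValueError("passed counts exceed the framework size")
    return critical_passed * CRITICAL_WEIGHT + standard_passed * STANDARD_WEIGHT


def risk_indicator(score: float) -> str:
    """Map a score onto the bands 0-35 HIGH, 36-75 MEDIUM, 76-100 LOW.
    Assumption: fractional half points are dropped before banding."""
    points = math.floor(score)
    if points <= 35:
        return "HIGH"
    if points <= 75:
        return "MEDIUM"
    return "LOW"
```

The weighting is the point: passing all 89 standard controls and no critical ones scores 44 (MEDIUM), passing all 11 critical ones alone scores 55 (MEDIUM), and only critical plus a fair share of standard controls reaches the LOW band.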

SPREAD SHEET EXAMPLE

EVIDENCE

SUPPLIER RISK MANAGEMENT

SUPPLIER RISK

FORMULA

CONTROL RISK

FORMULA

CONTROL WEIGHTING FORMULA

CONTROL FRAMEWORK

SUPPLIER CLASSIFICATION SCHEME

DETERMINE REPORTING METRICS

REPORTING METRICS

REPORTING PERIOD(S)
SUPPLIER CLASSIFICATIONS
SUPPLIER RISK PROFILE
CONTINUOUS PROFILE
RISK WATCH LIST
ISSUES
RECOMMENDED ACTIONS

SITE ASSESSMENTS

Review service(s) & deliverables provided
Review amount, sensitivity & locations of data processed, stored & transmitted
Review of ICT systems infrastructure (scan)
Review remote & 3rd party connections to ICT systems
Review 3rd party services
Review office access control systems
Review responses to framework questionnaire
Random verification of 25% of controls

SERVICE LEVEL AGREEMENTS

DISCOVERY SCANNING REQUIREMENT

CLASSIFICATION GUIDE REQUIREMENT

SECURITY RESOURCE REQUIREMENT

ASSET REGISTER REQUIREMENT

RISK REGISTER REQUIREMENT

ACCESS PRIVILEGES

CONNECTIVITY REQUIREMENTS

SECURITY CONTROLS

CONTROL EVIDENCE REQUIREMENT

EMERGENCY RESPONSE REQUIREMENT

INTERRUPTION OF SERVICE CLAUSE

BUSINESS CONTINUITY PLAN REQUIREMENT

SECURITY TESTING CLAUSE

BREACH CLAUSE

REPORTING CLAUSE

OVERSIGHT & AUDIT AUTHORITY CLAUSE

LIABILITY OWNERSHIP CLAUSE

CONTRACT PENALTIES CLAUSE

INSURANCE CLAUSE

THE BIG PICTURE

PRAGMATIC APPROACH

DEFINE SUPPLIER
DEFINE “IT”
LOCATE “IT”
CONFIRM WHO HAS ACCESS TO “IT”
PROFILE THEM
SORT THEM
DETERMINE HOW THEY SHOULD PROTECT “IT”
DETERMINE RISK METRICS
DETERMINE REPORTING METRICS
SERVICE LEVEL AGREEMENTS
MUST BE PART OF A BIGGER PICTURE

OUR NEXT LESSON…

YOUR SUPPLIER’S SUPPLIERS

LAST THOUGHTS

SLOWLY, SLOWLY CATCH-EE MONKEY

NEVER REQUIRE SOMETHING YOU’RE NOT DOING YOURSELF

NEVER REQUIRE SOMETHING YOU CAN’T / WON’T ENFORCE

DON’T BE A CLIENT - BE A MENTOR

A DIFFERENT PERSPECTIVE FROM:

www.riskfactory.com
0800 978 8139
