fbpx

Monthly Archives: April 2020

How to align the vendors objective and internal risk profile

One of the key issues in correctly assessing and managing vendor risk is the ability to analyze the potential risk exposure of the vendor and execute the risk evaluation process accordingly.

The process should include:

    • Understanding the business process
    • Mapping potential data or processes at risk 
    • Analyzing business or operational impact upon vendor breach
    • Aligning audited controls and categories

For example:
Vendor A is a small software development company, providing us services in 2 separate deals:

Deal 1:

Business owner: IT

The deal:

The vendor is providing outsourced code development services and processes employee data in an AWS environment in which  a breach might cause major business disruptions and should be addressed in terms of security evaluation with the following, beyond traditional security audit:

    • Assessment: Software provider – sensitive.
    • IP exposure analysis: data encryption, employee privileges management,  separation of environments, etc.
    • Privacy related exposures: Private data handling, policies, and procedures, privacy compliance opinion, etc.
    • Cloud security measures required: cloud security posture management, relevant certificates, etc.
    • Timing and severity: the vendor might be assessed annually with a set of findings thresholds that will require high standards of security.

Deal 2: 

Business owner: R&D

The deal:

Technical on site consulting regarding architecture of a planned website renewal of the company, Where no data is being stored by the vendor.

In this case, the assessment term might be minimal and include the following:

    • Assessment: consulting
    • IP exposure analysis: NDA execution, email security.
    • Timing and severity: the vendor might be assessed once and with a set of findings thresholds that will require low standards of security.

Being able to orchestrate and automate the risk assessment requirements and analysis will enable a better understanding of the real exposure, an increase in vendor engagement and commitment and a dramatic reduction of security handling costs and risk evaluation accuracy.

 

Maintain holistic internal risk management

In order to streamline the ability to perform better security analysis and execute at scale, the following process elements should be addressed with your own organizational terminology.

    1. Vendor/Deal risk exposure mapping as indicated by business owners:
      • Mapping of deal elements
      • Mapping of business impact
      • Mapping of potential assets exposed
    2. Security & privacy requirements:

      • Transformation of the initial vendor/deal mapping into an actionable assessment framework.
      • Determination of benchmark and standards.
      • Determination of repetitiveness.
      • Determination of a minimal risk threshold for assessment execution.

 

Findings internal risk module

Findings enables you to streamline all internal risk elements into one process and customize your own business logic, policy and terminology as part of it.

The main capabilities provided as part of your account:

1. Business owner page

A customizable wizard enabling the following branded capabilities:

    • Publication of your policy to your business owners across the enterprise
    • New/existing Vendor requests
    • A customizable vendor risk classification questionnaire 
    • An automated calculation of vendor internal risk score
    • Automated triggering of security categories and controls for the assessment
    • An automated pending vendor for security team

2. Vendor management

A comprehensive vendor management page for the security team, including:

    • The ability to open, edit vendor details, send assessments and define vendor assessment policies
    • Review and approval of business owner page results and the system assessment recommendations
    • Self definition of vendor internal risk classification by a member of the security team
    • Maintaining multiple business owner security page results for a single vendor
    • Launching assessments in alignment with the business owner page results

IMPORTANT: The ability to maintain said multiple risk profiles allows the enterprise to assess and certify the vendor for multiple deals and reuse already finalized past assessments to match with new business owner requests.

How to:

Option 1: Your vendor management module :  Vendor tab >> manage vendors >> select vendor >> Edit

Option 2: directly from the notification received from you BO page initiation

3. Notifications

Findings’ powerful notification engine enables the business owner to be notified on the various stages and processes following his/her request. The notifications, as always, are self customizable to your needs.

The standard notifications that the business owner will receive (is CCed to)  include:

    • The assessment sent to the vendor
    • Notification and escalations of delays
    • Vendor assessment finalization 
    • Security review completion

How to:

The notification editor can be found at Profile >> Manage organization >> Notifications

The combination of all  Findings internal risk elements will provide you with a streamlined process, better business risk alignment, better security efficiency and service level to your internal stakeholders.

Give it a try or book a free demo session with our experts.

Your business continuity and the Coronavirus crisis

man inspection his supply chain BCP

Your supply chain is your weak spot during the Coronavirus crisis – how to prepare yourself

Different scenarios and how to protect yourself using a free tool we created for the community

 As the concern regarding the global outbreak of coronavirus (Covid-19) increases rapidly, companies are facing the need to quickly adjust their processes to various situations which can affect their business continuity.

The global nature, spread and infection pace of the coronavirus and their implications indicate that no company should rest assured assuming it could go by unscathed and every CISO, CIO and CEO should prepare and evaluate a business continuity plan (BCP) immediately.

Living in an interconnected world makes every business vulnerable to 3rd party business continuity risks that can disrupt its processes’ continuity, data and reputation.

One of the main issues to address is the company’s supply chain and other 3rd party readiness measures. Maintaining supply chain BCP in this challenging time is crucial to the ability to ensure minimization of potential impacts.

In the case of Coronavirus, the disruption is mainly created as a result of availability issues rising from the many employees that will be forced to work from home or be hospitalized.

From the supply chain perspective, the main risk scenarios are:

  1. The need for many employees to immediately shift to remote work.
  2. Staff availability issues resulting from employees being hospitalized in cases of illness and being unavailable for long periods of time.
  3. Lack of preparedness of vendors to enable remote and secured operation.
  4. Low compatibility of vendor’s infrastructure (endpoint, connectivity, etc.) with the proper requirements to maintain operation.
  5. Information security issues due to major and uncontrolled changes in the infrastructure serving the business.

Therefore, we decided to provide everyone with a FREE tool that will help you assess and manage your supply chain coronavirus readiness and resiliency.

You can subscribe for your free account here and immediately launch a vendor assessment process.

Your account is now equipped with a ‘Coronavirus resilience assessment’ type. By selecting it under either the ‘add new vendor’ or ‘manage assessment’ tab – your vendors will be able to quickly provide you with an overview of your supply chain weak spots.

The tool will also provide you with automated findings, recommendations and time stamps that will help you manage vendor gaps effectively.

Want to perform a self readiness assessment? No problem – just choose the ‘Coronavirus resilience assessment’ at the ‘manage assessments’ and choose ‘ self assessment’ 

If you already have your Findings account – contact our customer success team to activate the tool.

Just click on the link or the button below and start your on-boarding. 

Stay healthy! 

GE Discloses Data Breach

GE data breach in supply chain

Tech Giant GE Discloses Data Breach After Service Provider Hack

The recent data breach of a GE supply chain service provider resulted in the theft of PII for many of the company’s employees. 

GE currently has customers in more than 180 countries and in employment of 280,000 employees according to the company’s 2018 annual report.

“The breach occurred at Canon Business Process Services (Canon), a GE service provider, where an email account of a single employee was breached, resulting in an unauthorized party gaining access to an email account that contained documents of certain GE employees, former employees, and beneficiaries entitled to benefits that were maintained on Canon’s systems”.

Also, GE stated that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as “beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”

GE reported the incident to the Office of the California Attorney General and have notified the affected individuals according to data breach laws and the CCPA.

They said that GE’s IT systems were not affected by the Canon security breach and that it’s taking all the necessary measures to prevent a similar incident from happening in the future.

Supply chain cybersecurity risk 

This attack highlights the issues of Supply Chain and Third-Party Provider attacks

As companies seek to reduce costs and improve operational margins, they rely on suppliers of business services or providers of products to take advantage of the lower costs these partners incur to specialization and economies of scale.

These strategies are sound business practices in the growing trend toward collaborative eco-systems. In fact, it’s impossible for an organization the size of GE to operate without an efficient global supply chain spanning across tens of thousands of subcontractors and vendors.  

The cybersecurity risks, companies face are the lack of control they have when it comes to protecting the data which they now share or have hosted by these suppliers – due to it not always being protected with the same level of security that the company itself, as a data owner, may impose on its own resources. 

The inability to determine the financial impact of these types of breach attacks makes it very hard for cost-conscious outsource/third-party services or goods suppliers to assess the right sizing of risk and breach mitigation measures.

The attackers that are leveraging these third-party or supply chain attacks are often identified as Political Cyber Warriors, Financial Hackers, Disgruntled Employees, and Industrial Espionage Agents. 

These actors have already done the math in terms of assessing the value of such purloined information in terms of financial value, and have sufficient resources behind them to invest in the attack methods that will enable these penetrations and exfiltration – and make a positive return on investment. 

As the number of attacks and the size/prestige of victims of these breaches increases, companies must be much more diligent in coping with these risks.

What can you do?

When selecting third-party service providers or supplier partnerships, companies must perform reasonable due diligence to assure themselves and their stakeholders that the selection process does not just focus on cost. 

The first step is for companies to assess the financial impact such a breach will have on their business in terms of reputation and survivability. 

This can be accomplished by firstly quantifying the risk in monetary terms – A Cyber Risk Quantification exercise can put a financial impact number to each type of asset’s compromise. 

Companies should perform this themselves or with the assistance of independent professionals.  This should not be done by the out-source provider.

Secondly, each potential provider should demonstrate that they are adequate to data security and relevant privacy measures by performing a defensive maturity assessment – ensuring that all security measures are in place, current and fully configured. 

There are several industry-specific standards such as ISO, NIST, and others that can provide standard yet independent expertise to conduct the assessments. 

These assessments should be performed as necessary-  Prospective clients/organizations should ask for and receive these security assessments during their selection or on-boarding process as well as on a periodic basis according to the risk exposure of the vendor.

Obviously, such operation of performing manual assessments on such a large scale isn’t practical, meaning an automated solution must be implemented to facilitate this process.

Summary

Cyber mitigation has become a fact of life and therefore, companies must make sure that they deal with it effectively.  Out-sourcing services or products for resale in an eco-system can be extremely beneficial and enables organizations to move investment off-balance sheet and gain the benefits of markets in sourcing such services, yet they must act aggressively to ensure that their partners are delivering on protecting the company from risks.

A 3rd party assessment cannot and will not prevent a cyber incident, but will help organizations create a robust supply chain and to respond quickly and decidedly when an attack occurs –  just like GE did.