Category Archives: security compliance

How to align the vendor's objective and internal risk profile

One of the key issues in correctly assessing and managing vendor risk is the ability to analyze the potential risk exposure of the vendor and execute the risk evaluation process accordingly.

The process should include:

    • Understanding the business process
    • Mapping potential data or processes at risk 
    • Analyzing business or operational impact upon vendor breach
    • Aligning audited controls and categories

For example:
Vendor A is a small software development company, providing us with services in two separate deals:

Deal 1:

Business owner: IT

The deal:

The vendor provides outsourced code development services and processes employee data in an AWS environment. A breach there might cause major business disruptions, so the security evaluation should go beyond a traditional security audit and address the following:

    • Assessment: Software provider – sensitive.
    • IP exposure analysis: data encryption, employee privileges management, separation of environments, etc.
    • Privacy related exposures: Private data handling, policies, and procedures, privacy compliance opinion, etc.
    • Cloud security measures required: cloud security posture management, relevant certificates, etc.
    • Timing and severity: the vendor might be assessed annually with a set of findings thresholds that will require high standards of security.

Deal 2: 

Business owner: R&D

The deal:

Technical on-site consulting on the architecture of the company's planned website renewal, where no data is stored by the vendor.

In this case, the assessment term might be minimal and include the following:

    • Assessment: consulting
    • IP exposure analysis: NDA execution, email security.
    • Timing and severity: the vendor might be assessed once and with a set of findings thresholds that will require low standards of security.

Being able to orchestrate and automate the risk assessment requirements and analysis will enable a better understanding of the real exposure, an increase in vendor engagement and commitment, a dramatic reduction in security handling costs, and improved risk evaluation accuracy.


Maintain holistic internal risk management

In order to perform better security analysis and execute it at scale, the following process elements should be addressed in your own organizational terminology.

    1. Vendor/deal risk exposure mapping, as indicated by business owners:
      • Mapping of deal elements
      • Mapping of business impact
      • Mapping of potential assets exposed
    2. Security and privacy requirements:
      • Transformation of the initial vendor/deal mapping into an actionable assessment framework
      • Determination of benchmarks and standards
      • Determination of assessment frequency (repetitiveness)
      • Determination of a minimal risk threshold for assessment execution
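The mapping described for the two deals above, and the transformation of that mapping into categories, cadence and threshold, as an added worked example (constructed here, not Findings' own code); the field names, scoring weights, threshold and category labels are assumptions chosen to reproduce the two deals in the text:

```python
from dataclasses import dataclass

# Constructed illustration (not Findings' own code): a business owner's deal
# mapping is turned into the assessment scope that the text describes.

@dataclass(frozen=True)
class Deal:
    vendor: str
    business_owner: str
    data_classes: frozenset   # data the vendor handles for us, e.g. {"employee"}
    vendor_hosts_data: bool   # vendor stores or processes our data
    cloud_hosted: bool        # vendor environment runs in a public cloud
    breach_impact: str        # "low" | "medium" | "high", judged by the owner

IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}
SENSITIVE_THRESHOLD = 5       # assumed minimal score that triggers the full scope

def risk_score(deal):
    """Internal risk score: business impact weighted by data and hosting exposure."""
    score = IMPACT_SCORE[deal.breach_impact]
    if deal.vendor_hosts_data:
        score += 2 + len(deal.data_classes)
    if deal.cloud_hosted:
        score += 1
    return score

def assessment_scope(deal):
    """Categories, cadence and finding threshold triggered by the deal mapping."""
    categories = ["nda", "email_security"]          # baseline for any engagement
    if deal.vendor_hosts_data:
        categories += ["data_encryption", "privilege_management",
                       "environment_separation"]
    if deal.data_classes & {"employee", "customer"}:
        categories += ["privacy_handling", "privacy_compliance"]
    if deal.cloud_hosted:
        categories += ["cloud_posture_management", "cloud_certifications"]
    if risk_score(deal) >= SENSITIVE_THRESHOLD:
        return {"tier": "sensitive", "cadence": "annual",
                "max_open_findings": 0, "categories": categories}
    return {"tier": "minimal", "cadence": "once",
            "max_open_findings": 5, "categories": categories}

def reusable_categories(scope, finalized):
    """Categories already certified in a finalized assessment of the same vendor,
    so a new business owner request need not re-assess them."""
    return [c for c in scope["categories"] if c in finalized]

# The two deals from the text, as constructed inputs.
DEAL_1 = Deal("Vendor A", "IT", frozenset({"employee"}), True, True, "high")
DEAL_2 = Deal("Vendor A", "R&D", frozenset(), False, False, "low")

if __name__ == "__main__":
    for deal in (DEAL_1, DEAL_2):
        print(deal.business_owner, risk_score(deal), assessment_scope(deal))
    done = set(assessment_scope(DEAL_2)["categories"])   # finalized for Deal 2
    print(reusable_categories(assessment_scope(DEAL_1), done))
```

Deal 1 lands in the sensitive tier with annual cadence and the privacy and cloud categories triggered; Deal 2 stays minimal with only the NDA and email security baseline, which a later Deal 1 request can reuse instead of re-assessing.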


Findings internal risk module

Findings enables you to streamline all internal risk elements into one process and customize your own business logic, policy and terminology as part of it.

The main capabilities provided as part of your account:

1. Business owner page

A customizable wizard enabling the following branded capabilities:

    • Publication of your policy to your business owners across the enterprise
    • New/existing Vendor requests
    • A customizable vendor risk classification questionnaire 
    • An automated calculation of vendor internal risk score
    • Automated triggering of security categories and controls for the assessment
    • Automated queuing of the pending vendor for the security team

2. Vendor management

A comprehensive vendor management page for the security team, including:

    • The ability to open and edit vendor details, send assessments and define vendor assessment policies
    • Review and approval of business owner page results and the system assessment recommendations
    • Self definition of vendor internal risk classification by a member of the security team
    • Maintaining multiple business owner security page results for a single vendor
    • Launching assessments in alignment with the business owner page results

IMPORTANT: The ability to maintain said multiple risk profiles allows the enterprise to assess and certify the vendor for multiple deals and reuse already finalized past assessments to match with new business owner requests.

How to:

Option 1: Your vendor management module: Vendor tab >> Manage vendors >> select vendor >> Edit

Option 2: Directly from the notification received from your BO page initiation

3. Notifications

Findings’ powerful notification engine enables the business owner to be notified on the various stages and processes following his/her request. The notifications, as always, are self customizable to your needs.

The standard notifications that the business owner will receive (or be CCed on) include:

    • The assessment sent to the vendor
    • Notification and escalations of delays
    • Vendor assessment finalization 
    • Security review completion

How to:

The notification editor can be found at Profile >> Manage organization >> Notifications

The combination of all Findings internal risk elements will provide you with a streamlined process, better business risk alignment, better security efficiency and service level to your internal stakeholders.

Give it a try or book a free demo session with our experts.

VRM and Regulations

VRM is becoming more widespread nowadays, and more and more organizations realize the importance of conducting a proper vendor verification process to reduce cyber risk. This awareness is a result of high-profile incidents (such as Target and Lockheed Martin) but also of intimate knowledge of the risk. In a recent survey, two-thirds of respondents reported that their organizations had experienced a software supply chain attack, and 90 percent of those confirmed that they had incurred financial loss as a result.

But awareness and first-hand experience are not the only drivers towards greater adoption of VRM. Regulation is another driver that influences organizations and forces them to add VRM to their security agenda. The following regulations/standards

  • GDPR

The European Union's (EU's) General Data Protection Regulation (GDPR) was introduced in May 2018 and includes a new set of requirements for third-party data processors, as laid out in Articles 28, 32 and 33.

The novelty of GDPR in this respect is that it extends the responsibility over personal data to third parties (sub-processors) who process the information.

Article 28 requires contractual protections with data processors and their sub-processors, adequate data protection, and production of evidence of compliance with the GDPR. Article 32, "Security of processing," requires data processors and their sub-processors (3rd parties) to implement comprehensive information security controls to protect EU personal data.

Article 33, "Notification of a personal data breach," requires data processors (and their respective 3rd parties) to report compromises of EU personal data to their clients without undue delay.

Article 36, "Prior consultation," requires data processors to provide data protection impact assessments (DPIAs) to their clients in certain high-risk situations.

All the above requirements present a new set of processes, procedures and skills to be implemented as part of a company's compliance process.

While GDPR isn't relevant to every country and company, it is the first of many such regulations that tackle the issue of 3rd-party liability and risk.

  • NYC DFS (23 NYCRR 500)

The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions.

The NYS DFS regulation defines a 3rd party as: "Third Party Service Provider(s) means a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity". It requires the regulated entities (which include state-chartered banks, licensed lenders, private bankers, foreign banks licensed to operate in New York, mortgage companies, insurance companies and service providers) to have a dedicated Third Party Service Provider Security Policy that includes "written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers".

It requires that, prior to engaging 3rd parties, companies perform a comprehensive due diligence process in order to evaluate the adequacy of the cybersecurity practices of Third Party Service Providers, and conduct periodic assessments of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices. In addition, companies must designate a senior member as responsible for direction and oversight of the Third Party Service Provider.

  • CCPA, the California Consumer Privacy Act

The CCPA covers California state resident data and will come into effect in January 2020.

In similar fashion to GDPR and NYC DFS, it extends the responsibility over private data to third parties collecting and handling it. For instance, section 1798.115(d) of the CCPA limits third parties' ability to resell personal information they obtain from your business.

Also, as other data protection and privacy regulations dictate, there is a continuous requirement to map where the data is processed, assess and evaluate the potential exposure risk, and manage it continuously.

  • DOD Cybersecurity Maturity Model (CMMC)

The US Department of Defense is working on a new mandatory cybersecurity certification program that would require contractors to demonstrate their cybersecurity readiness in order to participate in DOD bids.

The new CMMC certification creates a five-level system. Vendors are assessed on 18 separate "domains," or elements of cyber security such as incident response plans and risk management policies. Although it seemed at first to have a rather limited reach (impacting only the defense industry), it might be relevant to the entire DoD supply chain of about 300,000 contractors, and as such have a far-reaching impact on many vendors, from electronics makers to steel plate manufacturers.


The regulations and standards covered in this post are by no means the only ones that companies should adhere to. Multiple laws and agencies, such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Health Insurance Portability and Accountability Act (HIPAA), the Consumer Financial Protection Bureau (CFPB), the Foreign Corrupt Practices Act (FCPA), Dodd-Frank, the HITECH Act, the Gramm-Leach-Bliley Act, and even the Open Banking standard, all call for certain degrees of third party risk management policies and controls.

While these all vary in their specific requirements, the basic underlying notion is the same: companies cannot ignore their responsibility over the 3rd parties they engage with. They need to ensure these 3rd parties adhere to the same levels of scrutiny and regulation as themselves, and take measures to evaluate, and be able to demonstrate, their supply chain security compliance on a continuous basis.

Navigating this regulatory landscape without the proper knowledge and tools is extremely difficult, time-consuming and risky. Findings can help you map the regulatory requirements and facilitate the 3rd party risk management process.

Why VRM?

What is VRM, and how to start applying it to your supply chain risk?

A vendor notified a global enterprise that it had suffered a data breach. That vendor was recorded in the enterprise's VRM system, which allowed the security and risk personnel to quickly assess the exposure and act accordingly. This manifestation of a proper VRM process is what's expected of modern enterprises and organizations, but sadly, it is very rare.

Gartner defines VRM (Vendor Risk Management) as “the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance”.

In a cybersecurity context, this means that organizations need to ensure that elements in their supply chain, such as vendors, partners, integrated systems and others, do not expose them to unnecessary cyber risks. VRM (which is part of risk management) has been in the shadow of the more mainstream IT security until very recently.

Organizations have invested heavily in securing their own perimeter, training personnel and refining their security procedures, all in the hope of thwarting an attack from an outside hacker. But since cybercriminals are like water, meaning they always seek the path of least resistance, they found that they could gain entrance into heavily defended organizations by working their way up the supply chain. There, they could identify weaker entities with lesser security mechanisms, and utilize these to gain entry to their final objective. Supply chain attacks increased 78 percent between 2017 and 2018, and a recent report states that half of all attacks in 2019 targeted the supply chain. This fact, alongside some very notable cyber breaches that came through the supply chain (Target was infected via an HVAC maintenance contractor who had weak cybersecurity; Wipro was hacked and used as a springboard for further attacks on its customers; etc.), has brought this subject to the attention of boards, CISOs, legal and risk professionals across the world.

But awareness is not enough. Organizations need to understand whether they should address this risk and how to mitigate it. Some organizations are mandated by law or regulation to engage in Vendor Risk Management. These include critical national infrastructure, defense and homeland security industries as well as financial and healthcare entities. Others must address VRM as part of their obligation to adhere to GDPR and other privacy policies and regulations, such as the evolving CCPA. We will cover these aspects in follow-up blog posts. But when an organization decides it needs to address the VRM issue, it is usually shocked by the sheer volume of work ahead. This is a combination of the number of vendors that require validation (which could easily reach hundreds for a medium-sized organization) and the manual labor required to validate each and every vendor. The traditional VRM process required that a detailed questionnaire be sent to the vendor, who would then fill it in to the best of their understanding. The questionnaire would then be sent back to the organization for processing, which required painstaking manual data entry into the organization's own systems. This is a lengthy and expensive process that could have a negative impact on business cycle and project execution times. Furthermore, the process must be revisited on an annual basis, or when switching (or adding) new vendors to the supply chain.

Faced with these challenges, organizations choose to prioritize, and focus their attention on the largest vendors or the ones perceived to pose the greatest risk. It is not uncommon for organizations to focus their VRM process on just 5% of their supply chain, leaving the bulk of their supply chain unaccounted for. Organizations that choose to "roll the dice" and play the cost vs. risk game could find themselves in the crosshairs should they happen to miss out on that one vendor that eventually caused the breach.

Findings approaches this challenge with the view that ALL vendors must be verified. We've built our technology platform to enable organizations to automatically assess their exposure. Moreover, we've made it exceptionally easy for vendors to assess themselves. By removing friction we've enabled organizations to effectively assess their entire supply chain, without having to "gamble" on who to check. In the case described at the beginning of this article, a global enterprise used our system to vet all of its supply chain. That, of course, wouldn't have been possible to achieve with the "old" (manual) methods. Having the vendor documented in their VRM system allowed them to quickly respond and communicate the necessary actions, both internally (to the board of directors and management) and externally (to customers, partners and authorities). In this case, the status of that particular vendor was such that no additional action was required. Had it not been validated and recorded in the VRM system, the process of understanding the exposure "post-mortem" would have taken days and not the 15 minutes that it took. The Findings solution enabled the following benefits:

  • Complete coverage
  • Accuracy
  • Reduced time for the initial validation process
  • Reduced time of response once an event has occurred

VRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information. However, without an automated, scalable mechanism to support the data input, these solutions are under-utilized and provide only partial coverage. Findings enables organizations to fully utilize these solutions and gain a clear understanding of their entire supply chain exposure.