Vendor Risk Presentation

Maturing 3rd Party Vendor Risk Programs
Hobart Room, San Francisco, CA
RSA - March 1, 2016

VerSprite, Inc

March 01, 2016

Transcript

  1. Maturing 3rd Party Vendor Risk Programs
     Gordon Shevlin, CEO, Allgress
     Tony Uceda Velez, CEO, VerSprite
     Scott Takaoka, VP Bus. Dev., VerSprite
     March 1, 2016
  2. Agenda: Programs That We See Today
     • Program definition of risk – often legal, financial, reputational, cyber
     • More mature at assessing financial risk, least mature at assessing cyber-risk
     • Ramping programs / where to start – product-, asset- or organization-centric
     • Moving from audit-related work to active risk management
     (Diagram labels: Legal, Business Risk, Security)
  3. VRA Program Maturity Study *
     * Shared Assessment, 2015, Vendor Risk Management Study

     Category                          C-Level   VP/Director Level   Manager Level
     Program Governance                  2.9           2.8                3.2
     Policies, Standards, Procedures     2.8           2.8                3.0
     Contracts                           2.7           2.8                2.8
     Vendor Risk ID and Analysis         2.4           2.7                2.5
     Skills and Expertise                1.9           2.1                2.7
     Communication and Info Sharing      2.2           2.3                2.6
     Tools, Measurements and Analysis    2.0           2.3                2.9
     Monitoring and Review               2.6           2.7                2.8
  4. Takeaways – Discomfort at C-Level
     Challenges:
     • Understanding the risk of cyber-attack
     • Communicating risk
     • Resourcing / improving the VRA process
  5. Understanding Risk
     • Single-framework-based approaches focused on security are common
     • “Check box” exercise, considered in its own silo
     • Often lacks the granularity and context needed for accurate measurement of vendor risk
     (Diagram label: Security Posture)
  6. Expanding Context for VRA
     • Business/compliance context – a more comprehensive view
     • Map controls to business operational impact
     • Consider a hybrid – e.g. NIST CSF + HIPAA
     (Diagram labels: Business / Compliance Impact, Security Posture)
  7. Expanding Context for VRA
     • Business/compliance context – a more comprehensive view
     • Map controls to business operational impact
     • Consider a hybrid – e.g. NIST CSF + HIPAA
     • Threat provides focus for controls
     • Which controls are most important
     (Diagram labels: Business / Compliance Impact, Security Posture, Threat)
  8. How? Organizational Threat Model
     • PASTA (Process for Attack Simulation and Threat Analysis)
     • Business impact – examine outsourced processes
     • Threat
       – Identify top threats, map them to processes, then to vendors
     • Now evaluate security posture
       – Identify key controls
       – Identify metrics + sensitivity
       – Identify remediation opportunities
     (Diagram labels: Business / Compliance Impact, Security Posture, Threat)
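The slide's ordering (business impact of outsourced processes, top threats, processes, vendors, then the controls to evaluate) can be expressed as a small scoring model. This is an added example, not code from the deck or from VerSprite/Allgress; every process, vendor, threat, likelihood and control name below is constructed.

```python
"""Threat-driven vendor prioritization in the slide-8 order: business impact
of each outsourced process -> top threats -> processes -> vendors -> which
key controls to assess first. All data here is constructed for illustration."""
from collections import defaultdict

# Outsourced processes and their business impact (1 = low .. 5 = critical).
PROCESSES = {"payroll": 4, "claims_processing": 5, "marketing_email": 2}

# Which (constructed) vendors perform which outsourced processes.
VENDORS = {
    "PayCo": ["payroll"],
    "ClaimsHub": ["claims_processing"],
    "MailBlast": ["marketing_email", "claims_processing"],
}

# Top threats: estimated likelihood (0..1), the processes they apply to, and the
# key controls that address them. Likelihoods and control names are placeholders.
THREATS = [
    {"name": "credential theft", "likelihood": 0.6,
     "processes": ["payroll", "claims_processing"],
     "controls": ["MFA for vendor staff", "privileged access review"]},
    {"name": "data exfiltration", "likelihood": 0.4,
     "processes": ["claims_processing"],
     "controls": ["DLP on vendor egress", "encryption at rest"]},
    {"name": "phishing via vendor domain", "likelihood": 0.5,
     "processes": ["marketing_email"],
     "controls": ["DMARC enforcement", "awareness training"]},
]


def vendor_exposure(processes=PROCESSES, vendors=VENDORS, threats=THREATS):
    """Rank vendors by threat-weighted business impact.
    score(vendor) = sum over its processes and the threats that apply to them
    of likelihood * impact; the controls of those threats are the ones to
    evaluate first. Returns [(vendor, score, [key controls]), ...] descending."""
    exposure = defaultdict(float)
    controls = defaultdict(list)
    for vendor, procs in vendors.items():
        for proc in procs:
            for t in threats:
                if proc in t["processes"]:
                    exposure[vendor] += t["likelihood"] * processes[proc]
                    for c in t["controls"]:
                        if c not in controls[vendor]:
                            controls[vendor].append(c)
    ranked = sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)
    return [(v, round(s, 2), controls[v]) for v, s in ranked]


if __name__ == "__main__":
    for vendor, score, ctrls in vendor_exposure():
        print(f"{vendor:10} {score:5}  assess first: {', '.join(ctrls)}")
```

Note that MailBlast outranks ClaimsHub only because it also touches the critical claims process; the vendor's own security posture is evaluated afterwards, as the slide orders it.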
  9. Path to Automation
     • Ensure controls are commensurate with the maturity level of the program
     • Measurable – ensure control activities can be collected and expressed in metrics
     • Understand the impact of controls on the business
     • Measure over time

     Simple Metric                            Intermediate                                                    Value Add
     Yearly policy review                     # of security technical standards                               Demonstrates a sustainable governance program
     # high-risk items remediated < 30 days   % of control gaps remediated                                    Shows a process for addressing security gaps
     Participation % in awareness training    Social engineering ploys foiled by employee security awareness  Demonstrates successful operationalization of security
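The two remediation metrics in the table (high-risk items remediated within 30 days, % of control gaps remediated), measured over time by quarter, as an added example over constructed finding records. This is not code from the deck or from Allgress; vendors, gaps and dates are all made up.

```python
"""Slide-9 remediation metrics computed per quarter from constructed vendor
assessment findings. Added example; none of the records are real."""
from datetime import date

# Constructed findings: a control gap, its risk rating, when it was opened and,
# if remediated, when it was closed (None = still open).
FINDINGS = [
    {"vendor": "PayCo", "gap": "no MFA", "risk": "high",
     "opened": date(2015, 10, 5), "closed": date(2015, 10, 20)},
    {"vendor": "PayCo", "gap": "stale access reviews", "risk": "medium",
     "opened": date(2015, 10, 5), "closed": None},
    {"vendor": "ClaimsHub", "gap": "unencrypted backups", "risk": "high",
     "opened": date(2015, 11, 2), "closed": date(2016, 1, 15)},  # 74 days: outside SLA
    {"vendor": "ClaimsHub", "gap": "no DLP", "risk": "high",
     "opened": date(2016, 1, 4), "closed": date(2016, 1, 28)},
    {"vendor": "MailBlast", "gap": "no DMARC", "risk": "low",
     "opened": date(2016, 1, 11), "closed": date(2016, 2, 1)},
]


def quarter(d):
    """Calendar quarter label such as '2015Q4', used as the time bucket."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def remediation_metrics(findings, sla_days=30):
    """Bucket findings by the quarter they were opened and return
    {quarter: (high_risk_items_closed_within_sla, pct_of_gaps_remediated)}.
    A high-risk item closed after the SLA counts as remediated for the
    percentage but not for the SLA count."""
    per_q = {}
    for f in findings:
        q = quarter(f["opened"])
        high_in_sla, closed, total = per_q.get(q, (0, 0, 0))
        done = f["closed"] is not None
        within = done and (f["closed"] - f["opened"]).days <= sla_days
        per_q[q] = (high_in_sla + int(f["risk"] == "high" and within),
                    closed + int(done), total + 1)
    return {q: (h, round(100 * c / t, 1)) for q, (h, c, t) in per_q.items()}


if __name__ == "__main__":
    for q, (high_in_sla, pct) in sorted(remediation_metrics(FINDINGS).items()):
        print(f"{q}: high-risk closed <= 30 days: {high_in_sla}, gaps remediated: {pct}%")
```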
  10. Modular Solution
      Insight Risk Management Suite modules:
      • Vulnerability Analysis
      • Security & Compliance Assessment
      • Risk Analysis
      • Incident Management
      • Policy & Procedures
      • Third Party Vendor Management
      • Risk Register
  11. The Allgress Solution
      • Centralized data facilitates seamless oversight of the entire risk, security, and compliance management life cycle
      • Automated prioritization allows organizations to efficiently remediate what matters most
      • Real-time reporting presented in a business context enables communication among IT stakeholders up to senior management
  12. Vendor Risk Management
      • Automatically identify high-risk vendors
      • Out-of-the-box surveys and/or customizable survey generation
      • Rapid turnaround with accelerated response times
      • Alleviate manual effort with automated workflows and notifications
      • Comprehensive reporting with real-time status updates
  13. Policy Module
      • Map policy to both regulatory standards and frameworks
      • Centralized repository for all information and security policies
      • Author, review, and publish policies to your organization’s user community
      • Library with over 2,000 policies
      • View past, present, and draft versions of policies in the same location
      • Easily identify version differences through versioning and archiving capabilities
  14. Risk Module
      • Enable prioritization of security budgets and expenses based on the probability of adverse events, and prioritize remediation tasks based on evaluated risks
      • Security risk scenario modeling provides organizations with insight into how decisions impact risk
      • Heat-map bubble charts display the associated risks of business units, networks, asset types and asset groups
      • Risk communicated in a business-relevant context
  15. Partnership to Improve the VRA Process
      • Controls and metrics development
      • Organizational threat modeling
      • Vendor risk assessment as a service
      • Automation support in Allgress
      • Extend findings into the Allgress risk register and other modules
  16. Maturing 3rd Party Vendor Risk Programs
      Gordon Shevlin, CEO, Allgress
      Tony Uceda Velez, CEO, VerSprite
      Scott Takaoka, VP Bus. Dev., VerSprite
      March 1, 2016