Where is Your Sensitive Data - And Who is Protecting It?
(Keys to managing business partner relationships - Part 1)
By Bill Carver, Director - Governance Risk & Compliance • CISSP, CISM, CRISC

Securely Enabling Business

ID# 11WP0009 Last Modified 01.09.2012
Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 • 888.732.9406 • © 2012 FishNet Security. All rights reserved.
      Introduction
               As organizations continue to move toward outsourcing and other extended business relationships as part
               of their primary operating models, the information security of those relationships remains a serious
               issue. Organizations have moved so quickly to enjoy the benefits of the "World is Flat" business model
               that data security has, in many cases, been relegated to an afterthought. The business plan for many
               organizations is to outsource a portion of their operations, or in some cases as much as possible.
               This outsourcing typically involves sharing sensitive information with external partners, and in most
               situations very little is known about the security posture of those partners. The result has been an
               increase in the number and severity of data breaches that are often a direct result of this
               information-sharing.

               Newspapers and other media outlets report stories about corporate data loss almost daily. Organizations
               feel the negative financial and reputational impact of data breaches, but they are not the only ones
               to recognize that the outsourcing/partnering model creates a large data security problem. The U.S.
               government, along with many state and international governments, has implemented legislation that
               requires organizations to assess the information security risks associated with their extended
               business relationships. Regulatory requirements and vertical-specific mandates such as HIPAA, GLBA and
               PCI DSS, to name a few, all require the assessment of information security risks related to third-party
               relationships.

               These factors have created a situation in which organizations have a glaring need to assess the security
               of their extended business relationships but lack the in-house expertise or resources to execute those
               assessments. Given the need to avoid even the suggestion of risk to their reputations, and the potential
               imposition of sanctions or fines, many organizations feel increasing pressure to implement a business
               partner assessment program, and to get started as soon as possible.

              (Note: For purposes of this white paper, the term “business partner” will refer to any type of extended
              partner relationship, which may include: vendors, contractors or other third parties.)




      The Challenges

              When it comes to assessing the risks related to business partner information-sharing, most organizations
              are faced with several challenges. One of the primary challenges is not knowing where to start. Many
              organizations have hundreds, potentially thousands, of third-party relationships. How can an information
              security professional, tasked with helping protect the organization, possibly handle assessing the
              overwhelming number of the organization’s business partner relationships? There are so many different
              assessment methodologies and approaches out there to choose from; where does one begin?

              Another challenge is resources. Most information security organizations are stretched thin as it is, and
              that’s without the added work of assessing the security risks associated with business partners. Managing
              business partner risk typically takes a backseat to other information security tasks. Some feel as if
              outsourcing certain business operations is a way to “outsource risk.” This is a dangerous approach, and
              could not be further from the truth. Sharing sensitive information with third parties does not exclude your
              organization from the standard obligations associated with data protection. In fact, the sharing of sensitive
              information with outside organizations increases your risk profile — and obligations. Claiming a lack of
              resources will not provide a defensible position in the face of a data breach or other information security-
              related incident.

               If you are part of one of the few organizations that has a formal business partner assessment program,
               chances are that you are struggling with some of the other challenges inherent in managing the program
               and partner risk issues: how to assess all of your partners, how to manage and act on the mountains of
               assessment data, and how specifically partner issues should be handled.


      What to do
              Tackling the problem of where to begin does not have to be as daunting as it seems.
              By leveraging a risk-based “crawl, walk, run” approach, you can make enormous
              strides toward improving your business partner security profile in a short period
              of time, without a tremendous drain on your resources.

              Step 1: Ensure there is a corporate policy in place related to business partner
              relationships

               Establishing a corporate policy for business partner relationships ensures that the requirements
               for data protection are clearly stated in high-level business terms and establishes the
               foundation for the business partner assessment program. The policy also lays the groundwork
               for enforcement and accountability.



              Step 2: Identify the types and risk profile of a majority of your partners

               One of the most common mistakes organizations make is trying to assess all of their business partners
               using the same approach. Not all business partners are created equal, and each type of partner should
               be assessed accordingly. A simple way to accomplish this quickly is to define business partner "tiers"
               based on inherent partner risk (e.g., High, Medium and Low). Develop a short set of questions that can
               be used to identify the inherent risk of a partner. A typical approach may include questions about:

                    •	         The amount and type of information shared with the partner
                    •	         The method used to share the information between the organizations
                    •	         What the partner does with the data once it is in the partner's possession
                    •	         The impact to the business if the partner were not available
                    •	         The financial impact that could result from the partner incurring a data breach
                    •	         The potential regulatory impact associated with the partner
                    •	         Anything else specific to your organization that helps determine the inherent risk profile
                               of a business partner

              The questions used to help us determine inherent business partner risk will not provide us with any
              information about the partner’s security posture; the goal is to understand the “out of the gate” risk
              the partner presents to the business. This will help us determine the level of effort we apply to each tier
              of partner as part of the assessment process. We want to ensure that we are spending the most time
              assessing the partners that present the most inherent risk.

              As a general rule of thumb, when determining which partners will be included in the different inherent
              risk categories, if more than 10-15% of your total partner population falls into the “high risk” category, you
              may want to consider reevaluating your criteria and scoring algorithms. As we will review in the upcoming
              sections, high-risk partners will require a substantial amount of effort, and having too large of a population
              of this type of relationship will compound some of the challenges described earlier. For example, it may be
              difficult to sustain a business partner assessment program that includes 30% of your partners being in the
              high-risk category, simply due to the amount of assessment time and remediation time required.


              Step 3: Establish the assessment type and frequency requirements for the different partner tiers

              Once we have developed our process for “tiering” our business partners, we now must establish the
              assessment requirements for each category and the necessary frequency of review. Below are some high-
              level examples of what the assessment activities may include for each category. The examples are by
              no means exhaustive or appropriate in all situations, but they should provide a foundation for the basic
              concept of increasing levels of assessment rigor based on inherent partner risk.




              Examples:

                    •	         Low-Risk level assessment -
                               This assessment type generally consists of an information security questionnaire only.
                               Because the relationship poses a low level of risk to the organization, a basic, high-level
                               questionnaire is used to determine the security posture of the extended business relationship.
                               The questionnaires vary slightly depending on the type of organization being reviewed and
                               are typically 50–200 questions in length. They are not intended to be exhaustive, but they
                               should give the organization a general understanding of the information security risks
                               related to an external partner. The questionnaires are typically emailed to the partner,
                               completed and returned. The focus at this level is to ensure that the questionnaires are
                               actually completed and returned and that the results are evaluated. Responses at this tier
                               are self-attested and unverified, which is acceptable precisely because the inherent risk is
                               low. Because the partner was determined to be a "low inherent risk," we are comfortable
                               spending only a minimal amount of time on the assessment (approximately 3–5 hours). This
                               approach ensures that we are not simply ignoring the partner, but that the time spent on
                               assessment is commensurate with the level of risk. Responses to the questionnaire may
                               require additional follow-up, but ultimately the level of effort spent on low-risk partners
                               should be small compared to the medium- and high-risk levels.

                    •	         Medium-Risk level assessment -
                               Increasing in rigor, this assessment typically consists of the same activities as the
                               low-risk assessment plus additional ones. Because the relationship poses more risk to the
                               organization, a questionnaire is still used to determine the security posture of the
                               extended business relationship, but other assessment activities are added as well. The
                               questionnaires at this level are typically more comprehensive, 100–300 questions, and
                               additional information may be requested from the partner, such as:
                                         –         Independent assessment reports
                                                    · SAS 70 (superseded in 2011 by SSAE 16 / SOC 1) reports
                                                    · PCI DSS Report on Compliance (ROC)
                                                    · Shared Assessments SIG or AUP*
                                                    · ISMS certification (e.g., ISO/IEC 27001)
                                                    · Third-party vulnerability assessments or
                                                      penetration tests
                                         –         Any supporting information that helps demonstrate
                                                    the security posture of the third party


              *http://www.sharedassessments.org
                               Generally at this level we also increase the amount of visibility and communication with
                               the business partner. This may include conference calls or even a site visit. By spending
                               more time interacting with the partner, more information is gained and a better
                               understanding of its risk profile can be formed. When reviewing independent reports,
                               confirm that the report's scope and reporting period actually cover the systems, locations
                               and services that handle your data; a report covering a different service line says little
                               about your relationship. In most cases, the time spent assessing a medium-risk partner is
                               approximately 10–20 hours, depending on its complexity.

                    •	         High-Risk level assessment -
                               Because of the high level of inherent risk these partners present to the organization, this
                               is where we focus the majority of our time and energy. This is not to suggest that the other
                               risk levels do not warrant attention; rather, consistent with the risk-based approach, we
                               concentrate most intensely on the high-risk relationships. The high-risk assessment typically
                               consists of the same activities as the medium-risk assessment plus additional ones. In
                               addition to a more comprehensive questionnaire and supporting documentation review, on-site
                               physical security reviews and interviews are strongly recommended, along with more general
                               on-site time for interviews, inquiry and analysis. Additionally, if there are technical
                               components to the relationship, we may include vulnerability assessments, penetration tests
                               and, potentially, targeted application assessments. Any such testing needs the partner's
                               written authorization and an agreed scope before it begins (see Step 5 on the right to
                               assess).

                               At this level the questionnaires are used primarily to prepare for on-site interviews with
                               key personnel at the business partner. Typically we would expect to spend approximately
                               80–120 hours, possibly more, assessing each of these partners. Referring back to our
                               recommendation about how many high-risk partners you should have, you can see why too large
                               a percentage will likely result in serious challenges for maintaining the program.

              Regarding frequency, as a general practice, low-risk level relationships can
              be revisited once every two years, whereas medium-risk and high-risk
              partners should be evaluated annually (unless specific regulations or other
              factors necessitate a more frequent analysis).

              An important note about partner tiers: Don’t forget to reassess the inherent
              risk of existing partners on an annual basis to ensure they are still properly
              categorized. Stakeholders within your business will often change the
              manner in which the partner is being used. They may increase the level
              and sensitivity of information being shared; there may be changes to the
              methods of data transmissions or other factors that could increase the level
              of inherent risk a business partner poses to the organization.
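               The tiering and scheduling logic of Steps 2 and 3, as an added example that is not part of the white
               paper: the question set above is scored with assumed weights on an assumed 0..3 scale, partners are
               placed in tiers by assumed cut-offs, the portfolio is checked against the 10–15% high-risk rule of
               thumb, and each tier is mapped to the effort band and review interval given above. The partner list is
               constructed for the example. Unanswered intake questions are deliberately scored as worst case so a
               partner cannot land in a lower tier by leaving the form incomplete.

```python
"""Inherent-risk tiering and assessment scheduling for business partners.

Added example, not code from the white paper. Scores the Step 2 question set
into a High/Medium/Low tier, checks the portfolio against the 10-15% high-risk
rule of thumb, and derives the Step 3 effort band and review interval per tier.
Weights, cut-offs, the 0..3 answer scale and the sample partners are assumptions.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

class Tier(str, Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"

# Step 2 question set; answers run 0 (none) .. 3 (severe). Weights are assumed.
QUESTIONS = (
    ("data_shared", 3),          # amount and type of information shared
    ("transfer_method", 1),      # how data moves between the organizations
    ("downstream_use", 2),       # what the partner does with the data
    ("availability_impact", 1),  # impact if the partner were unavailable
    ("breach_cost", 2),          # financial impact of a partner breach
    ("regulatory_impact", 2),    # regulatory exposure tied to the partner
)
MAX_SCORE = sum(3 * w for _, w in QUESTIONS)

# Step 3 profile per tier: (effort band in hours, review interval in months).
ASSESSMENT = {Tier.LOW: ((3, 5), 24), Tier.MEDIUM: ((10, 20), 12), Tier.HIGH: ((80, 120), 12)}

@dataclass
class Partner:
    name: str
    answers: dict = field(default_factory=dict)  # question id -> 0..3
    last_assessed: Optional[date] = None

def inherent_score(p: Partner) -> float:
    """Weighted score in 0..1. An unanswered question counts as the worst
    case, so an incomplete intake form cannot lower a partner's tier."""
    total = 0
    for qid, weight in QUESTIONS:
        ans = p.answers.get(qid, 3)
        if not 0 <= ans <= 3:
            raise ValueError(f"{p.name}: {qid} must be 0..3, got {ans}")
        total += ans * weight
    return total / MAX_SCORE

def tier_for(p: Partner, high_cut: float = 0.65, med_cut: float = 0.35) -> Tier:
    s = inherent_score(p)
    return Tier.HIGH if s >= high_cut else Tier.MEDIUM if s >= med_cut else Tier.LOW

def high_risk_share(partners) -> float:
    return sum(tier_for(p) is Tier.HIGH for p in partners) / len(partners)

def calibration_ok(partners, max_high_share: float = 0.15) -> bool:
    """Paper's rule of thumb: over 10-15% High means the scoring needs rework."""
    return high_risk_share(partners) <= max_high_share

def effort_hours(partners) -> tuple:
    """(min, max) assessment hours for one cycle over the whole portfolio."""
    bands = [ASSESSMENT[tier_for(p)][0] for p in partners]
    return sum(b[0] for b in bands), sum(b[1] for b in bands)

def _add_months(d: date, months: int) -> date:
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def next_review(p: Partner) -> Optional[date]:
    """Next assessment due date, from the tier's review interval."""
    if p.last_assessed is None:
        return None
    return _add_months(p.last_assessed, ASSESSMENT[tier_for(p)][1])

def reassess(p: Partner, new_answers: dict) -> tuple:
    """Annual inherent-risk re-tiering (the business may now share more
    sensitive data with the same partner). Returns (old_tier, new_tier)."""
    old = tier_for(p)
    p.answers = dict(new_answers)
    return old, tier_for(p)

def _mk(name, *vals, last=None):
    return Partner(name, dict(zip((q for q, _ in QUESTIONS), vals)), last)

# Constructed sample portfolio of ten partners; answers follow QUESTIONS order.
SAMPLE = [
    _mk("payroll-processor", 3, 2, 3, 2, 3, 3, last=date(2012, 1, 9)),
    _mk("office-supplies", 0, 0, 0, 0, 0, 0, last=date(2012, 1, 9)),
    _mk("marketing-agency", 1, 1, 1, 0, 1, 1), _mk("cloud-backup", 2, 2, 1, 2, 2, 2),
    _mk("call-center", 2, 1, 2, 1, 2, 2), _mk("landscaping", 0, 0, 0, 1, 0, 0),
    _mk("print-vendor", 1, 1, 1, 0, 1, 0), _mk("staffing-firm", 1, 2, 1, 1, 1, 2),
    _mk("catering", 0, 0, 0, 0, 0, 0), _mk("analytics-saas", 2, 1, 2, 1, 1, 1),
]

if __name__ == "__main__":
    print({p.name: tier_for(p).value for p in SAMPLE}, effort_hours(SAMPLE), calibration_ok(SAMPLE))
```

               On the sample portfolio one partner of ten lands in High (10%, within guidance) and a full cycle costs
               135–225 hours. Calling reassess() on a partner whose data-sharing grew during the year shows the annual
               re-tiering note in practice: one partner moving from Medium to High pushes the high-risk share to 20%
               and the per-cycle effort to 205–325 hours, which is exactly the calibration warning the rule of thumb
               is meant to raise.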




              Step 4: Follow up and remediation activities

               One of the common pitfalls of business partner assessment programs is the failure or inability to
               follow up with business partners on discovered issues and required remediation. Once issues are
               identified with a partner, it is imperative that those issues and the subsequent remediation activities
               are assigned to named owners for accountability and followed through to completion. Identifying a risk
               and then failing to ensure it is managed to your requirements, whether mitigated or formally accepted,
               works against the intent of developing the program in the first place; a documented finding that is
               neither remediated nor formally accepted is difficult to defend after an incident. Assigning internal
               "relationship managers," usually from the business area responsible for the partner relationship (or
               from information security or your project management office), to help manage the process is an
               effective way to ensure that partners are addressing security issues and that remediation activities
               are not falling through the cracks.

              Step 5: Ensure proper contract language exists

               Once the program has been established and the assessment criteria defined, it is necessary to ensure
               your information security requirements are built into your business partner contracts. When defining
               those requirements, be sure to include breach notification requirements and the right to assess
               (including on-site). These are two of the areas most commonly absent from third-party contracts. For
               the notification clause, state what counts as a reportable incident and the maximum time allowed for
               notification, and require the partner to flow the same obligations down to any subcontractors that
               handle your data.


      Benefits
               There are many benefits to developing and executing a business partner assessment program, from
               meeting regulatory and vertical-specific mandates to reducing the organization's risk profile. Even
               if your organization is not highly regulated, you may not be in a position to withstand the negative
               publicity that comes from a partner data breach. Reputation risk is critical to almost every
               organization, and when a data breach occurs as a result of partner negligence, the news outlets
               typically do not elaborate on the partner's involvement but focus on the fact that "Company X" (your
               organization) was responsible for losing sensitive information. That type of damage to your reputation
               can be difficult for many organizations to overcome.




      Conclusion
               With the outsourcing-focused business model that many organizations are leveraging, information security
               risks are introduced via external relationships, because almost any extended business partnership
               involves some data-sharing. While sharing sensitive data with business partners may reduce cost or
               increase efficiency in business operations, it also creates risks for the organization. This risk
               cannot be passed along to the business partner, and smart organizations will develop strategies for
               managing the risks associated with using business partners.

               An organization's security posture is only as strong as its weakest link, and an extended relationship
               is often that weak link. The outside services an organization leverages frequently require sharing
               sensitive data: critical proprietary data, employee or customer personally identifiable information, or
               other non-public information the organization has an obligation to protect. Organizations need to
               assess the risk associated with these relationships and make decisions about risk mitigation.

              With this paper, we hope to provide you and your organization with enough information to get your
              business partner assessment program “crawling” … maybe even “walking.” In our next white paper —
              Part 2 of this series, we will focus on enhancing the program, and expanding upon the benefits of a well-
              performing third-party assessment program. This will include:

                   •	         Casting the net – making sure that all third parties are included in the process
                   •	         Automation – how to use tools to automate some of the manual assessment processes
                   •	         Cost savings – exploring ways to leverage the program in a way that helps reduce third-party
                              expenditures across the organization
                   •	         Metrics and reporting – understanding key metrics and reporting options that can help
                              demonstrate a return on investment for the program
                   •	         Training and awareness – how to promote the program and educate the organization about the
                              requirements and benefits
                   •	         Process improvement – looking for ways to continuously evaluate and improve the third-party
                              assessment program



                                                                   About FishNet Security
                                           We focus on the threat so you can focus on the opportunity.
                                           FishNet Security, the No. 1 provider of information security solutions
                                           that combine technology, services, support and training, enables clients
                                           to manage risk, meet compliance requirements and reduce costs while
                                           maximizing security effectiveness and operational efficiency. For more
                                           information about FishNet Security, visit www.fishnetsecurity.com,
                                           www.facebook.com/fishnetsecurity and www.twitter.com/fishnetsecurity.


Managed Security For A Not So Secure World Wp090991
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
speaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaperspeaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaper
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respond
 
Reputational Risk
Reputational RiskReputational Risk
Reputational Risk
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
Outsourcing
OutsourcingOutsourcing
Outsourcing
 
Big Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouBig Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to You
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attention
 
PECB Webinar: Why every company needs a CISO?
PECB Webinar: Why every company needs a CISO?PECB Webinar: Why every company needs a CISO?
PECB Webinar: Why every company needs a CISO?
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 

Similar to Where Is Your Sensitive Data Wp

Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015CBIZ, Inc.
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Accenture Technology
 
Compliance & data security – the way we work
Compliance & data security – the way we workCompliance & data security – the way we work
Compliance & data security – the way we workPuneet Chopra
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...WCapra
 
Overcoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security ModelOvercoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security ModelOnRamp
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersBroadridge
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee StudyHiten Sethi
 
8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docx8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docxevonnehoggarth79783
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataSteven Schwartz
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Richard Brzakala
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
 
Looking Beyond GDPR Compliance Deadline
Looking Beyond GDPR Compliance DeadlineLooking Beyond GDPR Compliance Deadline
Looking Beyond GDPR Compliance Deadlineaccenture
 

Similar to Where Is Your Sensitive Data Wp (20)

Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
Compliance & data security – the way we work
Compliance & data security – the way we workCompliance & data security – the way we work
Compliance & data security – the way we work
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
A data-centric program
A data-centric program A data-centric program
A data-centric program
 
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
 
Overcoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security ModelOvercoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security Model
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker Dealers
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee Study
 
8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docx8242015 Combating cyber risk in the supply chain ­ Print Art.docx
8242015 Combating cyber risk in the supply chain ­ Print Art.docx
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal Data
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
 
Looking Beyond GDPR Compliance Deadline
Looking Beyond GDPR Compliance DeadlineLooking Beyond GDPR Compliance Deadline
Looking Beyond GDPR Compliance Deadline
 

More from tbeckwith

Threat Detect Hipaa Compliance
Threat Detect Hipaa ComplianceThreat Detect Hipaa Compliance
Threat Detect Hipaa Compliancetbeckwith
 
Dlp Methodology
Dlp MethodologyDlp Methodology
Dlp Methodologytbeckwith
 
Identity Access Management Fishnet Security
Identity Access Management Fishnet SecurityIdentity Access Management Fishnet Security
Identity Access Management Fishnet Securitytbeckwith
 
Fns Incident Management Powered By En Case
Fns Incident Management Powered By En CaseFns Incident Management Powered By En Case
Fns Incident Management Powered By En Casetbeckwith
 
Fishnet Security Overview
Fishnet Security   OverviewFishnet Security   Overview
Fishnet Security Overviewtbeckwith
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Securitytbeckwith
 
Fish Net Security Overview
Fish Net Security OverviewFish Net Security Overview
Fish Net Security Overviewtbeckwith
 
Hipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized ReportHipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized Reporttbeckwith
 

More from tbeckwith (8)

Threat Detect Hipaa Compliance
Threat Detect Hipaa ComplianceThreat Detect Hipaa Compliance
Threat Detect Hipaa Compliance
 
Dlp Methodology
Dlp MethodologyDlp Methodology
Dlp Methodology
 
Identity Access Management Fishnet Security
Identity Access Management Fishnet SecurityIdentity Access Management Fishnet Security
Identity Access Management Fishnet Security
 
Fns Incident Management Powered By En Case
Fns Incident Management Powered By En CaseFns Incident Management Powered By En Case
Fns Incident Management Powered By En Case
 
Fishnet Security Overview
Fishnet Security   OverviewFishnet Security   Overview
Fishnet Security Overview
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Security
 
Fish Net Security Overview
Fish Net Security OverviewFish Net Security Overview
Fish Net Security Overview
 
Hipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized ReportHipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized Report
 

Where Is Your Sensitive Data Wp

Newspapers and other media outlets report, almost daily, stories about corporate data loss. While organizations feel the negative financial and reputational impact of data breaches, growing organizations are not the only ones to realize there is a large problem with data security as it relates to the outsourcing/partnering model. The U.S. government, in addition to many state and international governments, has implemented legislation that requires organizations to assess the information security risks associated with their extended business relationships. Regulatory requirements and vertical-specific mandates such as HIPAA, GLBA and PCI, to name a few, all require the assessment of information security risks related to third-party relationships.

These factors have created a situation where organizations have a glaring need to assess the security of their extended business relationships, but they lack the in-house expertise or resources to execute these assessments. Given the need to avoid even the suggestion of risk to reputations and the potential imposition of sanctions or fines, many organizations are feeling increasing pressure to implement business partner assessment programs and the need to get started as soon as possible.

(Note: For purposes of this white paper, the term “business partner” will refer to any type of extended partner relationship, which may include: vendors, contractors or other third parties.)
The Challenges

When it comes to assessing the risks related to business partner information-sharing, most organizations are faced with several challenges. One of the primary challenges is not knowing where to start. Many organizations have hundreds, potentially thousands, of third-party relationships. How can an information security professional, tasked with helping protect the organization, possibly handle assessing the overwhelming number of the organization’s business partner relationships? There are so many different assessment methodologies and approaches out there to choose from; where does one begin?

Another challenge is resources. Most information security organizations are stretched thin as it is, and that’s without the added work of assessing the security risks associated with business partners. Managing business partner risk typically takes a backseat to other information security tasks. Some feel as if outsourcing certain business operations is a way to “outsource risk.” This is a dangerous approach, and could not be further from the truth. Sharing sensitive information with third parties does not exclude your organization from the standard obligations associated with data protection. In fact, the sharing of sensitive information with outside organizations increases your risk profile — and obligations. Claiming a lack of resources will not provide a defensible position in the face of a data breach or other information security-related incident.

If you are part of one of the few organizations that has a formal business partner assessment program, chances are that you are struggling with some of the many other challenges inherent in managing the program and business partner risk issues. Primarily: how to assess all of your partners, how to manage and address the mountains of assessment data, and how, specifically, partner issues should be handled.

What to do

Tackling the problem of where to begin does not have to be as daunting as it seems. By leveraging a risk-based “crawl, walk, run” approach, you can make enormous strides toward improving your business partner security profile in a short period of time, without a tremendous drain on your resources.

Step 1: Ensure there is a corporate policy in place related to business partner relationships

Establishing a corporate policy for business partner relationship requirements will ensure that the requirements for data protection are clearly stated in high-level business terms, and will establish the foundation for the business partner assessment program. The policy will also lay the groundwork for enforcement and accountability.
Step 2: Identify the types and risk profile of a majority of your partners

One of the most common mistakes that organizations make is trying to assess all of their business partners using the same approach. All business partners are not created equally, and accordingly, each type of partner should be assessed in a specific way. A simple method to accomplish this quickly and easily is to define business partner “tiers” based on inherent partner risk (e.g., High, Medium and Low). Develop a short set of questions that can be used to identify the inherent risk of a partner. A typical approach may include questions related to:

• Amount and type of information shared with the partner
• The method that is used to share the information between the organizations
• Understanding what the partner does with the data once it is in the partner’s possession
• Determining the impact to the business if the partner were not available
• Understanding the financial impact that could result from the partner incurring a data breach
• The potential regulatory impact associated with the partner
• Other questions specific to your organization that can help determine the inherent risk profile of a business partner

The questions used to help us determine inherent business partner risk will not provide us with any information about the partner’s security posture; the goal is to understand the “out of the gate” risk the partner presents to the business. This will help us determine the level of effort we apply to each tier of partner as part of the assessment process. We want to ensure that we are spending the most time assessing the partners that present the most inherent risk.

As a general rule of thumb, when determining which partners will be included in the different inherent risk categories, if more than 10-15% of your total partner population falls into the “high risk” category, you may want to consider reevaluating your criteria and scoring algorithms. As we will review in the upcoming sections, high-risk partners will require a substantial amount of effort, and having too large of a population of this type of relationship will compound some of the challenges described earlier. For example, it may be difficult to sustain a business partner assessment program that includes 30% of your partners being in the high-risk category, simply due to the amount of assessment time and remediation time required.

Step 3: Establish the assessment type and frequency requirements for the different partner tiers

Once we have developed our process for “tiering” our business partners, we now must establish the assessment requirements for each category and the necessary frequency of review. Below are some high-level examples of what the assessment activities may include for each category. The examples are by no means exhaustive or appropriate in all situations, but they should provide a foundation for the basic concept of increasing levels of assessment rigor based on inherent partner risk.
Examples:

• Low-Risk level assessment - This assessment type generally consists of some type of information security questionnaire only. Due to the low level of risk that the relationship poses to the organization, a basic, high-level questionnaire is used to determine the security posture of the extended business relationship. The types of questionnaires vary slightly depending on the type of organization being reviewed and they are typically 50–200 questions in length. The questionnaires are not intended to be exhaustive, but they should provide the organization with a general understanding of the information security risks related to an external partner. The questionnaires are typically emailed to a partner, then completed and returned. The focus at this level is to ensure that the questionnaires are being completed and returned and that the results are evaluated. Because the partner was determined to be a “low inherent risk,” we are comfortable only spending a minimal amount of time focusing on an assessment (approximately 3–5 hours). This approach helps to ensure that we are not simply ignoring the partner, but that the amount of time we spend with assessment is commensurate with the level of risk. There is the possibility that, based on responses to the questionnaires, additional follow-up is required, but ultimately, the level of effort spent with the low-risk partners should be small compared to the medium- and high-risk levels.

• Medium-Risk level assessment - Increasing in the level of rigor, this assessment typically consists of the same activities conducted in the low-risk level assessment, but then adds additional activities. Due to the increased level of risk that the relationship poses to the organization, a questionnaire is used to determine the security posture of the extended business relationship, but then other assessment activities can be added as well. The questionnaires used at this level are typically more comprehensive, 100–300 questions, and additional information may be requested from the partner, such as:
    ◦ Independent assessment reports
        ▪ SAS 70 (SSAE16)
        ▪ PCI/ROC
        ▪ Shared Assessment SIG or AUP*
        ▪ ISMS Certification
        ▪ Third-party vulnerability assessments or penetration tests
    ◦ Any supporting information that helps demonstrate the security posture of the third party

*http://www.sharedassessments.org
  Generally at this level, we increase the amount of visibility and communication with the business partner as well. This may include conference calls, or potentially even a site visit. By spending more time interacting with the business partner, more information can be gained, and a greater understanding of its risk profile can be determined. In most cases, the amount of time spent assessing the medium-risk level partners is approximately 10–20 hours, depending on their complexity.

• High-Risk level assessment - Based on the high level of inherent risk that these partners present to the organization, we want to ensure this is where we focus the majority of time and energy. Not to suggest that the other risk level relationships do not warrant attention, but sticking to our risk-based approach, we want to focus most intensely on the high-risk relationships. The high-risk level assessment typically consists of the same activities conducted in the medium-risk level assessment, but then adds additional activities. In addition to a more comprehensive questionnaire and supporting documentation reviews, on-site physical security reviews and interviews are strongly recommended, along with more general on-site time for interviews, inquiry and analysis. Additionally, at this level, if there are technical components to the relationship, we may want to include vulnerability assessments, penetration tests and, potentially, targeted application assessments. At this assessment level, the questionnaires are primarily used to help set up our on-site interviews with key personnel of the business partner being included. Typically, at this risk level, we would expect to spend approximately 80–120 hours, possibly more, assessing these partners.

Referring back to our recommendation regarding the number of high-risk level partners you have, you can see why having too large of a percentage will likely result in serious challenges for maintaining the program.

Regarding frequency, as a general practice, low-risk level relationships can be revisited once every two years, whereas medium-risk and high-risk partners should be evaluated annually (unless specific regulations or other factors necessitate a more frequent analysis).

An important note about partner tiers: Don’t forget to reassess the inherent risk of existing partners on an annual basis to ensure they are still properly categorized. Stakeholders within your business will often change the manner in which the partner is being used. They may increase the level and sensitivity of information being shared; there may be changes to the methods of data transmissions or other factors that could increase the level of inherent risk a business partner poses to the organization.
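The tiering, scheduling and effort logic of Steps 2 and 3 can be put into a small model so that the 10-15% high-risk rule of thumb and the annual hours it implies can be checked before a program is launched. The following is an added example written for this edit; it is not code from the white paper or from FishNet Security. The question set, the point values per answer, the tier thresholds (high_at, medium_at) and the sample partner population are assumptions made for illustration, since the paper names the question topics but gives no scoring algorithm. The per-tier hour ranges, the review intervals (annual for High and Medium, every two years for Low) and the high-risk population ceiling are the paper's own figures.

```python
"""Inherent-risk tiering, review scheduling and effort budgeting for business partners.

Added example, not the white paper's or FishNet Security's code. Answer point
values, tier thresholds and the sample population are assumptions; the tier
hour ranges, review intervals and the 15% high-risk ceiling follow the paper.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed answer-to-points maps, one per inherent-risk question topic in Step 2.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}
TRANSFER_METHOD = {"none": 0, "encrypted_sftp": 1, "api": 2, "email": 4}
PARTNER_RETENTION = {"transient": 0, "stores": 2, "stores_and_shares": 4}
AVAILABILITY_IMPACT = {"low": 0, "medium": 2, "high": 4}
BREACH_IMPACT = {"low": 0, "medium": 2, "high": 4}
REGULATORY_IMPACT = {"none": 0, "one": 2, "multiple": 4}

# Per-tier assessment profile (Step 3 figures): hours per assessment and review interval.
TIER_PROFILE = {
    "High": {"hours": (80, 120), "review_years": 1, "activities": "questionnaire, documents, on-site, technical testing"},
    "Medium": {"hours": (10, 20), "review_years": 1, "activities": "questionnaire, independent reports, calls or site visit"},
    "Low": {"hours": (3, 5), "review_years": 2, "activities": "questionnaire only"},
}
HIGH_RISK_CEILING = 0.15  # paper's rule of thumb: more than 10-15% High means re-tune the criteria
AS_OF = date(2012, 1, 9)  # constructed "today" for the schedule check


@dataclass
class Partner:
    name: str
    data: str           # key of DATA_SENSITIVITY
    transfer: str       # key of TRANSFER_METHOD
    retention: str      # key of PARTNER_RETENTION
    availability: str   # key of AVAILABILITY_IMPACT
    breach: str         # key of BREACH_IMPACT
    regulatory: str     # key of REGULATORY_IMPACT
    last_assessed: date


def inherent_score(p: Partner) -> int:
    """Sum the points for each answer; this says nothing about the partner's own controls."""
    return (DATA_SENSITIVITY[p.data] + TRANSFER_METHOD[p.transfer]
            + PARTNER_RETENTION[p.retention] + AVAILABILITY_IMPACT[p.availability]
            + BREACH_IMPACT[p.breach] + REGULATORY_IMPACT[p.regulatory])


def tier_for(score: int, high_at: int = 14, medium_at: int = 7) -> str:
    """Map a score to a tier. Thresholds are assumptions; tune them until population_check passes."""
    if score >= high_at:
        return "High"
    if score >= medium_at:
        return "Medium"
    return "Low"


def tier_partners(partners, high_at: int = 14, medium_at: int = 7) -> dict:
    return {p.name: tier_for(inherent_score(p), high_at, medium_at) for p in partners}


def population_check(tiers: dict):
    """Fraction of partners in High and whether it stays within the paper's ceiling."""
    high = sum(1 for t in tiers.values() if t == "High")
    fraction = high / len(tiers)
    return fraction, fraction <= HIGH_RISK_CEILING


def annual_effort_hours(tiers: dict):
    """Expected assessment hours per year (Low partners are only assessed every two years)."""
    lo = hi = 0.0
    for t in tiers.values():
        h_lo, h_hi = TIER_PROFILE[t]["hours"]
        years = TIER_PROFILE[t]["review_years"]
        lo += h_lo / years
        hi += h_hi / years
    return lo, hi


def next_review(p: Partner, tier: str) -> date:
    return p.last_assessed + timedelta(days=365 * TIER_PROFILE[tier]["review_years"])


def overdue(partners, tiers: dict, today: date) -> list:
    """Names of partners whose review date has passed, in any tier."""
    return sorted(p.name for p in partners if next_review(p, tiers[p.name]) < today)


# Constructed sample population (not real vendors).
SAMPLE = [
    Partner("payroll-processor", "regulated", "encrypted_sftp", "stores", "high", "high", "multiple", date(2010, 11, 1)),
    Partner("cloud-crm", "confidential", "api", "stores_and_shares", "high", "medium", "one", date(2011, 6, 15)),
    Partner("marketing-agency", "internal", "email", "stores", "low", "medium", "none", date(2011, 2, 1)),
    Partner("print-shop", "confidential", "email", "transient", "low", "medium", "none", date(2011, 9, 1)),
    Partner("shredding-service", "confidential", "none", "transient", "low", "medium", "one", date(2011, 3, 1)),
    Partner("translation-vendor", "internal", "email", "transient", "low", "low", "none", date(2009, 5, 1)),
    Partner("office-cleaning", "public", "none", "transient", "low", "low", "none", date(2011, 1, 1)),
    Partner("catering", "public", "none", "transient", "low", "low", "none", date(2010, 8, 1)),
]

if __name__ == "__main__":
    # Run the population check twice: with the initial thresholds and with a stricter High cut-off.
    for high_at in (14, 18):
        tiers = tier_partners(SAMPLE, high_at=high_at)
        frac, ok = population_check(tiers)
        print(f"high_at={high_at}: {tiers}")
        print(f"  High fraction {frac:.0%}, within ceiling: {ok}; annual hours {annual_effort_hours(tiers)}")
        print(f"  overdue as of {AS_OF}: {overdue(SAMPLE, tiers, AS_OF)}")
```

With the initial thresholds two of the eight sample partners land in High (25%), which the population check flags, and the annual budget is roughly 195–308 hours; raising high_at to 18 moves the CRM vendor to Medium, brings the High share to 12.5% and the budget to roughly 125–208 hours, which is the re-tuning the paper recommends when the High tier grows too large. The overdue list is the same in both runs because the review interval only changes when a partner crosses into or out of the Low tier.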
Step 4: Follow up and remediation activities

One of the common pitfalls for many business partner assessment programs is the failure or inability to follow up with your business partners regarding discovered issues and required remediation. It’s imperative that, once issues are identified with a partner, those issues and subsequent remediation activities are assigned to people for accountability purposes and that they are followed through until completion. Identifying risk and failing to ensure that risks are managed to your requirements, either mitigated or properly accepted, may actually function contrary to the intent of developing the program in the first place. Assigning internal “relationship managers,” usually from the business area responsible for the partner relationship (or even from information security or your project management office), to help manage the process is an effective way to help ensure the partners are addressing security issues and that remediation activities are not falling through the cracks.

Step 5: Ensure proper contract language exists

Once the program has been established, and the assessment criteria defined, it’s then necessary to ensure your information security requirements are built into your business partner contracts. When defining your information security requirements within the contracts, be sure to include breach notification requirements and the right to assess (including on-site). These are two of the areas that are commonly absent from third-party contracts.

Benefits

There are many benefits to developing and executing a business partner assessment program. From meeting regulatory and vertical-specific mandates to reducing the organization’s risk profile, developing this type of program has several invaluable benefits. Even if your organization is one that is not highly regulated, you may not be in a position to withstand the negative publicity that comes from a partner data breach incident. Reputation risk is critical to almost every organization, and when data breaches occur as a result of partner negligence, the news outlets typically do not elaborate on the partner’s involvement, but rather focus on the fact that “Company X” (your organization) was responsible for losing sensitive information. That type of negative impact to your reputation can be difficult for many organizations to overcome.
Conclusion

With the outsourcing-focused business model that many organizations are leveraging, information security risks are introduced via external relationships. The risk is that, with any extended business partnership, there is the possibility of data-sharing. While sharing sensitive data with business partners may reduce cost or lead to increased efficiencies in business operations, it also creates risks for the organization. This risk cannot be passed along to the business partner, and smart organizations will develop strategies for managing the risks associated with using business partners.

An organization’s security posture is only as strong as its weakest link, and an extended relationship is often that weak link. Many times the outside services being leveraged by an organization require sharing sensitive data. The data may be an organization’s critical proprietary data, employee or customer personally identifiable information, or other non-public information that the organization has an obligation to protect. Organizations need to assess the risk associated with these relationships and make decisions regarding risk mitigation.

With this paper, we hope to provide you and your organization with enough information to get your business partner assessment program “crawling” … maybe even “walking.” In our next white paper — Part 2 of this series, we will focus on enhancing the program and expanding upon the benefits of a well-performing third-party assessment program. This will include:

• Casting the net – making sure that all third parties are included in the process
• Automation – how to use tools to automate some of the manual assessment processes
• Cost savings – exploring ways to leverage the program in a way that helps reduce third-party expenditures across the organization
• Metrics and reporting – understanding key metrics and reporting options that can help demonstrate a return on investment for the program
• Training and awareness – how to promote the program and educate the organization about the requirements and benefits
• Process improvement – looking for ways to continuously evaluate and improve the third-party assessment program

About FishNet Security

We focus on the threat so you can focus on the opportunity. FishNet Security, the No. 1 provider of information security solutions that combine technology, services, support and training, enables clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. For more information about FishNet Security, visit www.fishnetsecurity.com, www.facebook.com/fishnetsecurity and www.twitter.com/fishnetsecurity.
