Gregory C. Rasner

Cybersecurity and Third-Party Risk



      Third Party Threat Hunting

       Gregory C. Rasner

      Third‐party risk (or supply‐chain security) is not a new discipline, and there are frameworks, regulatory directives, professional certifications, and organizations that all attest to its maturity. Cybersecurity could be considered more mature still, since it has existed in some form since computing came of age in the 1970s. Nowadays, it is even more complex in terms of frameworks, disciplines, certifications, regulatory guidance and directives, and avenues of study. Why, then, do the surveys indicate, time after time, that well over 50 percent of organizations do not perform any type of Third‐Party Risk Management (TPRM), and that even fewer have anything other than an ad hoc cybersecurity due diligence program for vendors? Reasons for this lack of attention and collaboration can be found in hundreds, if not thousands, of breaches and security incidents that were the result of poor third‐party oversight and a lack of any due diligence and due care for the vendors' cybersecurity.

      The book is designed not only to help you build a program, but to take an existing program from compliance checkbox work to an active threat‐hunting practice. Many programs that currently exist are designed and run as an obligation to “check a box” for a regulator or an internal auditor. Yet no one has ever secured their network or data by doing only what the regulators told them to do. Security is an ongoing activity, and its application to third‐party risk must be equally active and ongoing. The activities and results of a third‐party risk program should emulate those of a cyber operations or threat operations team, focusing its efforts on reducing cybersecurity threats externally, at the suppliers. Get away from checking boxes and filling out remote questionnaires, and take a risk‐based approach that engages your highest‐risk and/or most critical third parties in conversations that build trust and collaboration, lowering risk for both your organization and the vendor.

      Looking Ahead in This Book

      This book is divided into two sections. Section 1, titled “The Basics,” makes the case for a robust and active Cybersecurity Third‐Party Risk Management program and describes the necessary, basic due diligence activities and processes. These are not basic as in “simple,” but in the sense that they are the foundation required to build a mature program, which is covered in Section 2, titled “Next Steps.” That section details what comes next, after you have built the basic foundation: cyber legal language, cloud security, software security, connectivity security, offshore vendors, and how to build predictive reporting that focuses on the highest‐risk vendors.

      Chapter 1 opens with a detailed description of risk by using examples