book

Cybersecurity and Third-Party Risk

by Gregory C. Rasner

July 2021

Intermediate to advanced

480 pages

9h 38m

English

Wiley

Read now

Unlock full access

Who Will Benefit Most from This BookSpecial Features
The SolarWinds Supply‐Chain AttackThe VGCA Supply‐Chain AttackThe Zyxel Backdoor AttackOther Supply‐Chain AttacksProblem ScopeCompliance Does Not Equal SecurityThird‐Party Breach ExamplesConclusion
Cybersecurity Basics for Third‐Party RiskCybersecurity FrameworksDue Care and Due DiligenceCybercrime and CybersecurityConclusion
The Pandemic ShutdownSolarWinds Attack UpdateConclusion
Third‐Party Risk Management FrameworksThe Cybersecurity and Third‐Party Risk Program ManagementKristina Conglomerate (KC) EnterprisesConclusion
IntakeCybersecurity Third‐Party IntakeConclusion
Low‐Risk Vendor Ongoing Due DiligenceModerate‐Risk Vendor Ongoing Due DiligenceHigh‐Risk Vendor Ongoing Due Diligence“Too Big to Care”A Note on PhishingIntake and Ongoing Cybersecurity PersonnelRansomware: A History and FutureConclusion
On‐site Security AssessmentOn‐site Due Diligence and the Intake ProcessConclusion

What Is Continuous Monitoring?Enhanced Continuous MonitoringThird‐Party Breaches and the Incident ProcessConclusion
Access to Systems, Data, and FacilitiesConclusion
Why Is the Cloud So Risky?Conclusion
Legal Terms and ProtectionsCybersecurity Terms and ConditionsConclusion
The Secure Software Development LifecycleOn‐Premises SoftwareCloud SoftwareOpen Web Application Security Project ExplainedOpen Source SoftwareMobile SoftwareConclusion
Third‐Party ConnectionsZero Trust for Third PartiesConclusion
Onboarding Offshore VendorsCountry RiskKC's Country RiskConclusion
The DataLevel SetA Mature to Predictive ApproachThe Predictive Approach at KC EnterprisesConclusion

Content preview from Cybersecurity and Third-Party Risk

Chapter 4Third‐Party Risk Management

Third Party Risk Management (TPRM) is the process of identifying, assessing, and controlling risks presented through the lifecycle of a relationship with third parties. The Office of the Comptroller of the Currency (OCC) defines a third‐party relationship as any business arrangement between a company and another entity, by contract or otherwise. Third parties can perform any number of activities and services both internally and externally at a company, from landscaping and cleaning services, to managing intellectual property, processing customer data, outsourcing business functions, and countless other activities. Businesses also use third parties to grow their existing business (i.e., to attract and grow the customer base) or to improve efficiencies internally (i.e., to allow staff to work smarter, not harder).

The average company has nearly 600 vendors who have access to customer personal identifiable information (PII). On average, nearly 90 vendors can access a company's network on a weekly basis. Because they have access to your customer data or your network, performing due diligence on your third parties is crucial. TPRM amasses all the relevant information from the vendor to gather, review, and provide guidance on their risks. It is an end‐to‐end process, from the intake of the vendor to their offboarding when their service is no longer needed.

Five main areas make up Third Party Risk Management: