Cybersecurity and Third-Party Risk
book

by Gregory C. Rasner
July 2021
Content level: Intermediate to advanced
480 pages
9h 38m
English
Wiley
Content preview from Cybersecurity and Third-Party Risk

Chapter 5: Onboarding Due Diligence

As part of Third‐Party Risk Management (TPRM), the first step in the due diligence lifecycle of a vendor takes place during intake. When a business identifies a new vendor, the business is required to perform an initial review of the vendor's risk domains. For the cybersecurity domain, this review is generally performed via a remote questionnaire or during question and answer (Q&A) sessions. Initially, an intake questionnaire, known as an Intake Risk Questionnaire (IRQ), should be provided to assess the initial risk. This list of questions should be short and should determine which risk domains are relevant and require due diligence.

Intake

During this part of the vendor lifecycle, the business has all the leverage. Once the contract is signed, good intentions aside, no one will want to renegotiate on stricter cybersecurity terms. Likewise, the items discovered at this point in the process (security gaps, process concerns, lack of required certifications, and due diligence findings) are all best resolved before contracts are signed. In many cases, even if the vendor cannot initially meet the security or other risk requirements by the time they are needed, the remediation of those items can be listed within the contract, with milestones tied to payments. These milestones require the cybersecurity teams to be actively engaged in the Intake process. See Figure 5.1, which illustrates that we are in the Onboarding phase.

Transparency is the approach needed for the intake; however, the process ...


Publisher Resources

ISBN: 9781119809555