book

Cybersecurity and Third-Party Risk

by Gregory C. Rasner

July 2021

Intermediate to advanced

480 pages

9h 38m

English

Wiley

Read now

Unlock full access

Who Will Benefit Most from This BookSpecial Features
The SolarWinds Supply‐Chain AttackThe VGCA Supply‐Chain AttackThe Zyxel Backdoor AttackOther Supply‐Chain AttacksProblem ScopeCompliance Does Not Equal SecurityThird‐Party Breach ExamplesConclusion
Cybersecurity Basics for Third‐Party RiskCybersecurity FrameworksDue Care and Due DiligenceCybercrime and CybersecurityConclusion
The Pandemic ShutdownSolarWinds Attack UpdateConclusion
Third‐Party Risk Management FrameworksThe Cybersecurity and Third‐Party Risk Program ManagementKristina Conglomerate (KC) EnterprisesConclusion
IntakeCybersecurity Third‐Party IntakeConclusion
Low‐Risk Vendor Ongoing Due DiligenceModerate‐Risk Vendor Ongoing Due DiligenceHigh‐Risk Vendor Ongoing Due Diligence“Too Big to Care”A Note on PhishingIntake and Ongoing Cybersecurity PersonnelRansomware: A History and FutureConclusion
On‐site Security AssessmentOn‐site Due Diligence and the Intake ProcessConclusion

What Is Continuous Monitoring?Enhanced Continuous MonitoringThird‐Party Breaches and the Incident ProcessConclusion
Access to Systems, Data, and FacilitiesConclusion
Why Is the Cloud So Risky?Conclusion
Legal Terms and ProtectionsCybersecurity Terms and ConditionsConclusion
The Secure Software Development LifecycleOn‐Premises SoftwareCloud SoftwareOpen Web Application Security Project ExplainedOpen Source SoftwareMobile SoftwareConclusion
Third‐Party ConnectionsZero Trust for Third PartiesConclusion
Onboarding Offshore VendorsCountry RiskKC's Country RiskConclusion
The DataLevel SetA Mature to Predictive ApproachThe Predictive Approach at KC EnterprisesConclusion

Content preview from Cybersecurity and Third-Party Risk

Chapter 7On‐site Due Diligence

The act of going to a vendor site and performing due diligence is an investment in time, resources, and money, and is best left for vendors that a company has determined require this level of commitment. KC Enterprises reserves on‐site assessments for high‐risk vendors and moderate‐risk ones that meet a certain risk category. Vendors with data in a Cloud Service Provider (CSP), such as Google, Azure, or AWS, also will get on‐site assessment due to the risks surrounding the Shared Responsibility model.

The system of record notes both the risk level and last on‐site due diligence visit when required. KC averages 50 vendors in the high‐risk category year after year and another 10 in moderate risk who fit the criteria for a trip to the vendor directly. As business operates normally, some third parties are dropped for others or their relationship changes and they drop to a lower risk category.

This due diligence effort intentionally stays away from checklists. The visit to the vendor, where you are physically at their location and having eye contact with them, is an opportunity that a checklist sent via a portal cannot provide. The purpose and training of the senior analysts who perform this verification visit are taught primarily through on‐the‐job training with leadership emphasis on vendors as partners. (More about job training for this KC role will be discussed later on.)