Cybersecurity and Third-Party Risk
by Gregory C. Rasner
July 2021
Content level: Intermediate to advanced
480 pages
9h 38m
English
Wiley
Content preview from Cybersecurity and Third-Party Risk

Chapter 11: Cybersecurity and Legal Protections

Cybersecurity third-party risk is not confined to due diligence efforts and security evaluations. One of the key components of lowering cybersecurity risk as a company is to use contract language that addresses this risk. This is not to say that cybersecurity professionals also need to be attorneys for their respective firms; rather, a cybersecurity team must be prescriptive to the legal team about what security controls need to be met by vendors prior to contract signatures and execution. Cybersecurity begins with defining the security standards for third parties—the criteria for when cybersecurity language is appropriate. Those definitions are then taken further by defining the criteria for when cybersecurity is engaged for legal terms and conditions. There must be a clear definition of how the process is completed, and a defined process for when there is a Risk Acceptance (RA) for any item(s) that present a risk to the organization.

Legal Terms and Protections

Starting with a Security Standard or Policy, the cybersecurity team lays out exactly what a vendor is required to meet. While the actions surrounding this have been covered in previous chapters, this chapter discusses the legal terms and protections that cover the domains of access management, encryption, vulnerability management, patching cadence, right to perform audits/assessments, privacy, data center security, and so on. As the standards are written, they are linked ...

Publisher Resources

ISBN: 9781119809555