Monday 1 August 2022

Third Party

INFOSEC


Delivering the range of vCISO services for Nettitude including:

- Policies and governance documentation
- Risk assessments
- Internal Audits
- Cyber Incident Preparedness
- Cyber Resilience strategies
- Security technology optimisation reviews
- Security elements of Data Privacy and Protection
- Strategy setting, program and project management

Working with a global team of information security consultants on a variety of consultancy, retained and embedded engagements, such as Interim CISO (as well as vCISO), vDPO services, Third Party Risk Management (TPRM), governance documentation, incident response preparedness, cyber resilience strategies, cyber risk assessments and board-level cyber engagements, both in the UK and around the world. Delivering ISO 27001, NCSC, PCI DSS and NIST CSF assessments, analyses, reviews and remediation/improvement strategies.


  • Policies, Standards, Guideline and Procedures
  • Risk Assessments
  • Third Party risk management
  • Framework management and maintenance
  • Incident Response planning and management
  • Reporting Material for the office of the CISO Group
  • Control monitoring and surveillance
  • Regulatory Affairs / Audit Management
  • Training and Awareness

  • Develop and manage the IS Policies, Standards, Guidelines and Procedures in alignment with the standard framework and Headquarters requirements.
  • Lead the development and implementation of effective and reasonable policies and practices to secure sensitive data and ensure security and compliance with contracts, regulatory requirements, and industry standards.

  • Integrate IS risk reporting and aggregate reporting into the Enterprise risk framework. Brief the CISO and report critical issues that may affect business or enterprise IS objectives.
  • Develop strategies and action plans to drive control maturity improvement in areas where controls do not adequately mitigate risks.
  • Partner with cyber architecture and engineering teams to develop risk mitigation strategies, solutions, and recommendations to reduce components, systems, or enterprise security risk.

Manage the third-party IS risk assessment process to ensure risk transparency and business acceptance, contractual obligations and due diligence assessments, and to enable risk-based decision making in support of the Bank's Third Party Risk Program.

  • Develop, assess, support and sustain the IS framework against ISO 27001, NIST SP 800-53, the NIST Cybersecurity Framework, FFIEC CAT, NYDFS 23 NYCRR 500, etc.
  • Manage the IS framework using a GRC platform such as ServiceNow.
  • Manage the Bank's Incident Response Plan and act as the plan's point of contact (POC).
  • Work with other Bank departments to ensure their respective playbooks are properly developed and aligned with the Bank's Incident Response Plan.
  • Act as the Bank's IS Incident Response Handler, responsible for responding to security incidents, threats and vulnerabilities through analysis of event logs, computer artefacts and other data sources to contain and resolve incidents, provide recommendations for remediation and determine root cause.
  • Training
  • Vulnerability scans, as well as the identification of vulnerabilities in the current network
  • Assess vulnerabilities and recommend a course of action to mitigate identified risks
  • Internal IT risk assessments
  • Cyber security gap analysis
  • External risk assessments

  • Develop and manage the Information Security budget and expenses
  • Document and assess any security breaches and their resolution
  • Maintain and evolve cybersecurity industry contacts
  • Educate colleagues about security software and best practices for information security


  • NIST CSF – The US National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
  • CIS – The Center for Internet Security Critical Security Controls
  • ISO/IEC 27001 and 27002 – The International Organization for Standardization (ISO) and IEC standards for information security management systems and the controls that support them

Seven common cybersecurity frameworks:

1. NIST Cybersecurity Framework
2. ISO 27001 and ISO 27002
3. SOC 2
4. NERC CIP
5. HIPAA
6. GDPR
7. FISMA

ISO 27001 certification is widely treated as the international benchmark for validating an information security management system, internally and across third parties. ISO 27002 is the accompanying code of practice for implementing the controls; it is guidance only and is not itself certifiable.

SOC 2

SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) under which an independent CPA firm reports on whether a service organisation's controls meet the Trust Services Criteria, helping customers verify that vendors and partners manage their data securely. A Type I report covers the design of controls at a point in time; a Type II report also covers their operating effectiveness over a review period, commonly six to twelve months, and is what most customers ask a vendor for.

SOC 2 is organised around five Trust Services Criteria: security (mandatory in every report), availability, processing integrity, confidentiality and privacy, with the optional criteria chosen according to the services in scope. Each criterion expands into dozens of points of focus against which the auditor tests the vendor's systems and controls. A Type II engagement, including its observation period, can take the better part of a year, after which the report attests to the vendor's control posture for that period.

Because of its breadth, SOC 2 is one of the more demanding frameworks to implement, especially for organisations in finance or banking, which are held to a higher compliance standard than other sectors. Nevertheless, it is an important framework, and a current SOC 2 Type II report should be a standard request in any third-party risk management programme. Read the report's scope, the auditor's exceptions and the complementary user entity controls rather than treating its existence as a pass.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a US law rather than a framework in the strict sense; its Security Rule requires covered entities and their business associates to implement administrative, physical and technical safeguards for electronic protected health information (ePHI). Beyond demonstrating cyber best practices, such as workforce training, organisations in the sector must conduct and document periodic risk analyses to identify and manage emerging risk.

GDPR

GDPR applies to the personal data of individuals in the EU and requires organisations, wherever they are established, to protect the security and privacy of that data. It does not prescribe particular technologies: Article 32 requires "appropriate technical and organisational measures" proportionate to the risk, and names pseudonymisation and encryption as examples. In practice this is met with controls such as restricting unauthorised access to stored data, least privilege, role-based access and multifactor authentication.

The General Data Protection Regulation (GDPR) was adopted in 2016 and has applied since 25 May 2018, strengthening data protection practice for people in the European Union (EU). It binds every organisation established in the EU and, through its extraterritorial scope, any organisation outside the EU (US businesses included) that offers goods or services to people in the EU or monitors their behaviour, regardless of those people's citizenship.

The regulation's 99 articles set out a company's compliance responsibilities, including data subjects' rights (access, rectification, erasure and portability among them), data protection policies and procedures, and breach notification: a personal data breach must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals.

1. Organizational Framework and Governance model – An active governance structure that drives accountability into the day-to-day operating fabric ensures business owners have the proper degree of granular visibility into risks that really matter.  Armed with options on what to do about them, business owners can make intelligent decisions on what remediation efforts to fund. 

2. Risk Profile and Reporting Framework – A set of rationalized processes for the prioritization of key risk and compliance requirements supports GRC reporting across the organization, and to the board. A practical categorization of risk types, threat communities, information, and data classification brings context to risk reporting and decision-making. 

3. GRC Diagnostics – Qualitative and quantitative assessments that follow a common risk and compliance identification and analysis process, supported by consistent controls reviews and testing, provide objective diagnostics required for meaningful decisions on treatment strategies.

4. Risk and Compliance Monitoring Program – Monitoring policies, controls, threats and vulnerabilities against standards and acceptable thresholds provides visibility into risk and compliance profiles on a consistent basis. Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), Key Control Indicators (KCIs) provide early warning alerts that permit organizations to be proactive in their response.

5. GRC Program Optimization – Continuous improvement, communication and awareness programs drive adaption as the external environment presents new and emerging risks and compliance requirements.  Knowledge sharing across stakeholders on the appropriate best practices supports evolution to a target maturity level that is optimal for the organization.

6. Technology Enabling Platform and tools - A technology eco-system that supports a central, secure repository of requirements, policies, control standards, risk analysis, and control test results provides a solid foundation for streamlined workflow, analytics, and reporting.

A well-designed and coherent GRC Framework helps organizations prioritize and respond to risks and compliance requirements with a collaborative and efficient governance process.

Call to Action: An exercise I often use with clients is reviewing the framework, element by element, and marking it up with red, yellow and green to see where your organization is weak, and then looking at which elements will be key enablers for your GRC Program. Using a GRC Framework model in this way helps prioritize what you need to focus on now in order to deliver real value.

Try this: Review this GRC Framework (or something like it) with some of your key stakeholders and get their assessment of what’s truly important, what they would like to see good progress on, and how they can help. At the very least, you’ll get another perspective on priorities and needs - that will keep you driving your GRC program in the right direction.


An IT risk assessment involves four key components. We’ll discuss how to assess each one in a moment, but here’s a brief definition of each:

  • Threat — A threat is any event that could harm an organization’s people or assets. Examples include natural disasters, website failures and corporate espionage.
  • Vulnerability — A vulnerability is any weak point that could allow a threat to cause damage. For example, outdated antivirus software is a vulnerability that can let a malware attack succeed, and a server room in the basement is a vulnerability that increases the chance of a hurricane or flood ruining equipment and causing downtime. Other examples include disgruntled employees and ageing hardware. The NIST National Vulnerability Database (NVD) catalogues publicly disclosed vulnerabilities in specific products (CVEs); the MITRE CWE list catalogues the underlying classes of code-level weakness.
  • Impact — Impact is the total damage the organization would incur if a vulnerability were exploited by a threat. For example, a successful ransomware attack could result in not just lost productivity and data recovery expenses, but also disclosure of customer data or trade secrets that results in lost business, legal fees and compliance penalties.
  • Likelihood — This is the probability that a threat will occur. It is usually not a specific number but a range.

 

The risk equation

We can understand risk using the following equation:

Risk = Threat x Vulnerability x Asset

Although risk is represented here as a formula, it is not about numbers; it is a logical construct. For example, suppose you want to assess the risk associated with the threat of attackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution) and the asset is critical, your risk is high. If you have good perimeter defences so that your vulnerability is low, then even though the asset is still critical, your risk drops to medium.

This isn't strictly a mathematical formula; it's a model for understanding how the components that determine risk relate to one another:

  • Threat is short for "threat frequency": how often an adverse event is expected to occur. For example, the threat of being struck by lightning in a given year is about 1 in 1,000,000.
  • Vulnerability is shorthand for "the likelihood that a vulnerability will be exploited and a threat will succeed against an organization's defenses." What is the security environment in the organization? How quickly can damage be contained if a breach does occur? How many employees does the organization have, and what is the probability of any one of them becoming an insider threat?
  • Asset is measured as cost: the total financial impact of a security incident. It includes hard costs, like damage to hardware, and soft costs, such as lost business and consumer confidence. Other costs can include:
    • Data loss — Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
    • System or application downtime — If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
    • Legal consequences — If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection security requirements of HIPAA, PCI DSS or other compliance
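The risk model above can be carried through as a small calculator that keeps the page's own reading of the three factors: Threat as an annual event frequency, Vulnerability as the probability that an event succeeds against current defences, and Asset as the cost of one successful event. Because likelihood is usually a range rather than a point value, every factor is entered as a (low, high) interval and the result is an interval of expected annual loss, which is then mapped to the qualitative high/medium/low labels used in reporting. This is an added example and not code from the original page; the scenario figures, the band thresholds and all function names are assumptions constructed for illustration.

```python
"""Risk = Threat x Vulnerability x Asset, evaluated over ranges.

Added example (not from the original page). Figures and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Optional

Interval = tuple  # (low, high) bounds, because the page notes that likelihood is a range


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_per_year: Interval   # Threat: how often the adverse event is expected to occur each year
    vulnerability: Interval     # Vulnerability: probability the event succeeds against current defences
    asset_cost: Interval        # Asset, measured as cost: financial impact of one successful event


def _check(label: str, iv: Interval, upper: Optional[float] = None) -> None:
    """Reject malformed intervals (negative, inverted, or probabilities above 1)."""
    lo, hi = iv
    if lo < 0 or hi < lo or (upper is not None and hi > upper):
        raise ValueError(f"{label}: bad interval {iv}")


def expected_annual_loss(s: Scenario) -> Interval:
    """Interval arithmetic on the risk model.

    All three factors are non-negative, so the product is monotone in each of them:
    the lowest loss uses every low bound and the highest loss every high bound.
    """
    _check("threat_per_year", s.threat_per_year)
    _check("vulnerability", s.vulnerability, upper=1.0)
    _check("asset_cost", s.asset_cost)
    t_lo, t_hi = s.threat_per_year
    v_lo, v_hi = s.vulnerability
    c_lo, c_hi = s.asset_cost
    # Round to cents so floating-point noise does not leak into the band boundaries.
    return (round(t_lo * v_lo * c_lo, 2), round(t_hi * v_hi * c_hi, 2))


# Assumed qualitative bands in currency units of expected loss per year. An
# organisation would set these from its own risk appetite; they are not from the page.
BANDS = ((10_000, "low"), (100_000, "medium"), (float("inf"), "high"))


def band(loss: float) -> str:
    """Map an expected annual loss to the qualitative label used in risk reporting."""
    for upper, label in BANDS:
        if loss < upper:
            return label
    raise AssertionError("unreachable: the last band is open-ended")


def rate(s: Scenario) -> dict:
    """Summarise one scenario: loss bounds plus the band (or band range) they fall in."""
    lo, hi = expected_annual_loss(s)
    b_lo, b_hi = band(lo), band(hi)
    return {"name": s.name, "low": lo, "high": hi,
            "band": b_lo if b_lo == b_hi else f"{b_lo} to {b_hi}"}


def prioritise(scenarios) -> list:
    """Order a risk register by worst-case expected loss, highest first."""
    ranked = sorted(scenarios, key=lambda s: expected_annual_loss(s)[1], reverse=True)
    return [s.name for s in ranked]


# Constructed figures for the page's own comparison: the same critical system, once
# with no firewall or antivirus and once behind good perimeter defences, plus the
# page's lightning example (about one in a million per year) for scale.
CRITICAL_ASSET: Interval = (500_000, 1_000_000)
WEAK = Scenario("Weak perimeter", threat_per_year=(1, 2),
                vulnerability=(0.5, 0.9), asset_cost=CRITICAL_ASSET)
STRONG = Scenario("Hardened perimeter", threat_per_year=(1, 2),
                  vulnerability=(0.02, 0.04), asset_cost=CRITICAL_ASSET)
LIGHTNING = Scenario("Lightning strike", threat_per_year=(1e-6, 1e-6),
                     vulnerability=(1.0, 1.0), asset_cost=(50_000, 200_000))

if __name__ == "__main__":
    for scenario in (WEAK, STRONG, LIGHTNING):
        print(rate(scenario))
    print("priority:", prioritise([LIGHTNING, STRONG, WEAK]))
```

With these constructed inputs the weak perimeter lands in the high band at both bounds and the hardened perimeter in the medium band, which is the qualitative conclusion the text reaches; the lightning scenario shows how a critical-looking impact is driven to the low band by a tiny threat frequency. The point of the interval form is that a risk whose bounds straddle two bands ("medium to high") is flagged as needing better data before a treatment decision, rather than being collapsed to a single misleading score.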

  • Threat intelligence team
  • Information technology
  • Compliance and risk management teams
  • Business leaders and SMEs
  • Security architecture and operations
  • Audit team

What is SOC 2 and why do we need it?

SOC 2 is an attestation examination and report performed under the AICPA's SSAE (Statement on Standards for Attestation Engagements, currently SSAE 18). It is one of the most common compliance requirements a service provider must meet to be competitive in today's market. A SOC 2 report gives customers an independent auditor's opinion on whether the provider's controls meet the Trust Services Criteria in scope, which is why it has become the default evidence of security posture for cloud and SaaS vendors.

What are the 14 categories of ISO 27001 controls?

Annex A of ISO/IEC 27001:2013 comprises 114 controls grouped into 14 categories, each stating the control objective it serves in improving your information security. (The 2022 revision of the standard restructures Annex A into 93 controls under four themes: organisational, people, physical and technological.) The 14 categories are:

1. Information Security Policies
2. Organisation of Information Security
3. Human Resources Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operational Security
9. Communications Security
10. Systems Acquisition, Development and Maintenance
11. Supplier Relationships
12. Information Security Incident Management
13. Information Security Aspects of Business Continuity Management
14. Compliance

As part of establishing an ISMS, organisations should also consider related standards in the ISO 27000 family, such as:

  • ISO/IEC 27002:2013 - Code of practice for information security controls
  • ISO/IEC 27003 - Information security management system implementation guidance
  • ISO/IEC 27004 - Information security management - Measurement
  • ISO 31000:2018 - Risk management - Guidelines (the current edition, superseding ISO 31000:2009)

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Consisting of 197 control objectives organized into 17 domains, the CCM focuses solely on cloud computing. The 17 domains include:

  • Audit & Assurance
  • Application & Interface Security
  • Business Continuity Management & Operational Resilience
  • Change Control & Configuration Management
  • Cryptography, Encryption & Key Management
  • Datacenter Security
  • Data Security & Privacy Lifecycle Management
  • Governance, Risk Management & Compliance
  • Human Resources
  • Identity & Access Management
  • Interoperability & Portability
  • Infrastructure & Virtualization Security
  • Logging & Monitoring
  • Security Incident Management, E-Discovery, & Cloud Forensics
  • Supply Chain Management, Transparency & Accountability
  • Threat & Vulnerability Management
  • Universal Endpoint Management