One Article Review

Source AlienVault Blog
Identifier 1549139
Publication date 2020-02-18 13:00:00 (viewed: 2020-02-18 13:01:50)
Title Why vendor management is a cornerstone of security
Text When it comes to building a security program, one of the most frequently overlooked areas is vendor management. Organizations focus significant resources on internal security, such as vulnerability scans, centralized log management, or user training, while not extending the same diligence to their third parties. Organizations end up trusting the security of their network and data to an unknown and untested third party. As we all know, a chain is only as strong as its weakest link. If an organization cannot verify the security of its third parties, then it has introduced the potential for risk and reduced the information assurance of its systems. It is essential to realize that even if the cause of a breach is a third party, it is still your company’s name and brand that is at risk. The potential cost associated with a breach can include:
- Fines
- Loss of trust
- Brand damage
- Data loss

What damage can vendors do?

Despite the warning above, you may still be thinking, “what damage could my vendors really do?”. The answer to that question will vary based on the access, control, and data you provide to them. For example, if your office caterer was breached, the overall risk to the organization is easily contained by simply canceling whatever card you offered them. On the other hand, if you have a third-party accountant or lawyer, you could be exposed to much more damage. In this example, you would be releasing highly private and potentially valuable data into unknown systems, with unknown controls and unknown users. This line of thinking can apply to any organization and any vendor, regardless of size or industry, and can help you identify where to focus your efforts. Any vendor that has access to your systems or data is inherently a risk to your company. Every threat or vulnerability you face, your vendors will also face. Are you confident they take these threats as seriously as you do? Or are they even aware of them?
Regardless of how confident you may feel, I highly recommend you continue reading! The rest of this article is dedicated to providing tips and advice for building a program to assess, vet, and remediate risks related to your third parties.

What can you do?

Now that you understand the risks vendors pose to your organization, you need to determine what you can do to help reduce them. There are a few steps any organization can take to develop a more robust stance on vendor management. It must be noted that to build a truly effective and mature program you must be willing to dedicate the time and resources to do it right. I have broken out the necessary steps below and have provided advice for what these steps should cover. A vendor management program should have, at a minimum, the following components:

Policy – A vendor management policy should cover the purpose behind assessing vendors, staff responsibilities, communication channels, and other core components of the overarching program.

Procedures – Along with the policy, your organization will need several defined procedures to implement and manage the vendor management program effectively. These procedures can include:
- Assessment outlines/workflows
- Documentation management
- Evidence requirements
The processes you create should be relevant to the size and scope of your program and must fit your general operations.

Rankings – To ensure that resources are used effectively, you must come up with a ranking system to classify your vendors. While there is no ‘right’ answer to ranking vendors, a few metrics you can use to determine criticality are:
- Sensitivity of data they receive
- Volume of data they receive
- Importance of service they provide
These can be used by themselves or combined to fo
Sent Yes
Tags Vulnerability Threat
Rating ★★★★
The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.