RISK ASSESSMENT FOR EXTERNAL VENDORS Luciano Ferrari, CISSP, MBA - PowerPoint PPT Presentation

SLIDE 1

RISK ASSESSMENT FOR EXTERNAL VENDORS

Luciano Ferrari, CISSP, MBA lferrari@lufsec.com www.lufsec.com November, 2013

SLIDE 2

Risk Assessment is Difficult

  • Multiple scenarios
  • Interpreted as a negative activity
  • Single method/tool not practical
  • Requires key competencies

SLIDE 3

Categorize your cases

  • Standardization/Consistency is good
  • Less complexity, less risk
  • Experience is a key element

SLIDE 4

Prerequisites for selecting a toolbox

  • Typical use cases for Risk Assessment
  • The various approaches for risk assessments
  • The characteristics of available methods/tools

Gather info → Analyze → Report

SLIDE 5

Selecting the tools/methods

Analyze primary use cases

  • Characterize use cases
  • Group similar use cases
  • Aim for three to five

Map against assessment model

  • Characterize typical assessment methods
  • Map against case requirements

Derive evaluation criteria

  • Functionality criteria
  • Practicality, actionability and compatibility requirements

Select tools/approaches

  • 2-4 that will satisfy most cases

SLIDE 6

Examples – functionality assessment

Case                 | Project/Procurement                         | DRP/BCP                                     | ERM Rollup/Compliance                       | Security Prioritization
Explore: People      | One-to-one interviews and scenario planning | Survey questionnaire                        | Scenario planning and collective brainstorm | Survey questionnaire and one-to-one interviews
Explore: Systems     | Risk inventory                              | Vulnerability analysis and threat inventory | Threat inventory                            | Threat inventory
Assess: Qualitative  | What-if modeling                            | Deviance and intuitive                      | Ranking and intuitive                       |
Assess: Quantitative | Automated calculation                       |                                             |                                             |
Express              | Absolute/scalar ALE                         | Scenarios                                   | Dashboard and heat map                      | Heat map and projects/actions

SLIDE 7

Tools/Methods

(columns: Explore, Assess, Express)

FRAP
  Explore: Collective brainstorm (facilitated workshop)
  Assess: Intuitive/discussion/ranking, deviance
  Express: Scenarios and actions

ISF SARA and SPRINT
  Explore: Questionnaires/scorecards
  Assess: Quantitative: Intuitive/discussion, deviance from controls/standards
  Express: Scorecards

ISF IRAM
  Explore: Workshops
  Assess: Qualitative: Scenario-based discussion/brainstorm
  Express: Status reports and controls

Citicus ONE
  Explore: Questionnaires/scorecards
  Assess: Qualitative: Intuitive, deviance from controls/standards
  Express: Status/heat maps, action plan

OCTAVE
  Explore: Collective brainstorm (facilitated workshop)
  Assess: Qualitative: Intuitive against threat profile, catalog of vulnerabilities
  Express: Action scenarios, projects/actions

GRAM
  Explore: Scenario planning
  Assess: Qualitative: Delphic what-if modeling
  Express: Scenarios

RiskWatch
  Explore: Survey questionnaire
  Assess: Qualitative: Deviance from standards. Quantitative: Monte Carlo simulation
  Express: Risk status reports, absolute ALE, return on investment, actions

CRAMM
  Explore: Asset register, threat/vulnerability inventory, questionnaire, workshop
  Assess: Qualitative: Deviance, what-if modeling, automated calculation. Qualitative: BIA
  Express: Actions, scenarios: controls, risk profile, register, risk score
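The quantitative path that several of the tools above offer (absolute ALE, Monte Carlo simulation, return on investment) is easy to reproduce without a commercial product. The following is an added example, not code from the presentation or from any of the tools listed: it computes ALE from single loss expectancy and annualised rate of occurrence, ranks scenarios for prioritization, simulates the annual loss distribution with a Monte Carlo run, and prices a control. The two scenarios, their loss figures and frequencies are constructed for illustration.

```python
"""Quantitative vendor risk: ALE, a Monte Carlo annual-loss simulation and
control ROI.  Added example, not code from the presentation; the scenarios,
their loss figures and frequencies are constructed for illustration."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # single loss expectancy: asset value x exposure factor, in currency units
    aro: float   # annualised rate of occurrence: expected incidents per year


def ale(s: Scenario) -> float:
    """Annualised loss expectancy, the 'absolute ALE' figure the slides mention."""
    return s.sle * s.aro


def prioritize(scenarios) -> list:
    """Rank scenarios by ALE, highest first (the 'security prioritization' case)."""
    return [s.name for s in sorted(scenarios, key=ale, reverse=True)]


def control_roi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual return on a control: the risk reduction it buys minus what it costs."""
    return (ale_before - ale_after) - annual_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler: number of incidents in one year for a given ARO."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, years: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo: for each simulated year, draw how many incidents of each
    scenario occur (Poisson with mean ARO) and how much each one costs
    (lognormal with mean equal to the SLE, so the tail can exceed the SLE)."""
    rng = random.Random(seed)
    sigma = 0.5
    totals = []
    for _ in range(years):
        loss = 0.0
        for s in scenarios:
            # mu chosen so that the lognormal's mean is exactly the SLE
            mu = math.log(s.sle) - sigma * sigma / 2
            for _ in range(_poisson(rng, s.aro)):
                loss += rng.lognormvariate(mu, sigma)
        totals.append(loss)
    totals.sort()
    pct = lambda q: totals[min(int(q * years), years - 1)]
    return {"mean": statistics.fmean(totals), "p50": pct(0.50),
            "p95": pct(0.95), "p99": pct(0.99)}


# Constructed scenarios for an outsourced service; the numbers are illustrative.
SCENARIOS = [
    Scenario("Vendor outage longer than 24h", sle=50_000, aro=2.0),
    Scenario("Data breach at a sub-processor", sle=2_000_000, aro=0.06),
]
TOTAL_ALE = sum(ale(s) for s in SCENARIOS)

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: ALE = {ale(s):,.0f}")
    print("priority:", prioritize(SCENARIOS))
    print("simulated:", {k: round(v) for k, v in simulate_annual_loss(SCENARIOS).items()})
    print("ROI of a control costing 20,000/yr that removes 60,000 of ALE:",
          control_roi(TOTAL_ALE, TOTAL_ALE - 60_000, 20_000))
```

The point the simulation makes that the ALE figures alone do not: the two scenarios have similar ALE, but the outage produces a predictable loss almost every year while the breach leaves most years untouched and a few years catastrophic, which is why the p95/p99 figures, not the mean, should drive the contractual and insurance discussion with the vendor.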

SLIDE 8

Information Classification

  • If you don’t know what to protect and where it is, how can you protect it?

SLIDE 9

Information Security is not an island

  • Formal engagement with other areas is key:
  • Risk Management
  • Legal
  • HR
  • Procurement

SLIDE 10

Risk Assessment for Cloud Providers

  • Control implications of different models
  • Accountability cannot be outsourced

SLIDE 11

Master Agreement / SLAs

SLIDE 12

Tree of Provider Chains

  • Are you aware of all the parties?
  • Will you be notified when parties change?
  • Does your contract require all parties to comply with it?
  • Do you force clauses applying to the entire chain of providers?
  • How visible are the finances of the parties?

SLIDE 13

What service level to look for?

  • Planned Downtime
  • Service Availability
  • Support/Mean time to restore service
  • Data recovery
  • RTO/RPO
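The service-level items above only become comparable once they are turned into hours. The block below is an added example, not from the presentation: it computes the downtime an availability commitment actually permits, including the common case where the maintenance window is excluded from the availability calculation, and lists where an offer falls short of a stated requirement. The SLA values, the requirement values and the 730-hour month are constructed assumptions; check the contract's own definitions.

```python
"""Turn vendor SLA terms into numbers comparable with your own requirements.
Added example, not from the presentation; the SLA values are constructed and
the 730-hour month is an assumed convention."""
from dataclasses import dataclass

HOURS_PER_MONTH = 730.0  # 8760 h / 12; assumed convention, check the contract's definition


@dataclass(frozen=True)
class Sla:
    availability_pct: float     # committed availability, e.g. 99.9
    planned_downtime_h: float   # maintenance window the contract allows per month
    planned_excluded: bool      # True if maintenance is excluded from the availability calculation
    mttr_h: float               # support commitment: mean time to restore service
    rto_h: float                # recovery time objective
    rpo_h: float                # recovery point objective (maximum data-loss window)


@dataclass(frozen=True)
class Requirement:
    min_availability_pct: float  # what the business needs, planned downtime included
    max_mttr_h: float
    max_rto_h: float
    max_rpo_h: float


def monthly_downtime_h(sla: Sla) -> float:
    """Hours per month the provider can be down while still meeting its SLA.
    When maintenance is excluded, the availability figure only covers the
    remaining hours and the maintenance window comes on top of it."""
    unplanned_fraction = 1 - sla.availability_pct / 100
    if sla.planned_excluded:
        measured_hours = HOURS_PER_MONTH - sla.planned_downtime_h
        return measured_hours * unplanned_fraction + sla.planned_downtime_h
    return HOURS_PER_MONTH * unplanned_fraction


def effective_availability_pct(sla: Sla) -> float:
    """Availability as users experience it: planned and unplanned downtime both count."""
    return 100 * (1 - monthly_downtime_h(sla) / HOURS_PER_MONTH)


def sla_gaps(sla: Sla, req: Requirement) -> list:
    """Terms where the offered SLA falls short of the requirement."""
    gaps = []
    eff = effective_availability_pct(sla)
    if eff < req.min_availability_pct:
        gaps.append(f"availability: effective {eff:.3f}% < required {req.min_availability_pct}%")
    if sla.mttr_h > req.max_mttr_h:
        gaps.append(f"mttr: {sla.mttr_h}h > {req.max_mttr_h}h")
    if sla.rto_h > req.max_rto_h:
        gaps.append(f"rto: {sla.rto_h}h > {req.max_rto_h}h")
    if sla.rpo_h > req.max_rpo_h:
        gaps.append(f"rpo: {sla.rpo_h}h > {req.max_rpo_h}h")
    return gaps


# Constructed example: a "three nines" offer with an 8-hour monthly maintenance
# window excluded from the availability calculation.
OFFERED = Sla(availability_pct=99.9, planned_downtime_h=8.0, planned_excluded=True,
              mttr_h=4.0, rto_h=24.0, rpo_h=24.0)
NEEDED = Requirement(min_availability_pct=99.5, max_mttr_h=4.0, max_rto_h=8.0, max_rpo_h=1.0)

if __name__ == "__main__":
    print(f"downtime/month: {monthly_downtime_h(OFFERED):.2f} h, "
          f"effective availability: {effective_availability_pct(OFFERED):.3f}%")
    for g in sla_gaps(OFFERED, NEEDED):
        print("gap:", g)
```

With the constructed figures, "99.9%" turns into roughly 8.7 hours of downtime a month, well below the 99.5% the requirement asks for, because the maintenance window is added back on top of the measured availability; the same 99.9% with no excluded window is under 45 minutes. RTO and RPO are compared separately from availability on purpose: an availability credit is not a recovery commitment.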

SLIDE 14

Risk Assessment on Social Media

SLIDE 15

Top Social Media issues

  • Employee productivity
  • Record Retention
  • Company reputation/image
  • Inappropriate content posted by employees
  • Compliance with regulation/laws
  • Discovering and assessing social media risks

SLIDE 16

How and what to monitor?

  • Analysis
  • Assessment
  • Mitigation

SLIDE 17

Action Plans

  • Don’t wait for a call from marketing to get involved.
  • Think of social media as your most popular cloud platform.
  • Integrate social media processes and drivers into risk assessment processes.
  • Accept the reality that your enterprise has social risks to manage.

SLIDE 18

Regulation

  • HIPAA
  • PII
  • PCI
  • GLBA
  • SOX

SLIDE 19
  • Use the new grouping model
  • Engage other areas of your organization
  • Promote Risk Assessment Awareness
  • Use it for vendor selection criteria
  • Continuous Improvement