Название: Cybersecurity and Third-Party Risk
Автор: Gregory C. Rasner
Издательство: John Wiley & Sons Limited
Жанр: Зарубежная компьютерная литература
isbn: 9781119809562
isbn:
The Control Objectives for Information and Related Technology (COBIT) framework is a high‐level framework for identifying and mitigating risk. COBIT is primarily used in the finance space to adhere to Sarbanes‐Oxley (SOX). SOX is also known as the Public Company Accounting Reform and Investor Protection Act. Developed by information technology (IT) governance professionals to lower risk, it has evolved to align to business goals.
The Ten Steps to Cybersecurity framework is an initiative of the United Kingdom's Department of Business to provide senior leaders with a cybersecurity overview. This framework acknowledges the urgency of giving executives knowledge about information security issues and risks that impact businesses, along with controls to mitigate them. It provides in business English (i.e., non‐technical, non‐jargon) an explanation in wider terms of the numerous cybersecurity risks, defenses, mitigations, and resolutions.
The Technical Committee on Cyber Security (TC CYBER) framework was developed to improve the telecommunication security in the European Union (EU). It contains a series of requirements for improving privacy for companies and individuals. The focus is to confirm that EU residents and citizens have a high level of privacy protection when communicating on all the various mediums in the zone. Although it's focused on the EU, it has been adopted by other countries worldwide.
These cybersecurity frameworks are important in third‐party risk due diligence work. When engaging with vendors about security due diligence, one of the first questions to ask is what cybersecurity framework they adhere to. Their answer will provide valuable information about how their organization performs its own security activities. Many of the frameworks or standards have similar themes and controls because cybersecurity does not vary industry to industry. However, what is often different is its focus or scope. Understanding which industry a vendor is in or the one you are subject to, can establish which framework is best used or a required fit.
Due Care and Due Diligence
Two of the concepts discussed often in this book, as well as in cybersecurity and third‐party risk, is due care and due diligence. Due care is using a reasonable effort to protect the interests of a company. For due care with vendors, it is ensuring they develop and formalize security policies, standards, baselines, and procedures to ensure the security of their environment. Due diligence is performing a reasonable exam and investigation before taking action. The opposite of due diligence is the ad‐hoc process. An ad‐hoc process is one that is not predefined but is essentially done without guidance. In this book, performing due diligence refers to the efforts of researching the risks of third parties. Due diligence is performing the necessary research to understand risk, while due care is performing the actions identified as needed from due diligence.
Internal Security Standards versus External Security Standards
We delve into the policies and legal documentation pertaining to cybersecurity and third‐party risk in later chapters. However, it is worth noting a problem often misunderstood: Why are standards or policies for vendors often more strict than internal corporate standards? Many complain that it doesn't seem fair or is a case of “do as I say, not as I do,” or worse, that it is being hypocritical.
The answer is explained in this analogy: Say you have a hard drive in your house that contains sensitive data, which is likely a 100‐percent accurate statement as nearly every reader of this book surely has a home computer containing sensitive data. This sensitive data, such as electronic bank statements or downloaded documents, is known as PII. Do you specifically lock that up when you leave your home? Not likely; you likely lock your door and turn on your security alarm, which is secure enough.
Let's say you'll be on a vacation while your house is going through a major renovation and while that is going on, you don't want to leave your computer where contractors have access (which is good vendor risk management, by the way). Your trusted neighbor offers to store it in his home while you are away. (He is your neighbor and friend but not family.) Before he receives the computer, you decide to encrypt the hard drive, install a basic input/output system (BIOS) password (i.e., what a user will see when the computer is first starting up), as well as ensure that your Windows account password is complex. (Please stop using your dog's name plus your birth year!) Again, you feel you're taking the proper due care to secure your data before it's given to a third party.
As you drop off your laptop at your neighbors' house, you ask where he plans on storing it. Surprised, because he had not thought about it, your neighbor casually replies, “Over there on that shelf.” This idea makes you uncomfortable for two reasons: First, he does not seem to appreciate how much you value this data. Second, storing it on an open shelf, where people you do not know can walk by and view it, leads me back to the problem with the strangers (i.e., the contractors) in your home. You then bribe him with a promise to bring him back a nice bottle of rum from your trip, in exchange for him storing it in his safe.
In your own home, you did not encrypt the data (not recommending this, just making a point) or have the best access rights administration. In addition, your data never was locked up when it was in your home. When you decided to move the data outside of your area of control, not only did you increase the security on it, but you required your neighbor to place it in a safe. He probably thinks you are ungrateful and demanding, but the thought of the rum is enough to make the extra work worth the effort. Your risk of a data leak is vastly reduced, as the only people who have access to it have the safe's combination. If there is a data breach, the list of culprits likely will not be lengthy.
A vendor has a business relationship with a company—it's business, nothing personal. As a company paying for a service or product, there is nothing wrong with requiring certain risk reduction behaviors that your company does not require internally. Most often the internal and external standards are the same; however, in some areas, such as encryption or access management, they can diverge. For example, internally a company could have a standard of AES‐128 encryption; however, that same company would require a standard of AES‐256 or equivalent externally from others. They want the assurance that their data is kept even more secure when housed outside their environment.
Cybercrime and Cybersecurity
The breaches and security incidents described in this book are primarily caused by cybercriminals and other bad actors. Breaches occur when an unauthorized individual gains access to a network and exposes sensitive data. Cybercrime is when such individuals use computers or the internet to perform criminal activities. The following outlines several types of cybercrime:
Email and internet fraud: A fraudster sends an email enticing the user to a financial gain by offering a scheme, such as you will receive $10,000 or more if you send a portion of that amount to release it.
Identity fraud: This cybercrime occurs when a cyber bad actor uses stolen identity data to commit a crime (e.g., when they apply for a credit card using a stolen identity).
Financial and payment card data theft: Just as it sounds, this cybercrime is the stealing of credit/debit card numbers or nefarious direct access to bank accounts.
Theft and sale of protected corporate data: While the focus is often on PII, there are other types of sensitive data at nearly every company that can be stolen and sold by bad actors, including internal price lists, computer/network information, financial data, СКАЧАТЬ