Title: Cybersecurity and Third-Party Risk
Author: Gregory C. Rasner
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
isbn: 9781119809562
Cybersecurity and Third‐Party Risk
Third Party Threat Hunting
Gregory C. Rasner
Introduction
Third‐party risk (or supply‐chain security) is not a new discipline; frameworks, regulatory directives, professional certifications, and organizations all attest to its maturity. Cybersecurity could be considered more mature still, since it has been around in some form since computing came of age in the 1970s. Nowadays it is even more complex in terms of frameworks, disciplines, certifications, regulatory guidance and directives, and avenues of study. Why, then, do surveys indicate time after time that well over 50 percent of organizations do not perform any type of Third‐Party Risk Management (TPRM), and that even fewer have anything other than an ad hoc cybersecurity due diligence program for vendors? The results of this lack of attention and collaboration can be found in hundreds, if not thousands, of breaches and security incidents that were caused by poor third‐party oversight and a lack of any due diligence and due care for the vendors' cybersecurity.
This book is designed to provide a detailed look into the problems and risks, and then to give specific examples of how to create a robust and active Cybersecurity Third‐Party Risk Management program. It begins by covering the basics of the due diligence processes and the vendor lifecycle, with models and illustrations of how to create these basic but necessary steps. Then it goes into more depth on the next stages of building a mature program: cyber legal language, offshore vendors, connectivity security, software security, and the use of a predictive reporting dashboard.
The book is designed not only to help you build a program, but also to take an existing program from compliance checkbox work to an active threat‐hunting practice. Many programs that currently exist are designed and run as an obligation to “check a box” for a regulator or an internal auditor. Yet no one has ever secured their network or data by doing only what the regulators told them to do. Security is an ongoing activity, and its application to third‐party risk must be equally active and ongoing. Its activities and results should emulate a cyber operations or threat operations team that focuses its efforts on reducing cybersecurity threats externally, at the suppliers. Get away from checking boxes and filling out remote questionnaires and take a risk‐based approach that engages your highest‐risk and/or most critical third parties in conversations to build trust and collaboration, lowering risk for both your organization and the vendor.
Who