NIST and Third-Party Risk Management: Pros and Cons
Description
NIST frameworks are excellent resources for establishing a program to identify and mitigate risks in your supplier ecosystem. Although adhering to NIST frameworks can strengthen your third-party risk management (TPRM) program, the sheer number of controls the guidelines cover can quickly overwhelm third-party risk practitioners.
Join compliance experts Thomas Humphreys and Joe Toley as they explore the pros and cons of using NIST in your TPRM program and how to use these guidelines to maximize third-party vendor risk monitoring.
In this webinar, Joe and Thomas discuss:
- How to determine which NIST controls are most impactful for third-party risk management
- Ways that aligning with NIST can strengthen your TPRM program
- Where the guidelines can fall short and negatively affect your program
This webinar is ideal for NIST shops or those just getting started with their TPRM program.
Speakers

Joe Toley
Compliance Expert

Thomas Humphreys
Compliance Expert
Transcript
Ashley: Hello and welcome everyone. We are stoked to have you all. I will give you all a minute while we wait for everyone to get situated and dialed in. But in the meantime, I’m going to go ahead and launch our first poll because we’re curious to see what’s bringing you to today’s webinar. Is it educational? Are you in the beginning stages of your third-party risk management program? A current Prevalent customer? Do you just want to hear our voices? Either way, let us know. And I can’t forget about some introductions. My name is Ashley. I work in business development here at Prevalent. And we are joined by two very special guests. Thomas Humphreys, our content manager. Hey, Thomas.
Thomas Humphreys: Hey, Ashley. Hey, everyone.
Ashley: And Joe Toley, our project manager. Hey, Joe.
Joe Toley: Hi, everyone. Hope you’re well.
Ashley: And I also can’t forget about our very own VP of product marketing, Scott Lang. Hey, Scott.
Scott Lang: Hey, Ashley. Good morning, everybody.
Ashley: Good morning. And just a quick reminder, this webinar is being recorded and we will be sending out the recording along with the presentation slides shortly after this webinar. You’re all currently muted, but we do love participation, so please put any questions in our Q&A box so we can go over them at the end of the webinar. So today Thomas and Joe will be discussing the pros and cons of using the NIST framework. So, gentlemen, I’ll toss the keys over to you and let you start driving.
Thomas Humphreys: Thank you very much.
Joe Toley: Fantastic.
Thomas Humphreys: Thank you, Ashley. So, let me go ahead and share my screen. Is the presentation visible?
Joe Toley: Thanks, Tom.
Thomas Humphreys: Yep. Fantastic. Okay. Yes, a very warm welcome. Good afternoon, good evening, good morning to everyone on the call. My name is Thomas Humphreys. As Ashley mentioned, I am the content manager at Prevalent. And with me, I’m pleased to have Mr. Joe Toley, the project director at Prevalent as well. We’ve covered the key housekeeping aspects of today. As already alluded to, we do have an open chat window and a Q&A. Feel free to use the Q&A throughout today’s presentation. We always try to leave some time at the end to answer many questions. But certainly if there are any pertinent questions coming up relevant to the areas and the slides that we are on and the topics that we’re discussing, we may pull up a few of the questions at that time as well. Just a very brief introduction to myself. So I head up content development within Prevalent: building frameworks based on known standards, local and international standards, areas such as NIST and ISO. I used to be an ISO auditor for the best part of 10 years, working very closely with many companies across the UK, Singapore, Europe and America as well. And I’ll briefly hand over to Joe.
Joe Toley: Thanks. And hi everyone. Pleasure to meet you all on the call today. I’m Joe Toley, the project director at Prevalent. I spend a lot of time working with clients in building out programs and helping them get their programs set up correctly to assess third parties in an efficient way. So process is something I’m very keen on, gaining efficiencies. As we all know, the more inefficiencies we have as we assess vendors, the more it sort of multiplies across the program. So I’m here today to feed off of Thomas’ technical knowledge on NIST and see how we can leverage it to get the best out of a program.
Thomas Humphreys: Fantastic. Thank you. And with that we can make a start. So what’s on the agenda today? So the overarching topic is around understanding NIST and the pros and cons of the framework. We’ll start with getting to know the NIST standards, having a wider overview of what NIST is, what it does as an organization, and then focusing very much on a lot of the security and cyber security based frameworks, before doing a deeper dive in terms of the positives and some of the negatives as well of the frameworks, and what it means in terms of developing and continuing your third-party risk management program. We’ll then shift gear and look at how you can adopt the NIST framework, pulling a few of the standards to help, whether it’s building the framework for the first time for your TPRM or enhancing and adapting it for those who already have an existing program in place. And then we’ll spend a bit of time looking at breaking down specifically the NIST 800-53 controls and understanding how we can start to piece together what controls best fit our programs and how we can use that alongside managing and understanding our third parties. So if you take a wider overview first: as we see across many industries now, both locally and internationally, there’s a huge increase in the volume of third parties and the type of third parties organizations are dealing with. There seems to be an ever-expanding network of organizations, suppliers and partners getting involved in many aspects of the day-to-day running of an organization. Much of this is coming from the increase we see in the use of service offerings, the use of digital transformation, and some of these topics that have been around for a few years but are still increasing. And of course, what we’re seeing now is that this increase in suppliers and the wide supply chain is having a wider impact on those critical systems, components, products, and services as well. And naturally, as you’d expect, as the supply chain grows, it has a wider global impact, a global distribution of where we’re getting products and services from, where we’re getting components from. So this concept of the fourth and Nth party, or wider supply chain, keeps on increasing. Very relevant for many organizations. But of course, what it does mean is that we need to have stronger control, stronger governance. Now more than ever, there needs to be more focus in terms of how we manage and understand these third parties, and how we can assess them, review them, engage with them, respond to them, and monitor them based on the product and service and systems that they’re providing to us. So with an ever-expanding network of suppliers and the wider supply chain, more than ever there needs to be greater control and governance and oversight in terms of this wider network.
Joe Toley: Yeah. And Tom, are you finding that the frequency of updates to these types of content and frameworks changes more frequently than it used to with these increased systems and mechanisms?
Thomas Humphreys: That’s a very good question. Now, as we’ll see particularly with NIST, many of the what you might call established frameworks and established standards do have a structured approach when they update themselves and go through a formal review process to take in more topics, new and emerging trends based on different threats and events out there in the world. But one thing that we are seeing is expansion of new standards from bodies such as NIST, such as ISO, whether they’re responding to sector-specific calls and sector-specific concerns. For example, in the financial sector we’re finding more financial bodies and regulators impressing the need for supply chain management, cyber security management, for example.
Thomas Humphreys: So yes, we are seeing many standards going through the regular update, annually or every two, three, four, five years. We are seeing a significant uptake in new standards and new frameworks or guidelines addressing some of these concerns, which you’d expect, but I think it just very much reflects the nature of how ingrained and how critical this subject area is at this point in time.
Joe Toley: It’s great. Thanks.
Thomas Humphreys: So let’s have a look in a bit more detail around NIST. So NIST, the National Institute of Standards and Technology, is a US organization, and one of its main focuses is on the promotion of standards across science, across technology, across multiple different disciplines as well. One area we are focusing on today is very much around information and cyber security and the risk that sits around that. But there are many other standards that NIST as an organization promotes across multiple industries and sectors. As an organization, many of these standards were initially developed for federal government and government-based institutions, agencies and contractors, and you can see that through some of the technicality that some of these standards bring and some of the requirements and expectations they bring with it. But nevertheless, what we’re finding now is that many of the frameworks such as 800-53, perhaps one of the more well-known standards in NIST, are becoming adopted more globally, both by government-based organizations and government-based contractors and non-government organizations and institutions, whether it’s from the US or outside as well. So we’re seeing a wider adoption and intake, which sort of recognizes these best practices and where NIST has taken these frameworks.
Joe Toley: Yeah. And Tom, out of curiosity, we have NIST, we have the likes of ISO 27001 and SIG, lots of different frameworks and standards out there. Is there a reason why, apart from the ones that are focused on US federal government agencies and contractors, is there another reason why other organizations might pick NIST over one of those other standards and frameworks?
Thomas Humphreys: Yes, it’s a very good question, a good point. There’s a lot of standards and frameworks out there. Perhaps one of the most well-known, let’s take ISO 27001. One of the biggest drivers of finding companies choosing the NIST 800 standard, or series of standards, is because, one, it’s free. It’s a freely available framework that can be accessed by anyone. There is a wider global recognition of the framework as well, not just again those organizations who are tied to government institutions but elsewhere and outside; we’re finding more companies recognizing the benefits and some of the best practices that come from these technical control standards. Another factor of course is there is a close relationship, again as we’ll see later on today, between NIST and some of these other standards such as ISO and SIG. So there’s a close relationship and commonality between some of the controls, which of course can make it easier for some companies if they start on the path of cyber security with NIST but with the long-term aim to go through certifications such as ISO as well.
Joe Toley: Okay. So they can start off with a process of aligning to NIST internally as their sort of local standard framework that they pick, and then, through aligning, developing controls and mapping to the control requirements of NIST, it simplifies that transition period later on where they might seek to get
Thomas Humphreys: Absolutely.
Joe Toley: Okay.
Thomas Humphreys: Yeah, absolutely, yes, and we’ll see that later on today through some of that commonality of controls and control points as well.
Joe Toley: Yeah. And does NIST keep up to date with, as you mentioned earlier, the growing need for privacy and security concerns around data? Does NIST keep in line with those requirements, because it has this need to support US federal government agencies and that aspect?
Thomas Humphreys: Yes, it does. So in a not too dissimilar method or approach to other organizations like ISO or the IEC and other standards bodies, it does have a structured process of regularly updating its frameworks, primarily, yes, to address those concerns. So where there are new and emerging threats, where there’s, say, a greater increase in data privacy, for example, or supply chain, these are areas where at a point in time they’ll decide to expand its standard, and in some cases develop new standards as well if the subject area warrants a new standard or a new framework.
Joe Toley: Yeah, sounds great. Freely available, updated in line with recognized sensitive areas, and it’s something that we can easily convert to ISO 27001 later on. So it sounds like a good path to go down for someone that probably hasn’t embarked yet on a cyber security program or building their own internal policies and procedures.
Thomas Humphreys: Yes, absolutely. It’s an attractive route to go down if you’re just starting out in the cyber security space or otherwise looking to explore that area, both for yourself as a business but also when dealing with suppliers and the wider supply chain as well.
Joe Toley: Sounds great.
Thomas Humphreys: It’s important to note, as you can see on the right-hand side, that although we are focusing on 800-53, it isn’t the only standard out there that touches on risk management and cyber security. Again, in a similar vein to other standards bodies, NIST has developed what I like to call a family of standards. That is to say, a series of standards, a series of guidelines, that either complement each other or enhance each other. And it’s always worth noting this wider range of standards, because although there may be one that focuses on controls and control development or control requirements, there’ll be others that help complement that and make for a more meaningful framework.
Joe Toley: Great.
Thomas Humphreys: So, NIST standards can overlap and they can complement each other. And there’s a few key areas to focus on. So, 800-53 down the bottom there, the security and privacy controls for information systems and organizations. This is perhaps the more widely used and widely known framework, and it’s this framework that we’re seeing being used to assess the wider third party and the wider supply chain. However, as you can see, sitting around that is a series of other standards. CSF, the Cybersecurity Framework, takes aspects of 800-53 but puts them in a clearly defined structure, and we’ll see later on today how we can use the CSF when we’re trying to work out how we organize our controls, how we determine controls based on our scenarios. Then there is a series of standards focusing on risk management.
Thomas Humphreys: So developing a clear risk management structure, risk management framework, not too dissimilar to other frameworks such as ISO 30,000 on risk management. And as you can see down the bottom there, there’s a supply chain specific framework that takes controls from 800-53 and enhances them, but also sets a scene for a more structured approach from the ground up: how do you build a third-party risk management or supply chain risk management process? So from third-party engagement to setting management policy, risk, and the full wraparound that a true TPRM or SCRM will give you. So we can see quite a few different standards and frameworks that can be used, if in the right way, to help complement and build and strengthen your TPRM.
Joe Toley: And when we’re looking here at NIST, and we can see those families that overlap with the ISO standards and frameworks, is there any reason why you might pick ISO 27001, for example, over the NIST route? Obviously we’ve covered off some of the pros there of NIST, but how about the other way around?
Thomas Humphreys: Yes, it’s always an interesting debate which one to go for. Is one better than the other? Is ISO better than NIST and vice versa, or is ISO better than SIG? Each one has its own merits. One of the biggest drivers with ISO of course is it’s a certifiable standard, although there are necessary costs associated around that whole process that we won’t go into. Obviously one of the biggest drivers around companies going through ISO is it provides an independent oversight and recognition of an organization’s security posture that you won’t get through the NIST standard. So that’s one route, or one example, of why ISO may be chosen over NIST. Another one is the way the controls are developed. As we’ll see shortly, NIST has a lot of complexity around many of the controls that ISO doesn’t go into. There’s a lot of commonality, as said at the start, but there are a lot of areas that NIST expands on in a very technical way, and so in many industries, in many sectors, ISO is still seen as a front runner in terms of recognized frameworks. But as I say, each one has its own pros and cons, as we’ll see shortly.
Joe Toley: Yes, it sounds like NIST would give you the self-confidence that you’ve aligned to a reliable framework that’s really detailed and covers pretty much what ISO 27001 does, but it just doesn’t give you that stamp of approval that you could share or get recognized for from the rest of the industry.
Thomas Humphreys: Absolutely. Absolutely. Okay. And consistent terminology, practices and control structure throughout. Again, it’s always worth noting that it can be a bit mind-boggling at first when you’re presented with multiple standards and frameworks. And one of the first things that can be mind-boggling is just the type of terminology. But there is a consistency that obviously NIST brings across its wider, as I say, family of standards and frameworks.
Joe Toley: Yeah, that’s an interesting point actually, Tom, just to cover that one off. So if we are leveraging the NIST framework over ISO 27001, should we expect that if we’re engaging suppliers and assessing particular control requirements, for example, there may be some impact from the supplier not recognizing control references or some of the terminology used and that kind of detail?
Thomas Humphreys: In some cases, yes. Now one of the benefits I’ve seen is quite evident when you’re looking at those two particular... I know we keep touching on ISO, but I think it’s quite relevant given the relatively close relationship between the two frameworks in terms of what they set out to do, and the terminology particularly. You know, the terminology can always be a potential minefield, particularly for companies not used to it for the first time and having to explain: well, we viewed it from this angle before, we’re now going to a different angle; is it the same subject, is it the same meaning, does it have the same weight towards it? But there is a lot, even in many of the terms, you know, the way NIST for example describes access and the concept of access management and access control versus the way ISO describes it as well, and that’s a huge help as well, particularly looking at it from the other side, for those organizations who may be certified to ISO, let’s turn it around, but they want to use this to expand and mature their framework and mature their management system. So just getting to understand some of these terms and control structures can help greatly in terms of taking you to that next level in terms of management system.
Thomas Humphreys: So let’s take a step into 800-53 now. It has certainly become the most widely used of the standards on risk and security, cyber security. So how big is it? So on the right-hand side there are 20 controls, or control groups to be more specific, and across those 20 control groups there are over 950 individual controls. To put that into perspective, 27001 has around 113 controls in the old 2013 standard; I think it’s about 96 in the new 2022 standard. Some of the SIG frameworks have around 150 to 200 in the newer versions. So you can see there’s a lot of controls split across these 20 control groups. Quite significant.
Joe Toley: Yeah. And I have a feeling we’re not going to cover off each control today, Tom, on this webinar.
Thomas Humphreys: I’m afraid not. No. But hopefully it will give an idea of the depth of some of these areas. So, obviously, what does this give? As you’d expect with the volume, the potential for a very in-depth assessment across every control group. And I’ve kept on using the term commonality, and some of it is quite evident and obvious when you go through the control groups. So access control: we’re looking at user registration and deregistration, privileged access, multi-factor authentication, access reviews, and so on and so forth. Incident response: an end-to-end process of handling an incident. But it’s when you get to some of the other areas that it becomes quite technical, looking at very specific aspects. So the use of architecture for managing address resolution, for example, deploying decoys and decoy controls to become targets for certain attacks, for example. And the way that application management and application development has expanded to look at a greater focus around developer training and developer-focused training, for example. So there’s many areas that NIST touches on, but they go that extra level, which of course allows for reviews at a much more granular level. And as mentioned at the start of the topic, I believe a lot of this was driven based on where 800-53 came from, you know, its need to focus on requirements for federal agencies, for critical national infrastructure based organizations and agencies and groups, and so there’s a need to have that very technical scope.
Joe Toley: Yeah.
Joe Toley: Drawing that comparison with ISO 27001 again, or even some of the other frameworks as well, I’ve noticed they’re not your sort of traditional domains that you see across other standards. Are these additional areas of controls, or is it just a different angle of how those controls are mapped to these areas?
Thomas Humphreys: It’s a bit of both. Some of it comes down to the terminology that NIST has used, and used historically. Other than that, it is simply a, what’s the best word, almost a rebalancing of where they’ve positioned controls in certain areas, or where they put controls that sit across multiple control groups but all relate to a similar topic area.
Joe Toley: Okay. So it’s more the sort of depth of control assessment rather than differences in controls altogether.
Thomas Humphreys: Yes. Correct. Yes. Absolutely.
Joe Toley: Great stuff. Thanks Tom. Yeah. So what I’m seeing so far, what I’m hearing, sorry, is NIST seems to be great at detailing all of the controls you could possibly ever want, especially to the level of government agencies, for example. But when it comes to supplier assessments, this might not be the best approach, to just take that copy of controls and ask your supplier to assess against those, for example. There’s probably going to be far too many to make this an efficient process. And I could also see challenges in taking that vast number of controls and actually focusing those down to something meaningful to assess a supplier against. There’s going to be some noise there. You’re going to worry about which controls to select to carry forward and which ones not to. Obviously, you mentioned a few controls there before which sounded quite detailed and something you wouldn’t go and ask a supplier about. So it’s going to be difficult to try and apply that filter and know what to address with your supplier and what not to. And then we touched on as well the terminology that’s used within NIST. And I just see a note in the comments about the control mapping that is provided between NIST and ISO. I think that although it’s great to have that mapping, if we approach a supplier and ask them to reference a particular NIST control reference and give us some validation whether it’s in place, it’s going to take them longer to get those responses back to us and understand exactly how they should be answering a question, because it might not be something they’re particularly used to responding to and have the expertise to respond to as well. So as well as it being very great at some things, I can also see there are going to be some negatives to do with the process side of using NIST to assess suppliers. Tom, if you’re able to hop on to the next slide for us, I think we can cover off some of the impacts that these negative points might have. Process, the bit that I love to talk about: the idea of assessing a supplier against lots and lots of controls, it’s obviously going to take longer. So we would want to avoid making that process take longer, because it’s going to cost a lot more resource internally to actually manage an assessment. So, as I said a moment ago, it’s going to be quite valuable in performing an exercise to actually trim the number of controls we care about down to something that’s meaningful. Obviously, the longer a process takes, the more it costs internally. And if we are delving into some of the detail of some of those more unknown controls that you quoted earlier, it’s going to take more expertise as well to actually look at them, review them, understand them, and know how to respond to them if there’s a finding against some of those controls as well.
Joe Toley: One thing that I find is quite common with supplier assessments is generating too much noise. You know, we ask a lot of questions about controls. Sometimes those results come back and they’re not that much of a concern to the supplier, either because the supplier maybe doesn’t handle data on behalf of you but we’re asking them data-related questions; you know, those types of scenarios where what we’re asking doesn’t quite align to the service. So the more we do that, the more noise we’re going to get generated. So I think there’s certainly going to be some value in tuning this process down again to something more meaningful, where every time we get a finding or we get a particular risk generated through the process, it’s something actionable, something meaningful, and something that, if we report on it, is going to be valuable to the organization as well.
Thomas Humphreys: And I guess, Joe, on that point, I mean certainly yes, we’ve just seen that there’s upwards of 900 or so, almost verging on a thousand separate controls. And I guess that’s a challenge, isn’t it? Knowing, as the end user, when we’re building our framework, building our survey, what are the right controls that we really need to focus on based on ourselves as a business and our own risk appetite?
Joe Toley: Yeah, it’s nice to know that if you are working with NIST there is this, you know, you’ve got a portfolio of all the controls that you know are going to be valuable, so you’re not going to have to rebuild any of this or select new standards or frameworks to incorporate; it’s just going to be an adaptation of those NIST controls that we’re processing against, just to find out where that sort of sweet spot is of getting valuable information. And there is a point on the right there all on its own which I actually think is really important here. To get valuable information from our suppliers, actionable items, we want a good level of engagement from suppliers. We want to be able to perform an assessment, have willing participation from the supplier. You’re probably not going to get that if you do assess against 950 controls. So the more we can make this process as slick as possible, the more the likelihood increases of actually getting valuable data back, having things turned around in shorter amounts of time, and obviously encouraging collaboration with our suppliers as well, which I think is hugely important in having a relationship that progresses over time.
Thomas Humphreys: Absolutely. And I guess
Joe Toley: Go ahead, Tom.
Thomas Humphreys: Yes. And I guess of course, Joe, when you’re looking at these, you could definitely see why these could put someone off, saying it’s just far too much. It’s far too detailed. It’s far too complex. And certainly, like you say, if we’re lacking the expertise and the knowledge, or we’ll end up upsetting our vendors, saying fill out a thousand-question assessment for us.
Thomas Humphreys: So I guess the ultimate question then is, how can an organization take something like NIST and then turn it around to make it a more targeted, more relevant framework for that business?
Joe Toley: Yeah, I think there’s a couple of options here. We can obviously work with NIST as a whole and tune it down based on our risk appetite internally. What do we care about? What do we care about for our suppliers? You know, what do we expect them to have in place when we deliver certain services? Another approach that could be really beneficial here is actually not reinventing the wheel but leveraging some of the experience of other standards and frameworks. So we know here that NIST has more controls than ISO 27001, or I think from the SIG perspective as well. We could actually use a bit of a hybrid approach of mapping to ISO 27001 or another recognized standard and actually leveraging what they think is important as well, so that we sort of trim down NIST into something that is a bit more of a hybrid and a collaborative bit of content that we know would be recognized if someone did recognize the ISO 27001 standard or did leverage, you know, SIG internally, for example.
Thomas Humphreys: Yeah. So really using the best of both worlds, or multiple worlds, to say we can demonstrate best practice, but it could perhaps be more advantageous to the sort of stakeholders, stakeholder groups and other interested parties as well.
Joe Toley: Exactly.
Thomas Humphreys: And I guess a lot of this starts from taking a step back and really working out, you know, what are we trying to achieve? What are we trying to get out of this? And, you know, what are our objectives when developing a TPRM and using the likes of NIST? And certainly at the top level it’s all about establishing those best practices, establishing, you know, what are we trying to achieve from the outset. When we think about our vendors, the type of companies that we’re engaged with, the type of product and service they’re supplying, or the sectors they’re in, or even the geographies they’re in, all of these can impact what type of controls we’re using, or should be using. And on top of that, looking at, well, how can we use them to gain that assurance from a third party that they have a good security posture, a good privacy or cyber security posture, whatever the topics are. So having a very clear baseline first, of working out where we want to be, and then following that through with: are we going to get the return from that investment from these third parties, from these vendors that we’re working with? And of course, to your point earlier, Joe, as well, that continual positive relationship that we should get from these organizations that we engage with, both in the short and long term.
Thomas Humphreys: So having a look at those objectives and the standard that we need to set the scene. We need to have good relationships with our organizations, with our vendors and partners. Well, how can we determine that success when we’re building or when we’re enhancing or updating our risk framework? So, establishing that best practice, as I’ve mentioned, those most appropriate controls that are relevant to supplier services. Each supplier is very different. Each supplier, whether it’s the size of the supplier, that complexity, the type of service they’re delivering, they may not all warrant the same volume and same type of controls. And so making sure that content is the most relevant is going to give us the most value and return. Once we’ve set the scene in terms of identifying those controls, we know what we want to achieve. We know the control groups from this that are important to us as a business, or important to the industry; we can then start to go down further and look at the efficiencies around what are those critical control areas. What are the risk areas that are most concerning to us? Because those are the ones that we need to focus on. Once we have those assessments, we conduct those surveys, those audits on the vendors. When risks start coming back, or we have areas and gaps that we need to focus on, do we know what we need to focus on? Have we identified what those critical areas are, so we can be efficient with our time?
Joe Toley: Yeah, and I guess that works both ways, doesn’t it, Tom? Because you’ve got the recipient of an assessment that might well be having to fill out questions or give you information about controls that might not be relevant, but then you’ve also got the other side of this where you actually have to review these controls as well. So you get sort of noise on both sides. So yeah, the more efficiency we can gain through that process, the less time is wasted on both sides, which is always a good thing.
Thomas Humphreys: Absolutely. In terms of the third objective, Joe, I mean, what sort of tips would you generally say? What’s, I guess, a typical approach to making sure that, okay, we’re sending out this assessment to this vendor or series of vendors, how do we make sure that they’re actually going to be engaged and give a level of assurance?
Joe Toley: Yeah, I think those first two points are going to be hugely beneficial. You know, from our portfolio of controls, we’re selecting only the ones that are meaningful and giving us value. I think that’s going to be the number one priority to gain efficiency there. And obviously, the more efficiency we have, the more engagement we have as well.
Um the other aspect to this is making sure the process of assessment is going to be something that’s user friendly as well. Um we want to make sure it’s a a simple process for a vendor to give us this information. which I guess is also why you know having these mappings to other recognized standards that the the vendor might be using may speed up the process of giving us information. Why that might be might be valuable. Obviously using a form of automated platform is always going to be beneficial. Um we want to make sure we are collecting as much of this important information uh with the fewest interactions with a supplier. It shouldn’t be a process where we’re reaching out asking a question um they may respond to it and suddenly we have a finding that we need to to review and because of that there’s several other follow-up questions and that process is multiplied by the amount of controls that we’re assessing against. So one thing I’d always recommend is collecting as much of that important information as possible within our first interaction with our assessment content as you’re well aware Tom when we build out our um our series of questions If we identify a finding, there may be some follow-up questions already embedded in our process. So, we’re still getting that information we need through the uh through the supplier supplier assessment. So, yeah, I would say making sure we’re using the right content uh to assess efficiently and then making that collection process and that engagement process with the vendor as slick as possible so that we get all the information we need um so that we can make some informed decisions on uh on how to manage that particular vendor. Um and of course one one area that’s always worth worth highlighting um for any um um uh part of the of the of the the TPRM journey is is this idea of continual monitoring, continual review u because obviously businesses change uh vendors, partners change um as do the standards as we discussed earlier. 
Um and when when emerging threats occur um and and frameworks are updated or where where businesses expand and take on um new work or new systems and new processes. It means there will be naturally be changes in the type of questions we want to ask or or or risks that could occur or potentially could occur as well. And having that continual engagement and continual monitoring um to make sure vendors remain accurate or the profiles that we have on them remain accurate it is very critical as well um if you want to get the best out of the process. Thomas Humphre: I mentioned at the start of discussion that there are a series of frameworks and although we’ll be focusing more on 853 um there are other other standards that the minister has developed. One of them is CSF or the cyber security framework and I thought this is a good just juncture just to show and highlight how particularly when you’re you’re you’re looking at standards and and you’re trying to work out which controls are best for us. Um, one of the daunting tasks is is is focusing too much on the volume. So what CSF does is it takes the controls and it breaks them down into these five areas or the cause identify, protect, detect, respond and recover. Thomas Humphre: And so under each of these particular topics or subject headings um you start to break down the type of controls So why is this important? So when you look at risk management and and and and you look at assessing the risks or potential risks uh to your vendors, you’ll naturally come up with um more critical risk areas than others. And to deal with these risks and to address these risks, you’ll naturally need some controls over others. There’ll be more technical or operational organizational controls. 
There will be more uh controls focusing on how a business responds, how it recover from an event such as continuity um and and availability for example um or controls for focusing on how a business may protect data um and the necessary data security controls around it and so the CSF helps to break up and and and to to to to put these controls into respective buckets. So protection based controls focusing on limiting containing threat to respond and recovery based controls so restoring capability or a service. And so obviously this can help when you’re trying to work out well or based on what these vendors do um what type of control should we we be focusing on. And so this gives you an indication and an insight into how you can take the control from 853 but then use other areas of the NIST standards um to help embellish or enhance the understanding um of what controls are relevant. Joe Tolley: Yeah, it’s really interesting. So is this um is this a an approach that’s unique to the NIST um framework or do other standards that you’ve come across incorporate this type of approach? Thomas Humphre: Um so interestingly we were talking about um um uh ISO we were making comparisons with ISO um their brand new stand well the update to their standard so 27,000 2022 does make reference to a similar concept this idea of identifying control olves based on you know protection based controls operational controls um response or responding and detection based controls as well um and it’s it’s a good approach to take personally I I really like it because it can really help you know structure and determine what controls are best for these scenarios um and and particularly if you’re having trouble trying to work out um you know where do we start so we are seeing other other standards bodies adopt a similar concept Um but um I think NIST have had this for quite some time and they’ve certainly had a um uh they’ve embedded it well um in in in the way they get across controls. 
Joe Tolley: Yeah, it seems appropriate for uh yeah identifying which controls are best suited for suppliers I think using this type of approach. So it’s really good to see. Thomas Humphre: Absolutely. I have a very short comparison just to show you um how how in depth NIST can can go um to have some very very typical controls on the right hand side from access control and configuration management um managing inventory of systems and system components and data backup um and development as well um so development processes so for software application development and the full development life cycle as well on the left side we can see where there’s direct mapping to ISO 2701 um I believe these controls are actually the 2013, not the 2022 um control numbers. Apologies there. Um what’s interesting to see is if we take a subject like A14 in ISO that covers a lot of depth around developing um uh uh system uh system development life cycles, principles of secure development and testing. And this captures these these controls very well as well and then goes into the same level of depth. But then They also cover training specifically for developers and and and and some of the nuanced skill sets that developers need. They also cover requirements for when you need to do customized developments outside of the standard process. And these are areas that ISO for example to take that standard do not cover. Um I think we covered a few other areas earlier around uh system architecture, the use of decoys, the use of honeypotss and other other um technical components. And again, this just highlights that NIST takes many common uh uh subject areas such as access or system development or system uh building and integration and greatly expands them. Some cases to a very technical nature and very technical need, others um just providing a wider clarification on on the subject area. 
Um again, I think larger list comes from from more the historical side uh where where it was you know the businesses the agencies who it’s designed for. Um this hopefully just gives a short introduction into um how it can take common topics but also can go one step further and and and cover um completely different areas in a lot more depth as well. Joe Tolley: Yeah, it’s good stuff. I think um yeah, which segus quite nicely onto this um because it’s really really emphasizing the need to address the scope of your assessment. Um for example, those controls we just went through, although they were very detailed, I guess they could be very um occasional scenarios where they are relevant, it’s just making sure that we only include them when they’re relevant to improve on those efficiencies we discussed earlier. Thomas Humphre: Exactly. Joe Tolley: Which is why that monitoring piece you mentioned also comes into play quite a bit. Um where we’re using profiling and taring exercises that we’re seeing clients use much much more often these days to identify who a vendor is, what they’re what service they’re providing, and how critical they are to you know your operations and your business as a whole. Um, and there’s some real simple questions you can use to identify that uh like a basic framework that’s standardized so you can identify tearing or criticality of vendors really really easily. You know, understanding what the impact would be that vendor was to to fail in the performance or delivery of of a service to you. Um, and they may span across things like operational aspect or the risk of losing data for example. And we can use some basic thresholds to provide some quite good detailing on um on which type of of tier a particular vendor should fall into. 
And using that information, we could then choose to include certain question sets or more detailed question sets for those most critical vendors which is going to be you know something that gives you that additional level of assurance that you might feel you need in those scenarios. Um the other topic that’s quite interesting here is looking at service specific uh question sort of layers. So you may start off with your basic core control layer and then based on the service they’re providing we might choose to include these other modules if you like. So using that example a second ago where we had the development um example brought up on the screen. You know, we may only need to include those development questions where the service includes in-house development, for example. Or if we know they’re interacting with personal data or sensitive data on our behalf, we might choose to include some more focused data security questions um and things like business continuity and um and disaster recovery may be more important for hosting providers. You know, those types of logic that we can apply to our question sets based on our prof filing and tearing exercises can then make this process more efficient because we’re choosing selective content that you know fits the profile of a vendor. Uh and that’s why that exercise could be hugely valuable. Making sure we keep in tune with our vendor, making sure we’re collecting attributes on a regular basis that might impact how we assess the vendor and even remediate a vendor could be really valuable. Um, one other point to note to note here as well is um Performing these profiling and tearing exercises is actually really useful for maintaining the relationship. You know, making sure we’re kept up to date with who we should be speaking to at the vendor side and making sure that year on year some of the impacts to our business haven’t changed. 
There’s some really useful exercises we can gain from a short questionnaire or short engagement with a vendor to understand some of these key attributes. AB Thomas Humphre: absolutely completely agree and Yeah, all all this does is help strengthen that relationship, doesn’t it? And particularly around, yeah, on both sides, making the the the experience with the vendor a pleasurable one in terms of um you know, making sure we’re not overloading them with with with questions, with asks that are just irrelevant to them as a business. Also, making sure when we do get back uh actions, risks, activities, um that they’re telling us what we want. to know about that organization and and it’s not um as as I think a term we used earlier just noise um and unwarranted information or sometimes non-risk Thomas Humphre: that’s not relevant as a business and it can skew perhaps the perception of that organization Joe Tolley: um if we haven’t done that due diligence um correctly. Thomas Humphre: Yeah. Thomas Humphre: So taking a step back we’ve had a look at NIST focused on NIST 853. This very in-depth um very detailed um uh cyber security control assessment. Um we identified that there’s a wider variety of standard frameworks out there that can help complement um 853 such as the CSF. Um and so of course first key aspect is really that identification of your TPR requirements, those minimum controls and best practices uh that you alluded to, Joe, in terms of that profiling and taring and understanding. Are there certain standards that we want to pay attention to such as ISO or or um or SOCK 2 or other regulations and best practice frameworks? Then building if you haven’t done already that formal TPRM um standards such as 800161 that has the full end when life cycle of supply chain risk management is always a good place to start and building and continually reviewing and updating that profiling and tiering approach. 
And then when we have that process in place then working with the standards using this CSF in collaboration with 853 to create that baseline of controls. So here are say 100 controls or 50 controls um that we need to look at um then they may be streamlined based on that profiling and taring. So we’re not asking development questions from a non-development vendor for example and designing that in this assessment based on those controls and where we want to focus on mapped best practices such as 27K and beyond. Thomas Humphre: Yeah. Joe Tolley: Sorry Joe. Joe Tolley: Yeah. And would you say a good place to start if you’re sort of unsure about you know which controls to select or um even which standard or framework should be should be leveraged would be to um use that sort of hybrid approach or at least compare some of the standards and frameworks and see you know what their purpose is. Is it for a particular regulation? Um do they include controls that are heavier in some areas that might be more relevant to you? Um or should we look at these standards and frameworks and actually as I said really create a bit of a hybrid approach of um of leveraging the experience of all of them together. to be able to Thomas Humphre: I’ve always I’ve always liked the hybrid approach. I mean, you can look at these things in isolation, of course, but there’s so much commonality and there’s there’s there’s so much um you know, there there’s so much benefit to to to to taking a standard, but then then building off it all the additional best practice frameworks. Um so, you really can get the best of multiple worlds in terms of having a governance structure, a risk structure, having technical control that goes to the level that say N can provide you versus the level that ISO or or or other frameworks can provide as well. So there’s a lot of merit in in using a structured framework and then um building off it those standards, regulations um um um and other guideline uh practices as well. 
Joe Tolley: Very helpful. Thomas Humphre: And generally we’re finding that as well that that there there are more companies adopting to this this concept of this hybrid approach Thomas Humphre: as well. Um, are there any final closing comments for yourself, Joe? Joe Tolley: Um, nothing for me. As I, as I was saying, I’m really focused on process here. So, you know, I think the really valuable exercise here is taking a selection of of controls that are meaningful to give you the output you need um to to make your program as efficient as possible. Um, and not sort of blindly asking questions or assessing controls that you’re not going to be following up on or getting meaningful data from. It’s quite common that we see clients or programs started or even midway through their programs and you see sort of pools of data that aren’t being leveraged or put to good use because that information isn’t currently valuable to them. Joe Tolley: So, I would say that um yes, it’s great to start with a standard or framework that’s something referenceable and you you got some justification for why these controls are there, but um certainly bear in mind this tuning and this ability to match your sort of tuning activity to the profile. of you know your organization and the types of third parties you’re interacting with. Thomas Humphre: Absolutely. Um before we continue um I’d just like to pause there and I believe uh Scott um there’s a a few pieces you would like to cover. Scott Lang: Yes, please. I will share my screen now really quickly. Just have one slide to cover uh with you. Uh let’s see here. Quick check. Thomas, can you see my screen. Thomas Humphre: I can. Scott Lang: Awesome. Uh folks, I’ll dispense with the usual uh prevalent overview because we’re nearing the top of the hour and I do want to make sure we have time for uh questions uh based on uh Tom and Joe‘s uh you know, great presentation here. 
Uh I do want to call everybody’s attention to a couple of uh uh compliance checklists that we have published on the prevalent website. One in particular uh directly related to today’s topic. Uh we’ve got the top 15 NIST thirdparty risk management and supply chain risk management controls. Uh what we’ve done is we’ve scoured through several of the NIST requirements. You saw a lot of them today, 853, 161, 171, uh and others and pulled out some of the most salient uh controls that you should use to build your program around and uh or that you can use to kind of assess the key controls uh for your third party vendors and suppliers. We’ll include a link to that in the follow-up email with the recording and the presentation from from uh from today’s session, but I do encourage you to take a look at that that will help you kind of simplify and distill down, you know, what the most important pieces of NIST are to pay attention to uh in your environment. So, that’s all I wanted to share. I’m going to kind of pitch back over to Ashley. Actually, we can uh talk about any questions that are asked. Ashley: Thanks, Scott. I know we’re coming up at the top of the hour here, so we won’t have time unfortunately to get through all these questions, but um I do have one that came in who asked, uh you can’t possibly ask all questions on the 950 plus controls. But if you leave out an important one that comes to hunt in the future, how can you avoid that? Efficiency versus eventually. Joe Tolley: I probably can grab this one, Tom, and you can add to it. I think this is where the um uh the benefit of that profiling exercise comes in and plays a huge role. We shouldn’t be emitting questions that we could later rely on if there’s an element of potential risk or exp exposure based on that control. So if we understand that a particular supplier is critical and needs a deeper level of assessment, then that’s the type of assessment that you know should be fitting for that particular vendor. 
Tom, what are your thoughts? Thomas Humphre: I Yep. I I I completely agree. It’s it’s it’s of underlines the importance of of um having a very conducting a very in-depth risk assessment as as much as practical and and aligning that with with that profile because the more you understand about the vendor, about what they’re doing, it will make it so much easier to understand what are the controls or what are the risk areas that we’re more concerned about um that we need to then focus on based on these type of controls. Ashley: Thanks guys. And one last question here before we wrap things up. Do you have any recommendations for being able to calculate score based on written responses uh received from vendors on their assessments or is this usually done in accordance to an organization’s defined risk tolerance? Thomas Humphre: Um, yes. So, this that’s that’s an interesting question. So, I I always champion um it’s is important to make sure that when when you’re looking at scores and saying how do we determine whether this is a let’s say a critical or or 25 versus a a low or a medium and everything in between. Um, first Yes, it should come off off the back of an organization’s risk appetite and risk tolerance. Um, you know, under what condition would you be happy to say we accept that risk if it were to occur? How detrimental is it going to be to our own operations, our brand, reputation um and and and some of those areas. It’s important to understand the impact areas first. I think um following on from that should then make it slightly easier to work out if we know these are our top critical risks because this is going to give us the largest damage um we can then do a always like the ISO version of of impact over likelihood and that traditional risk scoring process um but I think yeah it’s goes to hand inhand um or it should go hand inhand with your risk uh appetite and criteria for risk acceptance would you agree Joe? 
Joe Tolley: Yeah certainly I think as much as we can steer away from the free text style of responses the better. You know, we have quite binary um sets of control requirements mapped to controls in standards. So, I would always suggest that if the more we can map to those, the more efficient our process becomes because it becomes more of a binary exercise whether things are or are not in place. Um and it’s easier to score that way as well. And of course, it’s easier to work on remediation with that type of information as well. You know, if they’re missing one out of three control requirements, it’s that one that we can grab onto very quickly and engage with the vendor about. Thomas: Yes. Ashley: Well, thank you Scott, Thomas, Joe, and everyone for all of your questions. Uh they give us some great information to take in today. So, I hope to see all of you either in your inbox or at a future private webinar. Cheers everyone and enjoy the rest of your Wednesday. Thank you. Thanks. Bye.

©2025 Mitratech, Inc. All rights reserved.
