Description
Download the companion PDF, The Top 15 NIST Supply Chain Management Controls.
The NIST SP 800-53 standard provides organizations with a comprehensive range of security and privacy controls for evaluating and strengthening their security and privacy programs. The standard can also be applied to third-party vendors in your supply chain. However, with more than 1,000 controls to address, where do you start?
Join compliance expert Thomas Humphreys as he reviews the top 15 supply chain controls from SP 800-53 and provides insight into how they fit with assessing your third parties.
In this webinar, Thomas breaks down:
- What questions you should ask from governance, policy, and control perspectives
- How to identify contingency plans and apply them to testing
- Which controls apply to risk assessment and monitoring
- …and more!
Watch this webinar to get a head start on aligning your TPRM program with NIST today!
Speakers
Thomas Humphreys
Compliance Expert
Transcript
Melissa: All right, good morning or afternoon. We have people trickling in here. Happy Wednesday. Nice to see everybody start joining. While we wait for everybody to come in, I'm going to go ahead and launch our first poll. So take a look at your screen; I'm going to do that now. All right, there we go. If you don't mind answering that, we're just curious to see what's bringing you to today's webinar. Is it educational? Are you in the infancy stages of your third-party risk program? Are you a current Prevalent customer? I'm going to leave that poll up and then I'll wait just a moment. We have lots of people coming; we have hit the hundred mark, it looks like. So I'm going to get a little bit of an intro started. We have a very special host here: Thomas Humphreys, content manager here at Prevalent. And then we also have the wonderful Scott Lang, our very own VP of marketing here at Prevalent, as well as myself. And I am Melissa. Maybe I've seen some of you via email or tried to get a hold of you via phone call, but I'm usually the one who will follow up with you after this webinar. So today I'm going to go ahead and waste no time. We are going to get started and talk about the hot topic entitled The Top 15 NIST Supply Chain Risk Management Controls. And we want to be efficient, so please feel free to use the Q&A for all those burning questions. Don't put them in the chat; they will get lost. And just to ease your mind, this will be recorded, so you don't have to stress about taking notes. The recording will be in your inbox, as well as the slideshow, later on, maybe today or tomorrow, depending on what time zone you're in.
Melissa: So make sure you're utilizing that Q&A box, please. Other than that, I'm going to go ahead and pause this poll in just a moment, and I will let Thomas take it away. Go ahead, Thomas.

Thomas: Thank you very much, Melissa, and hello. Yes, good afternoon, good evening, good day to everyone. My name is Thomas Humphreys, and I am the content manager at Prevalent. If you'll just bear with me, I'm going to share my screen. Hopefully everyone can see the beginning of the slides. So yes, I'm Thomas Humphreys. I've been working at Prevalent for close to four years now as content manager, helping to build and design third-party surveys and assessments based on the likes of NIST, ISO, ISF, and SIG, to name but a few. Prior to this role, I worked as an external ISO auditor focusing on the 27001 standards across multiple certification bodies in Singapore and the United Kingdom. And yes, I'm here today to talk to you about the top 15 NIST controls from the 800-53 framework, and certainly what they mean for third-party risk management and third-party engagement as well. Throughout the course of today I'll be going through what we've identified as 15 of the most critical controls, doing a comparison between the requirements from NIST and how you can apply them from a third-party perspective, and some of the key questions you should be asking third parties.
Thomas: I'll give a brief overview of the importance of NIST 800-53, particularly for those who are not as familiar with the standard, before doing a deeper dive into those 15 controls. They're split across four control groups: identify, detect, protect, and respond/recover. Then I'll summarize how to use 800-53 for your TPRM, or third-party risk management. As has been indicated, any questions you have throughout the webinar, just keep them rolling in, and at the end of the webinar we should have time for a short Q&A session. So with that, let's get started.

So, the importance of NIST 800-53. Briefly, for anyone who may not be familiar with the framework: NIST, or the National Institute of Standards and Technology, is a US-driven standards framework, initially designed for federal agencies, and the focus is very much around information and cyber security, but it has grown such that many organizations globally use this framework to adopt best practice for information and cyber security. It provides a very comprehensive suite of security controls. When you're looking at the full end to end, there are in excess of a thousand, but it is very much built around the concept of control families or control groups, in a similar way to how ISO and other frameworks design and structure their controls. What do we mean by control families? Well, we're thinking about personnel security, business continuity, access control, supply chain management, and risk management, to name but a few. In a similar vein to ISO and others, there's a lot of clear structure around shaping these different controls. But of course, this always gives rise to a difficulty: a difficulty in deciding what controls to implement or assess organizations against.
Thomas: So if we have in excess of a thousand individual controls built around these 20 control families, how do you start and say, based on the type of service and business operations we're engaged with, or based on the type of third parties we're working with or going to be working with, how would you break down those thousand? Do we capture all of them in our assessments? Or, for many third parties, is that going to be overkill? Is it going to be too much information and too much control when we don't need to go to that level? And this has actually caused us to review them and to say: can you categorize, can you list minimum controls that any organization or party, regardless of whether they're a very large global MNC or a very small or medium enterprise, should have or be able to adopt? That's very much the purpose of today's talk and the webinar: to try to break down the wider set of controls and say these are the ones that we believe are of most criticality. But it's always important to note that, like any good practice for assessing security, and assessing cyber and information security, it's always important to understand the scope and boundaries of what it is you're trying to assess. Although we are touching on what we consider to be the top 15 today, as you'd expect with such a large volume of controls, naturally there will be others that are of equal importance and sometimes equal criticality given the type of operation and business that you're working with and the type of third parties that you're engaged with as well. So let's go into those control functions, or control groups, in a bit more detail.
Thomas: When considering cyber security controls, functions or groups can be considered as a way of organizing controls and defining a clear course of action. When you look at the wider NIST 800-53 framework, and the subsequent cyber security frameworks that help to build out this approach, we come across five key areas, or pillars if you will: identify-based controls, protect-based controls, detection, responding, and recovery-based controls as well. So, what we mean by these. From the top, identify is all associated with the foundation for developing a cyber security framework. We're looking at controls associated with being able to identify risk, being able to identify minimum requirements that you need when developing or acquiring systems, applications, or solutions. We're looking at the identification of controls when engaging with third parties: what are the minimum expectations? Are there risks that we've identified at the early stage that are going to help us drive protection-based controls and detection-based controls, and anything that's going to help us respond to or recover from incidents and events? Moving on to protection-based controls, then. We're talking about limiting or containing threats through proactive control management. So what do we mean by this? Well, following off the back of the identification part of the framework, where we've identified risks and we've identified a clear framework for managing and recording those risks and threats to the business, it should help us be in a better position to start to look at controls that can already apply to our own systems and solutions and that can help protect against and minimize those risks. So network security-based controls; controls that allow us to manage access into our critical systems and infrastructure; data security-based controls such as the need for data backup solutions, encryption, DLP, and other key aspects that may be necessary based on the type of solutions or informational data that we're managing. Moving on then to the detection piece. We're talking about identifying events, and by events we're talking about incidents, weaknesses, and/or threats, and setting controls that allow that detection capability through various processes, systems, and procedures. So, controls that allow the detection of threats or weaknesses. We'll go through this in more detail later on, but as an overview we're looking at controls that allow event monitoring of systems and solutions, and assessments against your critical controls: vulnerability assessments, penetration testing. And of course all these controls that fit under identify through to recovery, although they can be applicable within your own business, can be equally applicable and important, as we'll see, when engaging with a third party and working out what controls I need to ask about, what critical questions I need to ask of my third party or third parties. Then we come to the respond and recover based controls and functions: taking action to contain and minimize impact from cyber security incidents. So, having gone through the process of identifying risk, applying controls to protect critical information and systems, and having controls to monitor for threats and weaknesses and potential gaps in our solutions, where those gaps and weaknesses do occur, do we have controls that allow us to contain and minimize the impact from that incident at the earliest possible stage? Now, this again could be very technical-based controls; it can be organizational-based controls.
Thomas: So understanding and implementing key roles and responsibilities within the business, different functions and business functions that can respond quickly and can engage with internal and external stakeholders, to demonstrate that should an event, an incident, weakness, or threat occur, we're responding to it in the way you would expect us to. And then finally, recover: the restoration of capabilities or services that are impacted by the cyber security event. So again, going through the process in a similar manner to the respond section, once an event has occurred, the steps that we take to get back up and running and get business operations and infrastructure back to business as usual in as timely a manner as possible. So if you now take a wider look at what these 15 controls are: on the left-hand side of the chart or table here we have the different control groups within the NIST framework, then on the right-hand side we have the individual controls. From an identify perspective, we're talking about risk assessments; the acquisition process, so acquisition of systems or solutions; system component inventory, asset inventory, asset management; contingency plans; and risk management plans. So risk is mentioned twice here, but as you can see from the left-hand side, this one is more concerned with the supply chain risk management process, as we'll explore shortly. Moving on to the protection-based controls, we've identified boundary protection, access enforcement, identification and authentication onto systems, and training and awareness.
Thomas: So employee and contractor training and awareness where appropriate, and change control under the banner of configuration management. From a detection perspective: vulnerability monitoring and scanning; event logging, as I mentioned earlier, and we'll go into a bit more detail here in terms of what that looks like; system monitoring; and contingency plan testing, so processes to test the success or failure of plans and different approaches the organization has identified from the outset. And then finally, blending both the respond and recover functions together, we have incident handling and incident response planning. Now, as I say, these are just 15 of the controls. When you look at the wider set of control groups within the NIST framework, there'll be some that expand considerably based on key topics: the concepts of secure development or system development, for example; further depth around how risk management is identified and managed; contingency, business continuity, and recovery planning, to name but a few. But these 15 here, from risk assessment through to incident handling and incident response planning, are ones that we believe the majority, if not all, organizations should have some capability in place for, or have a very clear understanding of the importance of these controls and how they apply to their own business. As I said, as we go through we'll be taking each individual function in turn and conducting a deeper dive. So, starting off with the identify set of controls. The boxes you can see on the far left represent the requirements captured within the NIST framework. Starting off with risk assessments: conducting risk assessments, documenting the results, and reviewing and updating the assessments at defined frequencies.
Thomas: So what this is saying here is really setting the scene around how we identify and manage risks. Now, there are many best practices out there, ISO 31000, the NIST RMF or NIST Risk Management Framework, to name but a few. But there's always a consistency and structure required here in terms of not only the identification of risks but the management, the ownership, the review, the response, the recovery, and the continual review and improvement of the risk management process. The focus here is getting organizations to understand: we need that structure to conduct a risk assessment, but we need a process to clearly document those results. How do we document them? There are many solutions and offerings out there, whether it's documentation through Excel sheets and other documentation in that way, or whether it's through an online platform or tool set. But thinking from a third-party perspective, of course, what we're really trying to ask and get out of this is: does the third party have a structured process and the ability to identify and manage risks? And it's important to note, as we go through these 15 individual controls, there's always going to be a combination of questions that you ask third parties, areas that may be called out through formed agreements, contracts, and terms of agreement, and other controls that are best placed for conducting performance reviews, on-site or remote audits, and other forms of assessment. So, thinking about the need to have a formal approach to assessing risk: do the third parties align to common frameworks such as ISO 31000 or the NIST RMF? Do they have other frameworks that they use?
Thomas: But ultimately we're trying to ascertain: are they in a position where they can really identify risk, both internal obviously and external, but also the responsiveness to change in the organization, its systems, or external environmental conditions? And obviously, having a very well-structured and systematic approach for regularly reviewing and managing risks is going to give organizations the confidence that those third parties are keenly aware of threats and are constantly reviewing and updating their systems in response to those threats. Certainly when thinking of some of the more recent and ongoing issues, not least Log4j and the multitude of ransomware attacks that we've seen over the past couple of years, having processes, as we'll see throughout this talk, to detect such incidents, but then to come back and risk assess them and capture them within our risk registers, again gives you more confidence that the third party has a good process to handle such threats and weaknesses. Next, identifying security and privacy controls within the acquisition of new systems. Looking at the acquisition process here, the framework sets out clear requirements for identifying security, and privacy for that matter, controls within the acquisition of new systems and solutions. So what are we talking about here in terms of security requirements? Well, we're looking at functional security requirements and assurance requirements, minimum criteria for looking at hardening and baseline configuration of systems, for example, and how encryption is deployed and built into systems.
Thomas: And so certainly, if you think about the third-party approach, if you're procuring systems and solutions from a third party or from a vendor, have you already identified those minimum requirements that you expect a system to have in terms of being able to secure data and being able to minimize any weak points within the system by the time it comes into your hands? Next, developing and documenting an inventory of system components that accurately reflects systems. So, moving on to the system component inventory piece: asset management of both hardware- and software-based assets. The key thing to highlight here is the use of asset inventories that capture all of those information systems. And it's not only capturing those information systems, but also the focus around the level of detail for each system or piece of software. What type of detail am I referring to? Well, we're looking at system names, software version numbers, software licensing, hardware inventory specifications, asset owners, location of assets, being able to identify these assets from the outset. Again, this is particularly aligned with the risk approach, so knowing where the most critical systems are and how they relate to the risks being identified is absolutely mission critical for most organizations. And again, being able to turn that back onto the third parties to say, well, how are they managing their inventories? Does a third party inventory all of their critical assets, particularly those where access to customer data, customer information, for example, is going to form part of that system component?
Thomas: So, being able to validate that third parties are staying on top of their inventory of assets, that they've logged them correctly and they know the location of them, but also, on the other side, where assets change and there's a need to decommission assets, remove them, or destroy assets: is the third party able to review these and log these through their inventory, so it's clear which assets are live, which assets are dormant, and the level of detail around the hardware configuration, the operating systems used, for example? So there's a lot of detail here around structuring an inventory, a component inventory. But the trick here is to make sure that you've covered all the key aspects that can tell you where those assets are, who has ownership of them, and what data is being captured in them, thinking about the concept of data flow management across systems as well. Then we move on to managing, coordinating, reviewing, updating, and communicating a contingency plan. So, verging on business continuity and disaster recovery here. But what do we mean in terms of contingency planning? It's the organization's approach to protecting and recovering critical systems and services: being able to identify the impact, conducting business impact assessments so we know these are critical solutions, these are the areas that we need to pay attention to if we need to go through a recovery effort or some form of backup capability or backup effort should an event or an incident occur. And so this is the planning approach that addresses system restoration and recovery objectives, with the ultimate aim of minimizing system and service downtime.
Thomas: And as we can see from this, it should be managed and coordinated, but continually reviewed, updated, and communicated as well. This becomes particularly important from two angles. One, internally as an organization where you rely on key third parties to deliver critical services: do they need to be involved in or be aware of your contingency plan and their responsibilities for helping you recover? But on the other side, approaching it with the third parties themselves: have efforts been made to plan for recovery of data, information, and systems? I mentioned that many of these controls can appear through performance reviews and audits; they could also appear through contracts. This could be one that you can typically find in a third-party contract or terms of agreement: that they have a method of contingency planning in place so that, should the third party suffer an event or an incident, they are able to recover systems that are impacting yourself as a customer, or, where there are your own systems that they're managing on your behalf, they've got a process to recover them in a timely manner. And so there are different methods that you'd use to assess this, but certainly that critical question, to make sure that efforts have been made to plan for the recovery of systems and information, is critical here. And then finally, risk management plans. We've already touched on risk assessments, but we're now looking at risk management plans from the supply chain aspect. So what do we mean here? It's thinking about risk assessing suppliers.
Thomas: So if you're engaging with a third party, they may have other third parties, or for want of a better word, your fourth parties and fifth parties, that may have an interaction with your own systems and data to help support the end product or solution. And so we need to find out: does the third party risk assess their own supply chain? Do they have a formal plan of attack, or approach, to address and understand risks associated with their own third parties as well? So, creating a risk management plan to identify threats and vulnerabilities and calculate risks associated with those suppliers and the supply chain. And of course it's always important to highlight here that these plans should always be tailored to fit an organization's risk policy and strategy, and also be continually updated to identify risks and controls that are relevant to the business. So if there's a change in the service the third party is providing to you, an expansion of service, or an expansion of delivery or interaction with data, maybe sensitive data or critically sensitive data, is that going to cause an increase or a decrease in the risk? And so do the suppliers and the wider supply chain need to be reassessed against those risks? So again, in a similar vein to the first risk assessment piece we talked about, it's that continued improvement and continued review cycle that we need to be mindful of. So, moving on to the protect controls now, and we start with boundary protection. This requires monitoring and controlling communications at the external and internal managed interfaces.
Thomas: So when we're talking about boundary protection, we're looking at the network, the wider network, and putting in systems and capabilities to monitor and control those networks, and particularly any sensitive aspects of the network. There are some obvious systems and solutions that many organizations will have, not least from a firewall capability, and detection and prevention capabilities, so thinking intrusion detection and intrusion prevention solutions, some of which are combined within firewalls themselves. And so understanding the need to protect critical areas and entryways into your network, and the placement of those solutions; but it's obviously a bit more than the placement of those solutions as well. We're also looking at the need to set clear rules and ensure that rules within those systems are activated. So thinking about firewalls, setting deny-all, allow-by-exception rules that control the flow of traffic at those particular borders. And so asking third parties: well, are controls in place to manage and protect critical aspects of the network? Are network segregation controls and rules applied as well? Where within your network are you housing critical systems that may be containing our information or our assets? It's obviously important to note, although we've called this out as a key control, and the overall management of the boundaries of an organization's network, there are many organizations, particularly nowadays, that rely more on cloud-based environments and cloud-based providers.
Thomas: And so their network is very minimal, and any solutions that they're using that are interacting with yourselves as an organization are very much driven by the cloud providers. In that case this becomes less of a concern from the third party's internal boundary protection and goes more back to the risk management planning and the assessment of their supply chain and of those cloud providers. So again, this is important to note: the criticality in scoping these controls, and in scoping what controls are important to us when we view a framework such as NIST and other similar frameworks such as ISF, is that the controls being applied are relevant to the type of business, type of solution, and type of third party that you're working with. Then we move on to access enforcement and identification and authentication. They're across two areas, access control and identification, and they both fit around the wider access management piece. So firstly, identifying and authenticating users, and approved authorization for logical access as well. Granting access to information system resources should really be decided based on the defined access control policy: an overarching policy that sets the scene in terms of the type of access controls, type of access enforcement and restriction, and type of access capabilities that we need to implement within the business. So, setting out that requirement for granting and revoking access, and particularly where restriction of access is necessary as well: the use of role-based access controls, the use of privileged account management and privileged access management.
Thomas: So there's a lot of consideration here in terms of thinking about the type of systems, the sensitivity of systems, the information or data classification that surrounds those systems, and applying the correct levels of enforcement so that only those who need access are granted access. But also that process to continually review and assess those controls, particularly with the determination of whether they need to remain or need to be revoked. So again, thinking about how we'd look at this from a third-party perspective: asking that question around how access to critical systems is managed. Are they using the principle of least privilege when assigning access for their own employees to systems that may be owned by yourselves, owned by a customer, or containing customer-sensitive information? And so it's having that validation and verification to make sure that the level of access authorization, the level of access enforcement, and particularly the level of review that's performed by the third party is commensurate with the level of risk that's associated with those types of systems or types of data. And we quickly move on to the identification and authentication piece as well, where we're looking at uniquely identifying and authenticating all users, which includes both employees and contractors. Now, there are a lot of different identification and authentication methods out there. More often than not they can differ depending on the type of roles and also the type of systems and data being accessed. Perhaps one of the most continually and widely used is still the user ID and password management concept: setting complex passwords and having a unique identifier to register each individual user.
Thomas: Obviously what's becoming more common now as well is going beyond that and having a multitude of authentication systems. So MFA or two-factor authentication techniques, biometrics in some cases as well. In a similar vein to the access enforcement, one of the key considerations here is really looking at whether the controls applied for authenticating onto a system are commensurate with the data or information classification. So in some cases, if you're looking at the user ID and password management solution, is that appropriate in systems that are perhaps supporting the delivery of the end product but not containing sensitive data? That may be sufficient: a complex password of a minimum of 12 characters, alphanumeric for example, and a unique user ID may be suitable. For systems that have highly sensitive data, however, that may not be enough, and we may need to look at the use of multi-factor or two-factor authentication solutions, and we may need to look at the use of biometrics in some solutions, particularly when looking at mobile devices. And so again, asking the key questions of the third party to make sure that the level of access control that they are applying fits the level of classification and sensitivity of the systems that they're using or that you're relying on them to supply. Then we come to the final two: training and awareness, and change control. So organizations should provide security and privacy training to system users. Now it's often one of the controls that has fewer sub-controls in it compared to the likes of access or system acquisition and system development. But nevertheless, I think it's genuinely recognized, and I believe it's one of the most critical controls any organization should be applying and should be aware of.
Thomas: Because you can put the most controls in place, you can have a multitude of controls and policies and practices, but if employees don't follow them, if they're unaware of how to follow them or unaware of the practices and responsibilities that they should be putting in place, then the controls could amount to nothing, and in many ways amount to an increase in risk. And so having a very clear program to identify security responsibilities for employees and contractors, where contractors are involved. Having visibility of employee-focused security policies, so acceptable use policies for example. But also best practices in terms of common threats and trends in threats is equally important. So if you think about the increase in the use of phishing and phishing emails, for example, having that awareness to be able to inform employees how to spot a phishing email, how to respond to something that looks like it could be ransomware. But also how to inform the relevant personnel, how to inform an incident manager or an IT manager, or inform someone in the company who's best placed to react to that and to deal with it. So it's really important that training and awareness is embedded within the culture of the organization. And of course when we think of training, I guess the easiest things that come to mind are classroom-based training, online training, e-learning, but it's also important to look at the internal awareness piece as well. So internal marketing, for example, that highlights critical best practices and is posted up around an organization's office space, which again reinforces some of those key messages.
Thomas: So there's a lot of capability here to think about and a lot of best practices, but ultimately, thinking from a third-party perspective, we need to be assured that those employees who are handling customer data, sensitive information and assets have been made aware of their responsibilities, have been trained, and are also regularly trained as well. It's all very well to say they're trained upon joining the organization, but it should be a continually evolving effort and a continually evolving cycle, particularly when new and emerging threats arise and there is a need to communicate that effectively to employees. And then finally, determining and documenting the types of changes to systems, recording changes, and monitoring and reviewing changes as well. So change management is a core component across many businesses from a couple of angles, both from a system change perspective but also from a business change perspective as well. So change to business services, expansion of the business, use of new systems and infrastructure to better serve customers. You should have a clear process to manage that change and to record those changes, but also be able to monitor it: has the impact been assessed based on this type of change? Have we got a clear testing procedure in place? Do we have a backout procedure should a change fail? Again, from a third-party perspective, asking that critical question of how changes are managed within their organization, particularly changes that affect our systems or the critical components that affect us as a business.
Thomas: That gives further confidence and reassurance that there's a systematic process to ensure that changes have as minimal an impact as possible, or, in the worst-case scenario where a change were to fail, that there are practices and processes in place to make sure the recovery effort is as speedy and timely as possible and the impact back to the customer, back to your sales, is minimal. So, having that structured process to manage and control changes. Now we come to the detection controls here, and as you can see we've got four key aspects: vulnerability monitoring, event logging, system monitoring and contingency plan testing as well. So we start with vulnerability monitoring and scanning: monitoring and scanning for vulnerabilities in systems and hosted applications. There are multiple ways to conduct vulnerability scanning and monitoring. One of the key aspects here is really identifying those critical systems and networks, and the level of scanning required for each. Are there systems that need to be scanned on a weekly basis, a monthly basis? Is once every two months sufficient? There are general best practices, thinking about the wider NIST, ISF, ISO, SIG and other frameworks, that you should vulnerability-assess critical systems at least on a monthly basis. Certainly if you're getting to the stage of only six-monthly or annually or even ad hoc, you should start to be concerned if that's a response that you receive from a third party. So being aware that they have vulnerability assessment capabilities in place. They may have vulnerability tools. They conduct regular vulnerability scanning on critical systems. And of course the process that sits behind that.
Thomas: So the response where vulnerability assessments identify weaknesses or potential holes and gaps in systems and solutions. So the frequency of scanning should be commensurate with the criticality of the systems and data being managed. Moving on to event logging, which says systems should be monitored to detect attacks and indicators of potential attacks, and identify the types of events systems are capable of logging as well. So thinking about event monitoring and event logging: it generally can be wide-reaching. There are a lot of types of logs that could be captured and reviewed, everything from user logs, access logs, administrator-based logs, as well as system- and security-based logs. So being able to identify and apply a solution that can monitor a wide range of events and audit logs is going to give you the best chance of being able to detect any form of weakness. So think about administrative access, security and privacy changes, external credentials. All of these should be considered when planning what events and what logs should be reviewed and assessed. And of course security information and event management systems and applications, or SIEMs, can obviously help with this, with providing that level of analysis but also reporting and alerting. So for any security alerts being generated, and obviously that's the key thing here we need to be mindful of: we not only have a capability to monitor and to record when there are deviations or issues, but there's some level of alerting capability, and again, asking this of the third parties as well to understand what level of monitoring they perform and how regularly it is performed.
Thomas: And equally, from a communication standpoint, should any security weaknesses or incidents be identified, how is that then communicated back to us as the end user or as the customer? From a system monitoring perspective, again, systems should be monitored to detect attacks and any indicators of potential attacks as well. So this could be an unauthorized connection, for example, and thinking about that structured approach to monitoring the organization's network and critical systems. Now, we mentioned at the early stage around boundary protection the use of firewalls and other systems to protect the network; intrusion detection systems and intrusion prevention are obviously key here. So the use of intrusion detection tools, automatic scanning and any real-time analysis should be considered, particularly as a means of aiding a rapid response to suspected attacks. So again, thinking back to how you'd engage a vendor or third party in that matter: obviously asking the question of how they protect their network, how they protect their wider boundaries, but thinking of the level of monitoring and threat detection, the use of intrusion detection systems or IDSs. Is it something that's captured within their firewall and is it something they've activated, or are they using a standalone solution to manage this process? And finally, contingency plan testing. We stated at the early stage, in the identify piece, the need to develop a contingency plan. Thinking of business continuity and disaster recovery, identifying critical assets, setting recovery targets, knowing what you're going to recover, when you're going to recover it, and the plan's timeline to recover them.
Thomas: Going through the testing of that plan on a regular basis will help to ensure the effectiveness of the plan and also to detect weaknesses as well. So, we may have set clear goals in terms of recovery of critical systems through backup solutions, through reliance on third parties, through additional sites, hot sites. But if those recovery objectives fail or they're inadequate, and we're actually not going to recover the full operation until 24 or 48 hours later than anticipated, we've now got a weakness here. So the ability and the need to continually test that contingency plan, so you can detect those weaknesses, those weak points in your recovery efforts, is absolutely critical. And of course it's important to know that although we say contingency plan, for some organizations it could be a series of plans. It could be an overarching plan that covers every part of the business, or it could be functional plans that each individual part of the organization has to identify, and in that case it's making sure that each plan is tested, and tested in a regular manner. Finally, respond and recover. So, organizations should implement an incident handling capability aligned to an incident response plan. I've captured these two together, so the way incidents are responded to and the recovery capability and recovery effort as well. So organizations should implement an incident handling capability which includes preparation, detection, analysis, containment, eradication and recovery. So by having a well-defined method for managing an incident: being able for employees to report an incident, having roles to identify the incident, to record it.
Thomas: But then to set a process for responding, whether it's internally, whether it's externally, the level of engagement with key stakeholders, but also the level of engagement with security expertise as well. So there's a lot of capability and key aspects to cover here. But certainly incidents should be managed by a defined group or set of roles. And of course it's important to recognize that, based on the complexity and size of the third parties, this could be everything from a complete incident management function and team, or set of teams, to an individual who perhaps is relying on external security expertise to help them manage an incident capability. So it's always important to understand the complexity and context of these scenarios when engaging with the third parties. Obviously, good incident response processes will include internal and external communication, as identified, and also methods of capturing the incident. So events, actions that have been taken, lessons learned, and obviously once you've got that process of responding to an incident, of handling an incident, doing the necessary forensic analysis to understand the root cause and where that incident came from. We've then got the recovery side of it. So how the organization is responding to that incident: is it applying additional security controls to mitigate or minimize the risk that's occurred? Is it taking a different course of action through the use of external bodies to help manage that incident? But there should be a combined process that's sitting over the overarching incident response and incident recovery capability. What's not listed here, of course, but is equally important and worth noting, is the business continuity piece.
Thomas: We've touched on the contingency planning and the testing of contingency plans, and it may be in this scenario, through the incident process, that the decision to activate a contingency plan or a disaster recovery solution is announced. And so making sure that that planning, testing and response capability is established from the outset, even if incidents have never occurred in the past for an organization. It can sometimes be easy to say we've never suffered an incident in all our time and in all our operations, but it's about having that capability and understanding of what you're going to do should the time come when you do have a weakness or an incident that you need to manage. And so again, turning this back on to the third party, from a contractual or terms-of-agreement perspective, making sure the third party has an incident capability, but particularly from the response piece and the recovery piece, that there's clear communication back to yourselves as an organization. So there are core call trees and communications from the third party that alert you when they have suffered an incident, and particularly an incident that's affecting your solutions or systems. So taking a step back, we looked at those five pillars: identify, protect, detect, respond and recover, and I guess we could sum these up in five key questions from a third-party perspective. So from an identification standpoint: has the third party identified its critical systems and components under a risk management framework, has it identified critical assets, particularly assets that have access to key data and information of their customers, and have they set a plan to manage and identify risks from the outset?
Thomas: Are controls to manage access and visibility of critical systems defined and implemented? Have they already got a process for applying encryption-based controls on the critical systems holding sensitive data? Do they have processes to manage and restrict access? Do they have physical protection controls based on the location, the geography, or again the nature of what the organization is doing? Do they implement CCTV, for example, as part of physical security protection, and even detection controls for that matter? Does visibility of new and emerging threats exist? So do they have detection capabilities? Through event monitoring, through vulnerability testing and vulnerability assessments, penetration testing, and the use of SIEM solutions to be continually aware of threats and where those threats do exist. Conversely, are they then filtered back up to the risk management piece? And then from a protection standpoint, the training and awareness piece. Can the third party identify and handle incidents and threats? So, do they have a formal incident process and assessment? And does the third party have the capability to recover critical systems and services? So, business continuity and disaster recovery. These are some of the key questions that we could be asking our third parties when we're engaging with them, when they're trying to set the scene through contract, through terms of agreement, but also through regular performance reviews or sending risk assessments and security assessments out to organizations. So, hopefully it gives us wider visibility and verification that they've got a governance structure in place. They've applied controls to protect and detect systems.
Thomas: And they've got processes in place to respond to threats and weaknesses, and to recover systems back to business operational capability. So, with that, I'll turn it back to Melissa and to Scott. Melissa: Yes. Scott, do you want to go first, or do you want me to launch the Q&A? Scott: Let me go first, but I need to share my screen. So, Thomas, if you could stop sharing so I could start sharing. Thomas: Stop share. Okay. Scott: Awesome. Okay. Great. Just a quick confirmation from you, Melissa, that you can see my screen. Awesome. Thumbs up. Hey, thanks so much everybody for attending today's webinar. I just wanted to draft off of Thomas's content for a moment to give a very brief overview of how Prevalent can help you simplify and automate your NIST top 15 controls, or SP 800-53 controls, reporting and mapping. A lot of what we find is some companies try to use spreadsheets with lists of questions and some control scoring or ranges or whatever to try and collect this information from third parties across their supply chain. But we know that that's a terribly time-consuming, complex process, it takes a lot of resources, and it never gets you the data that you need in the way that you need it to help you manipulate it, understand it, and then report on it in the end. That's a lot of what we help accomplish with our platform: to help you automate the collection of key control information from your third-party vendors and suppliers. Centralize it in a single platform to help you visualize it, see it not just for your entire ecosystem, but individually, per control, per supplier. And then give you automated remediation guidance in there to help you make or recommend critical changes to some of those control weaknesses that you find from those suppliers and vendors.
Scott: And we don't do it from a one-and-done perspective. We do this at every stage of the life cycle of that relationship with that third party. So if you want to do a pre-assessment on the top 15 controls like we talked about today as you're onboarding a supplier, we can help you automate the management, analysis and remediation of that information, or we can do it as you progress through, whether on an annual basis to prepare for an audit, or as you're offboarding and terminating a relationship as well. So again, built-in assessment capabilities in the Prevalent platform to help address every stage of the life cycle, and then automated responses, automated remediation recommendations, and then built-in compliance reporting to help you prove to the auditors that they align with what you want in terms of your control exceptions and acceptable risk thresholds. We've done a ton of this work already on your behalf. We've written an asset called The Top 15 NIST Third-Party Risk Management Controls. It's a checklist to do some supply chain risk management reporting using some of the top controls that Thomas has talked about in the webinar today. We will send you a link to this in the follow-up email to today's webinar, where we have the recording and the PDF of the presentation. We'll also give you a link to this NIST download to help you consume that, read it, understand it, and then apply it to your respective businesses as well. So, Melissa, that's all I wanted to share. I'll pitch it back over to you. I know we're at the top of the hour, but we probably won't open it up for questions. Melissa: Okay. I'm going to go ahead. We have one question, but I do want to just launch that last poll. So, if you are looking to augment or establish a third-party risk program in 2022.
Melissa: Please fill that out. We do follow up. So don't just willy-nilly press anything and get out of here. We are people of our word. So make sure you answer that appropriately. And then for those of you who are still on, do we have time for one more question that somebody asked? Scott: I hope so, Thomas. I'm going to go ahead and read it to you. What is the best way to identify third parties who should be included in BCP testing, and then how do we ensure our third parties are including us in their BCP testing? Thomas: Oh, great question. So yes, when thinking out your own business continuity plan, it's critical to identify third parties who are delivering critical systems and services to you. So if you are reliant on any suppliers to deliver a key product, I guess that would be my starter for ten, my first port of call. So looking across your supply chain where there are critical suppliers that you may be dependent on to get back up and running should you suffer an incident. It'd be those types of organizations that you need to start engaging and bringing in as part of your BCP framework. Conversely, how to ensure our third parties are including us in their testing. So yes, I guess there are two points here. Firstly, being made aware of a third party's continuity plan: does it cover, and have they considered, critical systems that are impacting us? So if they have a system that's holding your data, your information, firstly you obviously need to make sure that system is included as part of that recovery plan.
Thomas: Secondly, having that engagement with the third party through not only contract but regular reviews and a good relationship will help to ensure that they make you aware when they're testing that capability. And if they have to go into a continuity event in the worst-case scenario, are they making you aware that these systems need to be recovered in a quick manner? So yeah, there are a lot of different areas to consider here, but at the earliest stage, being able to engage with the third party and understand whether the systems that are carrying our information and data are included as part of their recovery planning is, I guess, the first key step. And when you test them, can we be involved? Okay, I think that's it. Melissa: That's it on my end. Thank you everybody for hanging in there a few minutes after, and we will be seeing you in your inboxes shortly. Thanks again.
©2026 Mitratech, Inc. All rights reserved.