Description
The impact of a breach or other third-party incident might not be immediately apparent. Company assets and customer data could be affected, or a geopolitical event could tie up your supply chain. That’s why an incident management plan is essential to effectively assess, communicate, and mitigate potential damages.
Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former EVP and Chief Strategy Officer of the Shared Assessments Program, as he examines the six phases of successful third-party incident management.
Bob shares tips and strategies for:
- Scoping and building an incident response plan
- Closing gaps in incident detection procedures
- Communicating with customers, management, and other stakeholders
- Streamlining triage and analysis
- Ensuring effective containment and recovery
- Following up to further strengthen your program
An effective incident management plan is crucial to maintaining resilience when – not if – a third-party event affects your business. Watch this webinar to compare your program against proven best practices.
Speakers
Bob Wilkinson
CEO of Cyber Marathon Solutions and former EVP and Chief Strategy Officer of the Shared Assessments Program
Transcript
Bob: Thanks, Melissa. Hello, everyone. Today's topic is incident management and its role in third-party risk management. For the agenda, we're going to start by talking about why incident management is critical to business success. It's really at the core of ensuring what I refer to as operational resilience. From there, we're going to do an overview of incident management: who the key incident management stakeholders are and the different phases of the incident management process, starting with preparation, which is absolutely key to having a successful program; incident detection and then communication and reporting procedures; incident containment and recovery; and post-incident follow-ups, including lessons learned, which is absolutely a key step if you plan not to fix the same thing and address the same incident over and over. Then we'll move on to effective incident management for extended supply chains, by which I mean fourth, fifth, and nth parties, and then summarize what we talked about today. Everyone, please feel free to use the Q&A. The more interactive this is and the more questions we get, the more enriching the whole webinar will be for everyone, including myself. Without further ado, let's jump into things.

So why is incident management critical to business success? Well, there are several key reasons. As I said already, operational resilience: the ability to continue to deliver the critical services and products that you provide to your customers. Continuity of business: ensuring that it's fully available as needed, and the ability to recover from disasters. Incident management protects against geopolitical, nation-state, and criminal enterprise threats.
So in today's world we have a lot of things that we have to deal with, whether it's cyber espionage that's emanating from a nation state, whether it's ransomware attacks, which some countries use as a revenue source, or whether it's criminal enterprises looking to exploit you either through ransomware or the theft and use of your personal data.

Bob: It's important that you have a process to deal with an incident when it occurs. Not if, but when it occurs. The average time from when a company may be compromised until the discovery of that compromise is 270 days. When you think about that, a lot of damage can be done in that time frame. Incident management also provides defense against system vulnerabilities and misconfigurations. One of the things that we regularly see, and in fact we see a lot with cloud migrations, is misconfiguration of system resources and applications, which then leads to compromise and an incident. So understanding that you're taking proper steps to protect how you configure your systems and your applications is an important step in mitigating incidents and the severity of incidents. Incident management allows you to quickly respond to critical third-party and subcontractor incidents, as has often happened, particularly in the last six months or so, with things like SolarWinds, Kaseya, and some of the other compromises. When an incident occurs at a third or fourth party, you're often scrambling to figure out whether you use that third party, and if you do, whether you are using the affected software or product that has been impacted by the incident. And when you think about who your critical third parties and fourth parties are, the guideline that I always use is: who among my third, fourth, and nth parties am I sharing sensitive information with, and which of those suppliers have access to my infrastructure, not just the network but anywhere in my infrastructure and applications where access may have been granted? Because those are the high-value targets that lead to significant compromise. Incident management also helps you mitigate the costs that are associated with responding to incidents: first, the reputational and financial damage that may be done, but also how it consumes the time of the people and resources in your organization to respond to incidents. So it's not just what did they steal or what damage can be done, but also how the organization has to respond and how that can consume parts of your organization for days and weeks in trying to sort out an incident and respond to it.

Bob: And then having a sound incident management process, where you can demonstrate your understanding and ability to respond, is also a consideration when you think about cyber insurance. So you may want to get an insurance policy, but just as with an automobile, the insurance company is going to ask you a number of questions to ensure that they're not taking undue risk by offering you cyber insurance, and demonstrating that you have processes in place to respond to these types of incidents will allow you to be effective in your application for cyber insurance.

So let's start with an overview of incident management. It is a critical business function, and its purpose is to ensure the continued operational resilience of the products and the services that you deliver to your customers. Now, what's a working definition of an incident? Incidents are events. Let me just talk about events for a second. Any and every anomaly that your business encounters is an event. It may or may not turn into an incident. So that's why it's good to have a working definition and be specific about what incidents are. They are events which disrupt or reduce the quality of a business service or threaten to do so.
There are two key factors involved in an incident's priority: its impact and its urgency. Depending on how it impacts your organization and how time-sensitive that is, that will determine a lot of the steps that we're going to talk about in the following slides. So what's a working definition of incident management? Procedures whose purpose is to identify, investigate, and respond to potential security incidents, where the goal is to maintain and restore normal service operation as quickly as you can while minimizing the impact to the business. So when you look at an incident management process, there are several steps: incident management preparation; incident detection and communication and reporting procedures; incident triage and analysis; incident containment and recovery; and then post-incident follow-ups, including lessons learned.

Bob: Now, in order to have an incident management process that's effective, you need to think about who the key people involved in the process are. Who are the stakeholders? While certain roles are obvious, others may be less so. But in order to have an effective process, you need to think more broadly about who gets impacted by an incident. So when an incident occurs, of course the information security organization is going to be involved, as is the business unit that's affected. Now, when it involves a third party, it's also going to involve the relationship manager for that third party. Depending on the severity of the incident, senior management and the board of directors may need to be notified. Also, depending on the industry you work in, there may be a need to proactively notify your regulators, and failure to do so has potentially significant consequences for your organization. So you need to be aware, particularly if you're in banking or health care, that there are specific requirements where you have to provide notification.
If your organization has an established enterprise and/or operational risk management function, they should be informed as well. Part of their role in the process is to ensure that the root cause of the incident is determined and that proper steps for mitigation are put in place to prevent a recurrence of the issue. Depending on the type of issue, whether data is compromised or whether laws have potentially been broken as a result of the incident, it's important to loop in your compliance organization, because they're the usual channel by which organizations report to outside entities, particularly regulators, that an event has occurred. Business continuity and disaster recovery organizations are usually key in the process of recovering from an incident. And one of the first things the business continuity folks will ask is whether this incident originated with us or whether one of our third parties was affected. So I'll talk a little bit more later about the need to have visibility into the extended supply chain, by which I mean the third, fourth, and nth parties that are associated with your critical business processes.

Bob: There may be legal implications. So, depending again on the type of incident, ensuring that the general counsel is informed is an important step in managing the incident. If a data compromise resulted from the incident, the chief privacy officer will obviously have a very strong vested interest in understanding what potential sensitive information may have been compromised. The incident may result in, or may be targeted at, perpetrating a fraud, so the fraud risk management organization may have a role to play. And then one of the key aspects of what we're going to talk about going forward is the organization's extended supply chain contacts: the third, fourth, and nth parties, and how you initiate and maintain those contacts and ensure over time that they continue to be valid.
So I'm very fond of a statement which was made by a general who then became president of the United States, Dwight Eisenhower, and he said, "No plan survives first contact with the enemy." So what does survive, and what gives you the resilience to manage incidents, is planning, and planning involves not just understanding what your processes are but exercising different scenarios with different audiences to ensure that all of those stakeholders we just talked about understand their role in the process. So first we go about identifying those stakeholders, and from there, doing periodic tabletop exercises that involve all of those stakeholders is a critical planning and awareness tool, so that when the incident does occur, everybody understands what's expected of them because they've been through this tabletop exercise, instead of scrambling to try to figure out who's doing what to whom and how. And again, the key factor in incident management is how rapidly you can respond to the event that's occurring. Now, in order to do that, the other part that you need to have is periodic testing of the procedures that you've documented as well as the contacts. So how do you incorporate, both within your organization and with your suppliers, the process that you use and the contacts that you have?

Bob: When I talk about the contacts, I'm talking about how you get in touch with people 24/7, because there's no knowing what time of day or what region of the world you may need to get in contact with to respond to an incident. So regular testing with your critical suppliers of who the contact is and what their contact information is, email, cell phone, whatever the process is that you've worked out with that supplier in advance, is absolutely critical, because if you can't get in touch with the persons throughout the supply chain who can help you resolve an incident, then it's going to be a very painful time for everyone involved.
Now, when you think about incidents and the prevention of incidents, how are you doing your external threat monitoring? Some organizations have cyber intelligence teams which are always out looking at incidents that are occurring at other companies, doing research, and utilizing resources that look at the dark web and known threat actors to try to understand where potential attacks can originate from. That is the proactive aspect of incident management. The reactive aspect of it is how you respond when you detect an incident and how quickly you can mitigate its threats to the organization. Now, in order to do that, you have to understand which of your business processes are critical to your organization, and you have to understand all of the suppliers in that extended supply chain who deliver a critical part of that business process. So it's not good enough to know that we use this third party for process A if the third party is relying on a fourth or fifth party who provides a critical part of that process. And that plays all the way through to how you educate your suppliers and how you test the resilience of your processes when you do your periodic organizational disaster recovery and continuity of business testing. If the first time you have to test is when an incident occurs, then it's going to be much more difficult to respond to and limit the damage of an incident.

Bob: So, while you may have a handle on who your third parties are that provide support to your critical business processes, do you know who the fourth and fifth parties are that your third party is relying on to deliver that service to you? If you don't, when an incident occurs, it's going to have a much more severe impact on your organization. So, incident detection and then communicating and reporting procedures. One of the real challenges in the space is how you detect an incident in the first place.
And as I said, the average time to detection of a compromise in an organization is 270 days. Some of the biggest hacks of organizations over the last 10 years have been the result of the organization not paying attention to the information that they had readily available to them. So if you're going to log events that occur at the network level, at the infrastructure level, and at the application level, you'd better make sure that someone's monitoring those logs and doing it consistently, because in almost all cases the fingerprints of the attacker who initiated an incident are going to be there if you had taken the time to see them. For me, this is one of the most important aspects: making sure that you've set things up in your technology so that at the network, infrastructure, and application level you are logging events that occur and that you have taken the steps to ensure that the information is preserved. The default configuration on a lot of systems and platforms is that you have X capacity to log, and when you run out of that capacity, which may be 24 hours or several days, it starts to write over the old information. So you have to make sure that you've allocated sufficient resources to preserve those logs. In some cases your organization may look directly at the logs and have a team that follows up on that. But many organizations, particularly midsize and smaller organizations, will outsource those activities to a managed detection and response supplier who would log, review, and escalate any potential incidents that they may detect in the logs.

Bob: So if you're doing it yourself, make sure that the logs are all being properly configured to preserve information and that they're being regularly and timely reviewed. And if you're using managed detection and response, ensure that, as part of that process, you have a good communication process established with your MDR vendor.
Now, when an incident occurs, triaging to determine whether the root cause of the incident involves your third parties or fourth parties is critical to understanding how to recover from it, and having information readily available for your critical business processes about who the third and fourth parties are that support those processes improves your ability to respond in a timely way. So that becomes a very important aspect of how quickly you can recover. Another aspect is how your third parties self-report incidents to you. In that context, when you think about your contracts with third parties, there are several things that are important to include in all contracts with third parties. One of those is the timely reporting of incidents that occur to you, so that you're aware that they occurred: you know, 24, no more than 48 hours, and particularly if it's a critical event, a matter of hours. The other two things that I always like to focus on in a contract are the right to audit, so that you can actually review processes at your third party, and the commitment of the third party to remediate identified issues, which in this context is particularly important. So an event occurred at a third party: did they notify you in a timely manner, and have they committed to timely resolution of the issue that caused the incident? Again, not all incidents have the same severity and urgency for you, and you have to know how to triage that so that you can inform the correct people in your organization according to a timeline that everyone understands and is comfortable with. Obviously, when you first detect an incident, you may not even know it's an incident. You might say, well, this is an anomalous event; we need to do some more digging.

Bob: But once you do that and you determine how severe and how urgent it is for your organization, then you need to escalate to the people internally in your organization.
And again, that's why practicing your incident management process and ensuring that you have the correct contact names for all the persons who need to be escalated to is an important part of the process. This ties into what many organizations do and call their crisis management process. So you may have a crisis management process that you need to invoke, depending on how severe the incident is. Once you've determined that an incident has occurred, it's critical to stop the bleeding. What are the appropriate actions that you need to take to mitigate further exposure and impact, and what external resources may you need to invoke in order to control and limit the damage of an incident? Many times, when you've detected an incident, there's some level of digital forensic analysis that may be required, and there may be some activities that you need to take in order to recover from that incident. So if you do not have the resources and the knowledge internally, have you put in place contracts with external organizations who can help you with the forensic analysis of that incident? Another aspect... Oh, Melissa, is there a question?

Melissa: Yeah, I have two for you.

Bob: All right. Okay, let's do it.

Melissa: The first one is, isn't it the honor system, more or less?

Bob: Wait, I'm sorry. Can you repeat that?

Melissa: Isn't it the honor system, more or less?

Bob: Well, the trash bin of history is littered with companies that relied on the honor system. If you don't do things contractually, then you're leaving your supplier with an out when it's absolutely essential that you need to know as soon as possible in order to limit the damage. So, from my perspective, if it isn't in the contract, then you're rolling the dice. And from my personal experience, I've found the honor system, as much as we would aspire to that, to be severely lacking in reality.

Melissa: All right.
And then the second one: how do you independently test that a third-party provider reports an incident in a timely manner?

Bob: Well, one of the things that you do in due diligence of a supplier, before you onboard them, is look at their history. Go back 24 months and see whether they have any incidents in their history, and many organizations these days have had incidents that have occurred. How have they responded to those incidents? Secondly, what have they learned from those incidents? Third, as part of the due diligence, it's perfectly legitimate to ask them what their process for incident management is before you even consider onboarding them. And then finally, fourth, contractual obligations to do that. So, unfortunately, we've gotten a lot of history with suppliers who have had incidents, and we can form some opinions about how they've responded to those incidents and whether they've been forthcoming with us. It's an area where there's a lot of room for improvement, but relying on the evidence that's out there, by doing your due diligence to check whether a company has had incidents and how they've managed those incidents, and asking them for their incident management process, helps you to independently form an opinion about whether a company is going to be able to respond in a timely manner when the incident occurs. Now, I keep saying when, not if, because it's just a matter of time for everybody. The reality is that, depending on whose numbers you want to quote, upwards of 60% of all incidents begin with a third party. What people generally are not aware of and don't talk about is that if you dig a little bit deeper into the history of these incidents, you see that most of those incidents started with a fourth or fifth party, and they used that as a way to tunnel to the third party to get to your organization.
So with that as a background, you need to really understand, for your critical business processes, what that extended supply chain looks like if you're going to effectively manage incidents. So, getting back to the presentation, one of the things that's important when incidents do occur is leveraging the industry resources that are available to you.

Bob: For all of the critical infrastructures in the US, there are the ISAC organizations, the Information Sharing and Analysis Centers. You have them across 10 different industries, and that's a way for companies to share anonymized information about incidents that they've seen to help the other members. So that is a resource, whenever you hear about a big incident, to see if anybody's reported this previously and what you might learn from that. The ISACs also provide a way for your security and incident management teams to interface and to ask questions of other organizations who may have more experience and who can offer suggestions on how to improve your process. The next part of that is how you ensure that you eliminate the root causes of incidents. Because one of the things that you see is that all of the incidents that have occurred since we've been focused on this thing called information security, going back literally 40, 50 years, are still around. Periodically you see something from 10 years ago or 20 years ago pop up that you thought, well, we addressed this 20 years ago, but old technology, bad processes, and misconfigurations lead to the recurrence of the problem. I'll give you a non-technical example of that. If you are still a person who uses the US Postal Service and you go to a mailbox to mail a letter, you may have noticed that the mailboxes have all changed recently and that they have much narrower and longer openings to put your letters in. Why did they do that?
They did that because one of the earliest forms of fraud resurfaced, which is something called check washing, where someone steals your envelope with a check, washes it with chemicals, changes the payee and the amount, and defrauds you of a lot of money. Think of Frank Abagnale and the movie that Leo DiCaprio was in, Catch Me If You Can. Well, what they've done is start using sticky mouse traps, sliding them into post office mailboxes to pull out the letters to do check washing and fraud. So, things that we thought we addressed a long time ago have a way of showing up again.

Bob: Now, it's important that after an incident you restore and recover and then periodically test to make sure that whatever you fixed in the process actually works the way you need it to. And then again, as I mentioned earlier, make sure you have the resources available to gather and retain evidence, so that that is done in a proper manner, so that if there are legal proceedings you have the information that is required. So, post-incident follow-ups: tracking supplier remediation. This is one of my pet peeves. Of all the things that I see, everybody commits to tracking an issue, but then people don't fix it, or if your supplier fixes the issue, do you take the time to go back and validate and ensure that the fix was properly applied? So committing to address an issue, fixing the issue, and then independently validating that the issue has been fixed are essential to avoiding repeat incidents. And whatever needs to be done in order to do that, for me, this is really the most important part of the whole thing. How do you make sure that the same thing isn't going to happen to you again? And if you don't, it can have lasting career impact on you. So how do we ensure that our critical suppliers are doing the things that they need to do to properly support our business processes?
Well, a once-a-year assessment of a third party, and then assuming everything's fine because you had a nice report come back, isn't effective anymore in today's world. For those third parties, fourth parties, and nth parties that are critical to you, it makes sense that you begin to continuously monitor them, because incidents don't time themselves so that it conveniently works out for you when you get that once-a-year report. And it's important that you have a sound process in place for the lessons that you learn and that those are widely shared both within your organization and with your suppliers. Now, one of the ways that you can mitigate some of the risk that comes from incidents is through cyber insurance.

Bob: But again, as I said before, if you want to use cyber insurance and apply for it, you need to have procedures within your organization for how you manage incidents, among many other things. We've seen the premiums for cyber insurance skyrocket because of the associated costs when you factor in ransomware and the theft and disclosure of data. The potential liability to the insurers has increased significantly, and therefore their premiums have too. But companies who have effective processes to mitigate risk have actually seen their rates hold steady or come down. So again, cyber insurance is a critical tool, and if you have incident management, that's an effective way to demonstrate it when you apply for cyber insurance. So when we think about our extended supply chains, it's absolutely critical, and I harp on this, that we understand who those third, fourth, and fifth parties are for our critical business processes. We absolutely have to know who they are and who the contacts at those organizations are, and test those processes regularly.
For example, when we do our disaster recovery testing, but also to simulate incident management. When you do a tabletop exercise internally in your organization, make sure you have your suppliers involved too, so that your organization has a full appreciation for the impacts and what they need to do to respond to incidents. This is in fact one of the largest risks that you have to deal with. Supply chain incidents can substantially impact your organization's reputation, your finances, and your compliance with various regulations, whether at a country level or with the different regulators, depending on the industry that you're in, and ultimately can have impacts on people's lives because of the failure to deliver the services or products that you provide to them.

Bob: So this is very, very serious business. And again, going back to the contract point, make sure that breach notification is included in the contracts that you have with your third parties, and that those contracts extend from the third party through any fourth, fifth, and nth parties that may be being used to provide that service to you. So your contracts in fact should be worded in such a way that says: okay, third party, this is what you need to do, along with any suppliers that you use in your extended supply chain, and we will hold you accountable for that. Sometimes that creates a little bit of stress and tension. But if you don't say that, then you're absolving the fourth and fifth parties. And we're back to that conversation about the honor system. At the end of the day, there is no honor system here. If you don't have it written down in a contract, you don't have protection against it. It's as simple as that. So another aspect of this is your inventory of third and fourth parties. That's absolutely critical to have for an incident management process.
But what's also critical to have, and may exist within your organization, is a software inventory, because more and more of the severe incidents that we're seeing are the result of software. You may have a list of third parties that your organization uses but have no idea of the software that your organization uses. If you can find a way to (a) determine whether you have a software inventory and then (b) map that software inventory against the list of third, fourth, and fifth parties that you're using, that becomes a very powerful tool in the timely response to any incident that may occur. I cannot emphasize that point enough. So, in summary, having documented, periodically tested processes that involve all stakeholders and all suppliers for your critical business processes is essential to having effective incident management. That, combined with determining quickly whether an incident's severity directly affects your operational resilience and ability to continue to deliver for your customers.

Bob: The confidentiality and integrity of your and your customers' assets, and how it affects your business goals and objectives, is essential in this process. And then finally, the need to effectively and efficiently report to and inform key stakeholders, including your customers, your suppliers, senior management, your board of directors, and any regulatory agencies that you have to report to, is critical to your success as a business and to avoiding the associated negative reputational, financial, and regulatory impacts that you might experience. And with that, that covers the material that I wanted to go through today. Here's my contact information. I'm happy to talk to any of you anytime about any of these issues. So feel free to reach out, call me, send me an email. This is what I like to do, so I'm happy to hear from all of you. And with that, unless Melissa has some questions for me, I'm going to turn it over to Scott.
Bob: Any questions, Melissa?

Melissa: Um, yeah, we sure do, but I'm gonna go ahead and let Scott... Do you want to do your spiel first, or do you want to start sharing?

Scott: Yeah, why don't we kind of get to some of those questions as I'm pulling out my presentation, and maybe we can attack some of those in the interim here.

Melissa: We have plenty to choose from. So, um...

Bob: Let's have it.

Melissa: All right. So, here we go. Understanding that a right to audit and disclose is key in your agreements, what recommendation would you have when the agreement is redlined without those provisions, thus giving your supplier an out, i.e., we're on the honor system with them? Should you automatically designate those relationships as high-risk and prompt closer review and ongoing monitoring with suppliers that don't agree to such audit/disclosure terms?

Bob: Well, honestly, having dealt with my share of contracts for many organizations over the years, I would just walk away from them. I really have not heard of redlining of right to audit in contracts. So if that's their position, how am I going to feel about dealing with them when things go bump in the night? I would not advocate dealing with anybody who redlines the right to audit. And let me talk about contracts for a second, because it's an important point. Too many times when we're trying to onboard suppliers to our organization, the process becomes a legal exercise. And it wastes enormous amounts of time. And I consistently hear from all the organizations that I deal with that their biggest problem is how to quickly onboard new suppliers. So one way to do this is just to say we want you to abide by all of the commercially acceptable security provisions. Not best practices, but commercially accepted practices,
and keep any conversations about anything related to security between the CISOs for the two organizations and out of the hands of the lawyers, because otherwise it costs more, it takes longer, and it frustrates the business in realizing its goal.

Melissa: Perfect. All right, Scott, are you good to go on your end?

Scott: Yeah, I'm good. Can you guys see my screen? Okay.

Melissa: Yes, sir.

Scott: Awesome. Great. Well, folks, keep thinking of those questions as I get through the rest of my presentation, and we can carve out some time at the end to have Bob address those at that time as well. So everything that Bob talked about in his presentation was essentially about adding discipline and rigor and process to episodes where there are third-party incidents, breaches, cyber intrusions, whatever. What we have found during our time of helping customers do this is that there are three big problems with accomplishing those objectives. First is how manual that process tends to be. Bob mentioned getting an inventory of your suppliers, not just your suppliers and vendors and partners, but also the assets and the software that you have. The second big challenge tends to be around the frequency, the recency, and the freshness of the data. Great, it's a manual process for us to assess the business resilience practices or incident response practices of our vendors. We're doing it via spreadsheet. That's not good. And the minute we execute some sort of assessment or survey or monitoring, whatever, that data is out of date. And then all of a sudden, we find ourselves back at square one. We don't know what incident we're trying to resolve through what process if it's not somewhat current. And the third big issue is the cooks in the kitchen.
You're probably running that process internally, but then you've got a lot of different folks around the enterprise that want to have some input into it and have some say in what the outputs are as well, whether that's your procurement team, your supplier management team, your vendor team, the legal team, finance, whatever. Everyone's going to want to have some visibility into the data on the vulnerabilities that your third parties are bringing to your organization through that relationship, and what's being done to help mitigate those risks down the line. So: manual, kind of outdated, and a bit of a free-for-all. What we've done is we've tried to solve those problems with the introduction of a service called the Third-Party Incident Response Service at Prevalent. It seeks to solve several problems. Number one, it helps to centrally manage all of your vendors in one location. And let me say this: this is either a self-service SaaS solution that you can manage on your own, or it can serve as a managed service that we do on your behalf throughout the entire life cycle of that particular incident. And it starts with getting all your vendors in one place, onboarding them consistently, getting a good inherent risk score for all those vendors. Okay? You're starting with a good baseline of assets, divisions, businesses, partners, vendors, whatever, all in a central location so that everybody can view them. And then you can take the appropriate action on them from there. Second, we have pre-built templates in the incident response service platform that allow you to assess your vendors and third-party suppliers against very specific incidents. An example is SolarWinds.
When the SolarWinds attack came, we pushed out an eight-question questionnaire within 24 hours, and then automatically pushed that out to all of our network, and then via the managed service out to our customers' vendors as well, to determine their risk exposure to that particular vulnerability, so that our customers could then determine what their risk exposure was. So we produced reporting and more very quickly to enable our customers to determine what they had to focus on first to mitigate their attack surface. Third, as part of that, we include automated tracking of supplier assessments, those incident response assessments, and built-in scoring mechanisms that allow you to apply and weight answers based on what's important to you. And then we have pre-built remediation guidance in the platform as well, to suggest particular paths that your vendors and suppliers can take in order to mitigate that risk. We've aligned our approach to the NIST 800-161, I think, approach that kind of follows that model that Bob discussed during his part of the presentation, from discovery and planning all the way through to mitigation, recovery, and then return to normal operations, and that's very prescriptive and programmatized in the platform to give you a good workflow, a "you are here" type view of determining what the potential risks are that you're exposed to in your third-party base, and then how to resolve those and move back to a steady state after that, with all the reporting and such from there. What we've also done is publish a checklist on third-party incident response that is again based around the NIST 800-61 incident handling guideline.
And what it does is it starts off by examining some high-profile and particularly damaging third-party cyber security incidents of some sort. We've narrowed it to the cyber security band, but talked about cyber security incidents, what the results were, what type of recovery there was, how damaging it was to the enterprise, what it cost them in hard and soft costs, and then we've broken out those stages of that NIST incident handling guideline and discussed important capabilities that you should look for at each one of those stages to make sure that you're addressing all of those particular concerns. For example, Bob talked about contracting and the importance of having contracting built into your arrangement, into the life cycle of managing that third party, and having those measures and provisions that are enforceable, trackable, and measurable. We've provided some guidance on how to integrate a CLM process into third-party risk, so that you close that gap on that life cycle. And then after that, the key tasks: we've identified some key capabilities as well to look for in a solution that helps you close out that process from the beginning of preparation all the way to post-incident activity. All right. So, a highly complex process, which we completely understand. We offer a way to help you automate that, reduce your mean time to detection and response, and then give you some programmatized best practices to align with a standard industry framework, to add some best practices and resilience measures to your approach. So anyway, I hope that's helpful, and that's kind of what we do. I'll pitch it back to Bob and we can talk from there. Okay, Melissa, what do we have?
Melissa: All right, so we're gonna go ahead and attack some of these in the Q&A box real quick. But while we do that, I'm going to launch our last poll: are you looking to establish or augment a third-party risk program in 2022 or 2023? I know this year is quickly ending. I still have lots of New Year's resolutions to tend to, but that's just me. So let's go ahead and read a few of them. Let's see. Can you explain how we could use SOC 2 reports to support good practices in this space?

Bob: Well, SOC 2 reports, while they're independent assessments of data centers and the processes that are used there, give some level of assurance about sound practices of the organization that provides them. But what they're not going to do is tell you who you need to call when things go bump in the night, and guarantee that person still works for the company or hasn't changed their phone number. So, SOC 2 is clearly beneficial as an in-depth independent study of an organization and the processes that they use to manage things. But depending on the type of report you have: when was the last time the organization actually did an end-to-end test of their incident management process or their disaster recovery process? And then when you get into disaster recovery, how far did that process actually go to ensure that they could restore the systems so that they're available? And did the SOC report demonstrate that they have failover capability for your critical business processes when you need to have them, and that the primary service provider and the failover aren't in the same power grid or the same country overseas, or whatever the case might be? So there are so many things to check for. It's great to have the SOC 2, because it does give you some level of assurance, but the devil with incident management is in the details.

Melissa: Perfect. And I think we have time for one more. You're surfing the net.
You see one of your third parties has suffered a breach. What are the top three things to do?

Bob: Um, call Ghostbusters. But after you do that, you pick up the phone and you call them, and you invoke your own organization's incident response process to determine whether, whatever was compromised at the affected third party, you actually use that. So, go back to SolarWinds: when SolarWinds happened, everybody was, "Oh my god, everybody uses SolarWinds." But if you didn't use the very specific version of the SolarWinds Orion product that was affected by the compromise, you were okay. But then if you don't have a software inventory, how do you even know? So, it's not just having your third-party inventory, it's mapping that against the third-party software that actually runs in your organization. So, it's a layered process. So, Ghostbusters, and then picking up the phone, and from there executing your incident management process, which was really what we were talking about today.

Melissa: Great. Ghostbusters noted. All right, we have maybe time for one more. Any thoughts on UKG and their hack at the end of 2021? Are they a good example or a bad example? And what companies did in response? Any lessons learned?

Bob: Well, UKG, I'm not familiar with honestly all of the details of what happened there. So I will defer commenting on something that I'm not fully aware of, because I wouldn't want to provide anything that was misleading. The important thing for any company is: how forthcoming were they? Did they notify customers? Did they help their customers address the need? And then, most importantly, did they go back and fix it and demonstrate it to their customers? So we could take any incident that you want, and it would be those same steps that you would need to follow to judge whether the company effectively responded.
And quite frankly, if companies don't respond effectively to incidents when they occur, they're not going to be around that long. And then you're going to have a different problem, like where you get the service from. So, that's how I would respond to that one.

Melissa: All right. Well, that's a very good political answer, Bob.

Bob: Well, you know, sometimes you have to dance a little, but that's the fact of the matter.

Melissa: As long as you call Ghostbusters, right?

Bob: That's right.

Melissa: Who are you gonna call?

Bob: Go... Seriously, Prevalent, and then Ghostbusters, hopefully.

Melissa: We are at the top of the hour, and that's all we have time for. So, I hope you guys enjoyed this webinar with Bob and Scott and myself, of course. We certainly gave you a lot to think about, and we'll be seeing you shortly in your inboxes. Take care. Bye, everybody.

Bob: Thanks, everyone. Bye, everyone. Bye.

Scott: Bye.
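The SolarWinds point Bob makes in the Q&A (you are exposed only if you run the affected product at an affected version, and you cannot answer that without a software inventory mapped to your third-party list) as an added worked example. This is not code from the webinar, from Cyber Marathon Solutions, or from Prevalent's platform. Every host, vendor, product name, version range, and contact address below is constructed for illustration, and the `Advisory` values are hypothetical: they are not the real SolarWinds Orion advisory.

```python
"""Join a software inventory against a third-party list and a vendor advisory.

Added example for this page, not code from the webinar or from any vendor
platform. All inventory rows, vendor contacts and advisory details are
constructed for illustration and describe no real incident.
"""
from dataclasses import dataclass

# Constructed third-party inventory: tier and who to call when things go
# bump in the night. The .invalid TLD is reserved and never resolves.
THIRD_PARTIES = {
    "ExampleMonitor Inc": {"tier": "critical", "contact": "security@examplemonitor.invalid"},
    "Acme Backup Ltd": {"tier": "high", "contact": "csirt@acmebackup.invalid"},
}

# Constructed software inventory rows: (hostname, vendor, product, version).
SOFTWARE_INVENTORY = [
    ("noc-01", "ExampleMonitor Inc", "NetWatch", "2020.2.1"),
    ("noc-02", "ExampleMonitor Inc", "NetWatch", "2019.4.5"),
    ("noc-03", "ExampleMonitor Inc", "NetWatch", "2019.3.0"),   # predates the affected range
    ("bk-01", "Acme Backup Ltd", "VaultSync", "7.1.2"),         # different vendor entirely
    ("app-07", "Unknown Vendor LLC", "LegacyAgent", "1.0"),     # vendor missing from THIRD_PARTIES
]


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory: affected product and an inclusive version range."""
    vendor: str
    product: str
    first_affected: str
    last_affected: str


def parse_version(text):
    """'2020.2.1' -> (2020, 2, 1); '2020.2 HF1' -> (2020, 2, 1).

    Separators ('.', '-', space) split the string; non-digit characters inside
    a piece are dropped so hotfix tags like 'HF1' become their number.
    """
    parts = []
    for piece in text.replace("-", ".").replace(" ", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def version_in_range(version, first, last):
    """Inclusive range check on parsed versions, zero-padded to equal length
    so that '2020.2' compares as '2020.2.0' against '2020.2.1'."""
    parsed = [parse_version(x) for x in (first, version, last)]
    width = max(len(p) for p in parsed)
    lo, v, hi = (p + (0,) * (width - len(p)) for p in parsed)
    return lo <= v <= hi


def assess_exposure(advisory, inventory=SOFTWARE_INVENTORY, third_parties=THIRD_PARTIES):
    """Map the advisory onto the inventory and the third-party list.

    Returns three buckets:
      exposed    - hosts running the advisory's product at an affected version
      unaffected - hosts running the same product at a version outside the range
      unmapped   - inventory rows whose vendor is absent from the third-party
                   list (a gap to close before the next incident, not during it)
    """
    exposed, unaffected, unmapped = [], [], []
    for host, vendor, product, version in inventory:
        if vendor not in third_parties:
            unmapped.append((host, vendor))
        if vendor != advisory.vendor or product != advisory.product:
            continue
        party = third_parties.get(vendor, {})
        record = {
            "host": host,
            "version": version,
            "tier": party.get("tier", "unknown"),
            "contact": party.get("contact"),
        }
        if version_in_range(version, advisory.first_affected, advisory.last_affected):
            exposed.append(record)
        else:
            unaffected.append(record)
    # Critical-tier suppliers first: that is the order the phone calls go out.
    exposed.sort(key=lambda r: (r["tier"] != "critical", r["host"]))
    return {"exposed": exposed, "unaffected": unaffected, "unmapped": unmapped}


# Hypothetical advisory; the product and range are invented for this example.
NETWATCH_ADVISORY = Advisory("ExampleMonitor Inc", "NetWatch", "2019.4.0", "2020.2.1")

if __name__ == "__main__":
    for bucket, rows in assess_exposure(NETWATCH_ADVISORY).items():
        print(f"{bucket}:")
        for row in rows:
            print("   ", row)
```

Running it puts noc-01 and noc-02 in the exposed bucket with the supplier's contact attached, leaves noc-03 as "uses the vendor but not the affected version" (the distinction Bob draws), and flags app-07 as a host whose vendor never made it into the third-party list. That last bucket is the inventory gap to fix in preparation, before the next incident forces the question.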
©2025 Mitratech, Inc. All rights reserved.