成功制定第三方事件响应计划的 5 项必要条件

Amanda: Hello people. Welcome. We’re trickling in. As you guys trickle in, before I start doing the intros, I’m going to add a poll question because we’re curious. And that poll question is, “Hey, why are you here?”. You know what’s up?. Are you here for education?. Are you here for project research?. You have an upcoming project. You don’t know where you are. Well, you’re here for a prevalent third party risk webinar. Tell you that right now. Um, and you’re a prevalent customer, which is great. So, I’m going to add that in there. I’m going to leave it up while I start doing intros. Hey everyone, I’m Amanda. I will be your host and we’ll be joining in and out throughout the session for questions. We’re going to keep this interactive. So, please put your questions in the Q&A below. We will ask on the fly. We won’t wait till the end. So, you guys are kept on your toes here. And today we are talking about thirdparty risk management as you can see here in five things you need for successful thirdparty incident response plan and we have with us Jefferson Pike, director information security and thirdparty risk management at Lowe’s. Hey, how are you Jefferson? Jefferson: Hey, good afternoon. Amanda: Good afternoon to you. Good morning to me and Brenda. We have Brenda here, our very own VP of thirdparty risk here at Prevalent. And today they are going to show us how to create a plan for major security incidents and data breaches and accelerate your response for your third parties before the next big one happens. And we know it is a matter of when, not if. So they will take care of you guys. Please again make sure that you are participating. We love participation. You’ll get an A for effort. I will end this poll in just a second. Um will be recorded and you guys will get it in your inbox tomorrow and if you have any questions again use the Q&A and thanks so much for joining us. I’ll give it over to Brenda. Brenda: All right. Thanks Amanda. Amanda: You’re welcome. Brenda: So normally in our webinars in the past couple of webinars, we’ve had questions that we’ve posed out to you as polling questions throughout the whole thing, but we don’t have that this time because I want to give Jefferson enough opportunity to just freely discuss like a fireside chat how his organization implemented an instant response plan um in order to address all of the different things that we’re facing. So if we look at the last or the most recent three breaches, they’re multiplying and they’re coming at us at a very rapid pace and they’re not small, they’re big and they’re impactful. So Solar Winds, for example, had 18,000 companies and government organizations that were impacted. Excelium was 100 plus high-profile customer. customers that got impacted. And then Microsoft Exchange was the most recent one that we’ve been dealing with and that was 125,000 servers worldwide. So what’s going on with that is there’s a lot of vendors and suppliers and outsourcers that use these types of products andor services. And what happens is the board of your own company and even at Lowe’s or any other company has basically stated that okay, hey, we need to know what’s going on. Who are our vendors that got impacted?. Ed, how are we going to mitigate it?. Did we stop the bleeding?. What plans are in place?. yada yada. There’s so much to understand and sometimes you don’t always know the entire vendor universe. So, we’re going to be talking to Jefferson about things that he put in place specifically when the Solar Wind started. So, he had already started thinking about I need an instant response plan within my TPRM program that addresses third-party incidents. And I believe that when Solar Winds happened, Jefferson. It was something that immediately you turned around and you were able to put something into place quite rapidly. So, we’ll get into those um items right now. So, the first thing that we probably need to talk about is clauses in the contract. So, did you face any um issues with getting responses back from your vendors that may or may not have been impacted or maybe talk about what you decided to do first and then go into was there any contracts uh language that you need to look at after the fact or even before. Jefferson: Absolutely. So, uh you can look at this from several different angles and and one thing to consider is there’s a difference between an event and an incident and not every just like normal incident response, not every event is an incident. So, when we look at having some sort of incident response plan, we want to make sure we have an an event management program where we can handle large scale events like Solar Winds or uh the the exchange incident. or um what’s the difference between that and a single incident where you you learn of something through several ways and have an actual incident with one vendor and how do you handle that quickly and is there a different approach to be handled for that?. So looking at the the the contract the contract of course is the foundation for for everything and we did notice there’s some some things that that some features of the contract that make it very helpful for situation like this and the first piece and you hear about it a lot in in different webinars and and shared assessments and everything else is having that that right to audit clause or right to assess clause in a contract where many times if a a vendor especially if they’re an existing vendor, they may not respond to you at all because there’s been no precedent set for no reason for responding. They don’t need to respond to you. They’re already doing business with you. But if you can when you’re onboarding a vendor and actually have a say in the contract that’s about to be signed, then you can look for things and make sure you have a right to I prefer to call it a right to assess clause more so than right audit because many times the right to audit clause may be mistaken to look at either just financial information and financial controls or the vendor may think it’s a it’s a one-time deal where you’re being, you know, thoroughly audited and and and vetted and and scrubbed by uh the the customer, which is not really the the case. If you have a right to assess, if you word it properly, that gives you the right to actually ask them anytime if there’s an an event like Solar Winds or an actual incident or when you think they should be assessed to have that that discussion and it it allows that the door to be opened where you can actually then you know discuss things with with the the vendor. If you don’t have that in place, they have no reason to talk with you and and probably would not want to talk with you unless absolutely necessary because anything that’s said could be held against them legally in their mindset. So having that that initial door with the the right to assess clause is definitely helpful. And not only that, once you have the right to assess clause, hopefully have a a right to report or remediate clause. And essentially, if you’re conducting an assessment and you find some shortcomings or some some issues that you would recommend be addressed, you need to have a mechanism for actually reporting back to the vendor and telling them that and working with them to address those those issues depending on on the risk of the vendor, which you don’t even know unless you do an assessment up front. So, you need to do that that assessment, the right to be able to do that assessment and then look to give the some remediation answers and Once you have that in place, hopefully you have a security controls addendum, some basic requirements that you want them to be able to meet if they’re going to do business with you, especially if they’re going to connect to your network. So hopefully that’s an addendum in in the contract, but having an incident notification procedure in there is big, too, because not only do you want to give them an email address they should be able to contact in case they do have an incident, and they understand that they should contact you within a reasonable time frame if they have an incident that affects your data, but not only an email address but a phone number as well because you we’ve seen before if a vendor is hit by a ransomware attack they may not be able to email you at all but if they have a phone number they can call you and they can call your your sock if you have one and they need to have somebody to call and not only do they need to be able to contact us but we need to have a contact on their side as well and that should be stipulated in the contract that there is a a certain number and email address to call on our side but we should have a contact on their side so for individual incidents that’s very helpful. That also comes into play as well. If you have that good email contact, then you can do some some batch event management, which is what we did for Solar Winds. Brenda: What’s interesting also is some of these impacts were fourth parties. So in contracting, would you think that there would also need to be some fourth party stipulations to be able to know who the fourth and maybe nth parties are?. And then the other thing that I was thinking about as you were talking is point of contact accuracy. Do you hold them contractually obligated to provide you point of contact s that have an eb and flow throughout a life cycle of a career or a tenure. Jefferson: Absolutely. Definitely the the the fourth party mentioned in there. Ideally, you want them to be responsible for their third party. So, your fourth parties uh so you want that that piece in there and for the the contact information, the accuracy. Hopefully, you mentioned that and the best way to test that is with a tabletop exercise. And I’m sure we’ll probably get that later, but you can actually verify then both on your side that your contact is correct and on their side if something happens. Brenda: Exactly. All right. Well, the next thing that we wanted to cover is creating an easy mechanism for vendors to proactively and that word is very important here, update your organization and who to update during the incident. So, as you were going through one of the events or incidents that you had mentioned, what was your protocol to proactively update them on what was happening? Jefferson: Well, it can be done several ways. I’ve seen it handled differently at at different companies. If you’re a big financial institution, you probably have a very huge or organization that just does this full-time and uh when the bank I worked at actually had this in place where anytime a vulnerability was uh made known and seen in the wild they would blast out to all the vendors for the bank ask them if they had this vulnerability uh seen their system and if so have they remediated that that or do they have a plan to and very laborious and it’s very timeconuming we did something similar for uh for solar winds we were asked to to actually come up with basically a snapshot of how to what extent is our vendor population affected. So we just came up with an automated questionnaire actually well full disclosure prevalent came up with it and then we used it as soon as it it came online and basically asked a set of questions where we could just blast out to all of our third parties that we had in our our inventory that we had already been assessing and just ask them simple questions like have you been affected by this um by this event?. If so to what extent?. What was the impact?. Have your critical systems been affected?. Has our data or have our operations been affected as a result of what happened on your side?. Do you have an incident response plan in place?. Which hopefully you already know that based on your risk assessment you conducted previously and u and ask them if they have mitigating controls in place and very quickly as those responded, those vendors responded, we could aggregate those answers and then at a very high level look and see, okay, X percentage says they’ve been moderately affected, but they have controls in place or X percentage has no clue how to fix this and they are dead in the water. Uh what do we do?. And what we like to do, our approach is is really partner with the the vendor almost taking that uh that walk them to the aisle approach. You know, just like in the middle of the store, if someone asks for screwdriver, you don’t tell them it’s aisle 10. You walk with them to aisle 10 and show them it’s a screwdriver and also make sure it’s the right tool they need for their their job. Same thing with the vendors. We we’re not the bad guys saying you can’t do business with us. We want to help them and partner with them and make sure they have robust controls in place so that our our relationship and our transactions can be secure. So we partner with them and find out if if they are having issues then we can help you know you show them you know best practices and what to do and make some recommendations at a very high level and then also we have that that attestation if they say nothing’s been affected but we also have a question there saying that you we ask them to to research their systems data and make sure that our data is not affected and they agree to notify us if it is and we get their agreement to notify us in in in the future. Then we kind of have that to show we’ve done our due diligence and we’ve done basically all we can at that point to verify that they actually are secure uh from that event. Now we’ll validate that as much as possible. We use a continuous monitoring application as well. There are many out there like security scorecard bits site and and multiple others and you can take data from those applications and see which of your vendors have been affected uh at least on that side looking at at raw data and and seeing you have a potential number of vendors that have been affected. Then we’ll follow that up with questions as well with the same survey uh from the prevalent platform and and tell them we’ve detected this on our you with our security control application or readings application. Is this indeed true?. And do you have systems that are affected and and and have you secure them?. So we can kind of validate the answers that way too or find vendors that we never knew about that were even in our population but we detected them through our other uh tool. can follow it that way. Brenda: Yeah, I like how you said that you used a two-prong approach. So, you had the thread intelligence so you could see the outside in impact and then you validated that or verified it on the other course where sometimes people use the questionnaire first and then use the thread intelligence. So, you kind of flip-flopped it which was awesome. And then I think that um with our questionnaire that you used, we wanted to make sure it was very easy with the vendors so that if they weren’t impacted they answered that one question, I’m not impacted and they were done. It was like one question questionnaire. So it was dynamic enough to say if I’m not impacted or I’m not using Solar Winds Orion, leave me alone so I can go do my work. But if I am impacted then I can tell you the additional 7 to 11 questions. So you find that Jefferson: Yeah having it scalable is definitely very helpful because one thing we don’t want to do this consistent event event management program is just having burnout and fatigue from answering these surveys all the time because no one will enjoy that and it’s it’s a pain for everybody. So we don’t want to create that and have answer questions they have no need for answering. So, um that scalable approach definitely helped us. Brenda: And then if you were to think about how often you had to report up the metrics to who like who did you report them to and how often did you have to report that? Jefferson: Well, it kind of goes back to creating value for your your third party program. So, if you can have that information in your back pocket first of all, so that if you’re asked you can immediately produce something, that’s fantastic because it’s showing you’re being proactive and and you’re you’re thinking outside the box and your leadership will probably you love to to know that, but uh the information can go as high as the board. Many times at least your uh your syso will want to know scum information and they may be asked and if they’re caught in the corner and they can’t give an answer then it makes them look bad. So the more we can do to help our leadership look good and be able to prevent or present information to the board a short notice then the better we all look. Brenda: I’m very glad that you had an automated capability because I remember the day when we did not and we were doing things with sales spreadsheet and email and we had to report up to the board on a daily basis where we were and it was a nightmare. So kudos to you for having some automation. Amanda: That sounds very. Sounds like we have a question or it looks like we have a question. Amanda: Yes. Um curiosity is is the basis of this question. They want to know what was your percentage of nonresponse from vendors. Jefferson: That is a good question. So we look at this two different ways. We had our own percentage and ours is about 50%. Uh not everybody will will respond to anything but about 50%. Their uh other peers are using the same mechanism and they their returns look anywhere from 50 to 60%. So I think the highest we heard of was maybe 60. Uh Brenda, correct me if I’m if I’m wrong. Brenda: From the larger corporations that we have on peer-to-peer groups. I think you’re right. Um it just depends on what type of a questionnaire. We do have a a healthcare industry that’s using a ransomware questionnaire and their percentage is up in the 80 90%. So it really depends on what they’re asking, when they’re asking it. by. But um for rapid response, it it’s um they’re starting to figure out that if I if I have a dynamic questionnaire to answer, it’s no problem going in and saying I’m not impacted because then they’ll they’ll get left alone and it’s shared with other other customers as well. Amanda: Perfect. Oh, looks like we have another one. Brenda: Okay. Amanda: Nope. Nope. Just kidding. I didn’t press answered. Bye. Brenda: Well, okay. Well, as Amanda is disappearing again for a second until question is asked the next thing is how to quantify the business impact what are the steps that you took Jefferson to quantify business impact that is. Jefferson: that’s a good question and uh not easily answered so the short-term answer is looking at the answers back actually pulled everything into a reporting platform and just showed statistically here are the answers you know we know that x percentage are you know they had no issue at all and for the most part uh vendors were not really affected by Solar Winds. Now, that that could be because they honestly weren’t affected or they just didn’t think they were affected and and they were. So, we want to couple that with what we’re seeing through the uh the thread in platform. So, that’s that’s the first piece. The second piece, you can take that a step further and then if you have your vendors in a GRC platform and you’ve done uh some sort of disaster recovery assessment on them as they’re brought on board, which um larger companies will will do that, you can look at their their response tiers and and figure out, okay, here are the companies or the the most critical vendors that, you know, that have the the shortest um um repair time objectives. These are the ones that were affected. These are the most critical. So, we need to report these as well and show the different tiers of vendors that you have. Uh just how many of them have been affected. So, you know, we tier our vendors and stratify them based on different factors. So, we would want to be able to show how many of each set of stratified vendors how how much are they impacted? Brenda: Yeah. And I think that another um company that I’m a familiar with is is they used the responses to identify that they had 15 incidents last year and now it’s creeped up to 51. And then they took the cost of how much it was for their resources to attend to the incident to manage all of the ramifications and the mitigations and they come up they came up with a a quality qualified amount that would be per incident. And so they’re looking at as long as we’re doing these proactive incident response type scenarios andor we’re doing them ahead of the time with ransomware questionnaire sections or something to that effect, they could save the company potentially, this isn’t completely accurate, but potentially $7 million. And that’s huge. So that’s that’s why it’s so important to start looking at your instant management plan within your TPRM. more importantly than what questionnaire am I going to use because you want to address the things that matter right now that we’re addressing from or or finding that we’re being impacted by. So interesting information, but uh we’ll hope to see that that’s truly the case that they’re really finding out that here’s some fishing incidents that may occur if we don’t bridge that gap or here’s some access identity management items that will occur if we don’t bridge that gap. And so really looking and honing in on the most important maybe 11 to 15 key controls is going to help. So if we talk about targeted questionnaires and that kind of goes right into what I was saying. So the right questions for the organization. What are you doing at Lowe’s to help make sure that we’re not causing questionnaire fatigue because now if we’re having so many incidents or events and we keep asking them are you impacted?. Are you impacted?. Are you impacted?. They’re going to be struggling to keep up on those along with the main due diligence. stuff that we have to find out. What is your your thoughts on approach there? Jefferson: Right. Uh well, good question. So the the first piece goes back to that uh you the taring of the vendors having some sort of methodology and there’s no one right answer. It depends on the maturity of the organization and how much time you have to develop this. But um different tiers will will receive different levels of attention, different levels of due diligence. If they are a very lowrisk vendor or maybe only deal with public information and and uh you know have no connections to the network then you just have maybe a very simple set of you know five or six questions you 10 at the most uh to ask them some some simple questions and that can count as the assessment that’s it but as they are higher tier recogn recognized as higher tier vendors then you can ask them uh you know the the full questionnaires from the automated platform which is what we do based on the inherent risk determined at the very beginning but we don’t want to ask everybody the same thing it it may be that if they’re a a vital supply chain vendor, they may get additional questions about ransomware, which you mentioned earlier, and make sure they have certain controls in place. And if, you know, we want to couple out again with the threat intel, uh, but if they’re maybe just a a vendor that only just ships items to somebody, they don’t have much except maybe some limited PII, then we don’t want to ask them the full range of questions that we would someone who’s handling PCI transactions for the business. So, we don’t want to frustrate the vendors, but at the same time, you know, we’ll we’ll work with what we can get. So, if they’re high risk, they get a high number of questions. Low risk, low number of questions. Brenda: and then add-ons, I assume, for anything that is instantaneous, right? Brenda: All right. Question for you, Jefferson. Um, would you do anything different if the third party leverages a cloud platform? Jefferson: Yes, we do have a subset of questions based on uh if they are a cloud application, then there certain things we we’ll ask that if they’re not a cloud vendor, they won’t get those questions in the the dynamic question we use. So thankfully we can do that. Previously, if we’re just using spreadsheets for the word docs like we we used to do, everyone gets the same questionnaire and they just go through and answer NA to a bunch of questions and all it does is frustrate the vendor and frustrate the analyst trying to assess the answers as well. Brenda: So it sounds like you’re just catering to everyone in specific types of questions and that’s good. Jefferson: Trying to and making as as automated as possible. So yeah, we don’t want a person have to go in there and figure out, okay, let’s give them section A, B, and C, but but not D. Um, we’ll let the system do that for us because the more we automate with the limited number of resources, the more we can do. Brenda: Perfect. That’s all for now. Jefferson: I like people. Yeah. Yeah. Brenda: And I like how you talked about the NA. If if it’s going to be NA, they shouldn’t be asked that anyways. So hopefully your NA is at a very small percentage to nil. All right. So, layers of insight needed before a breach and public disclosure. What do you think about that topic? Jefferson: Well, you know, it’s it’s interesting because we look at it from a couple different different ways. We may learn of a breach. First of all, there needs to be that that path of of being informed. And you really only find that out by doing tabletop exercises internally uh even possibly with a third party there in attendance. But, uh no Knowing what a breach is and what a breach isn’t definitely helps because not every event bubbles up to the the level of a breach as we know and many times the vendors won’t necessarily know they’ve had an in we’ll call it an incident. If uh sometimes like with solar winds we found a lot of times vendors didn’t even know they were using solar winds but if we’re using the thread intel platform that says they are then you know we send them the questionnaire saying hey we understand you may be you may have had an issue with Solar Winds can you tell us more about it answer these questions and their response coming back to us would be, well, we don’t use solar winds. Well, it turns out they actually did, but that an the person who’s answering didn’t even know it. So, first I have to verify the answers and make sure that we’re talking with with the the right people. Make sure understand what what a breach is and what a breach isn’t. Uh Ben Wright from SANS and his his legal data investigations class talks about how, you know, not every event that gets reported really needs to be simply because not every event is technically a breach. I mean, depending on how your company defines it and your your risk appetite uh and the the laws in your area the areas where the data is affected. You know the data is encrypted. It was never actually extracted. It may not be a breach depending on your situation. And uh so make sure that before we say that the sky is falling, make sure that we actually do have have a breach. And many times what is initially looked at as a breach may not be. But having a vendor also agree to inform you when they have a breach versus when they think they may but they’re not sure. That will get a lot of push back as well from a vendor because many times they they don’t want to tell you ahead of time because it makes them look bad and and they don’t want to, you know, cause a fire drill. There’s no need for one. So, understanding and and having everybody agree to what actually is a breach, what constitutes a breach and have everybody be on the same page definitely helps because when something bad actually happens, a lot of people will probably argue if you never actually practiced this before and done a tabletop, those are items need to be addressed beforehand. And public disclosure is great. uh if you have a tool can actually identify those public disclosures because many times we may learn of an event that a vendor never told us about uh simply because you know they didn’t disclose it to their actual customers but it shows up in the news and then at that point okay now we’ve learned about it we become aware of it now we need to find out if there actually was an issue so we had to start the whole process then um just because we were informed in a news article that this one shipping company was affected. Brenda: Yeah And I I heard something recently that made me chuckle, but it said that third party risk management was like a company that was dating vendors. And when you’re on a date, you want to have the awareness to know, you know, is this a really good relationship that we’re going to have because this relationship is going to be about honesty and about trust and about forthcoming information and we’re going to have problems and we’re going to have to resolve them and all of these things. So, it was kind of interesting when I looked at this topic that we were going to discuss and it was really about building a relationship from the very beginning. That helps to foster open communication so that they don’t feel like when they are a victim that they can’t tell you what’s happening because in order to stop the bleeding or to stop a problem from spreading, you would have to be able to be able to know, not wait for a disclosure to come out. And then having a vendor risk management database for those companies that are extremely mature that they can see all the interconnections of what companies are working with whom, what business units are being provided services by those vendors that you’re contracted with or outsources or supply chains and then being able to toggle and and pinpoint exactly what will happen to your business with resiliency based on the fact that something’s going on out in the wild andor impacting you already. So those are those are some other layers of insight that I would think would be important to see is just the holistic picture having the relationship and um my crazy analogy that I adopted from someone else that I heard about dating your vendor All right. So, let’s talk about the top two takeaway points. So, we talked about five different things that are important about an instant plan. Um, we didn’t really broach the topic of the too much about the scenario-based tests. We kind of touched the curve of that, but um, what two takeaway points would you think about other than what we’ve talked about right now that would be important for the listeners to know? Jefferson: Well, I think the first takeaway point would just be how it it all goes back to the contract in the very beginning. If you can have the contract in place, it makes life a lot easier because then you’re not blindsiding the vendor and they’re not asking you why are you even talking to us. They they know to expect that anytime there’s an issue because they’ve already agreed to it beforehand and you really have leverage at the very beginning of the process during onboarding when they want your business. They’re going to give you their answers for an assessment if you have if you conduct the assessment then and if you get that buy in where you have the right to assess then you know, everyone’s good. So, you have to have that set up in the very beginning and not only I say the second point is not only is it good to have an instant response plan for yourself and that’s just common that’s elementary at this point. Every company needs to have that but making sure that your vendors have that as well and you know we’re supposed to test our instant response plan and even NIST says now in their cyber security framework under the supply chain domain that we need to test our instant response plans with our vendors but we should also be making sure that our vendors are having an instant response plan in place and testing it as well. And many times they’ll find out that they actually haven’t tested it, but you won’t know that until you do your own testing with them to start with. Brenda: right?. Those effectiveness controls. So my takeaway would be um automating the incident response element and what those tasks are. And so when you have rapid response, there are all of these different things within the wheel that are located on this slide. And automating those critical tasks help to quickly discover and quantify and remediate those risks and then have reporting that you can take up to your organization. So what Lowe’s did was very fabulous in my mind because they were one of the largest companies that took advantage of what we put in place very quickly and they said, “Okay, we’re going to use this questionnaire. We’re going to send it out.”. And I think even at the time you learned about new vendors, so you didn’t even know which vendors it had to go to and all of a sudden they were coming to you with, “Oh, wait a these are also our important vendors. So can you send it out to them as well. So you’ll also find out about more vendor universe and so centrally managing that tracking and scoring um having a prescriptive remediation guidance reporting on the progress and being able to either use what Lowe’s did was internally they did everything themselves but we also have ways of doing it within the network where our managed services takes care of all of it for you and then tells you who’s impacted versus you having to do the leg work. So um it looks like we have a question Amanda. Amanda: This is is kind of a a ask for help kind of scenario. How do you assess a third party when they respond to all their information?. They respond that all their information is confidential. Jefferson: That’s a good question. So, we’ve run into that as well and and it depends if they’re an existing vendor that we just discovered or going through the onboarding process as well. So, again, you have leverage if you’re onboarding them and you insist that that right to assess clause not be redlined out. You have that in there, then that takes away their ability to say that. Um, however, if they’re an existing vendor, well, then you you kind of have to um you have to be delicate with them. So, you you can play hard ball. You make but you make sure that they know that you have an NDA in place. Hopefully, you have an NDA with them um and with the platform you’re using. So, we have NDAs with Prevalent and with uh every vendor we work with. So, make sure they understand that the NDA and put their legal team in in touch with your legal team if you need to. Worst case, if they can provide a sock two type two report that has the the bridge letter and and is actually covering the right scope of your engagement, you know, that’s a judgment call. Do you accept that or not?. You we we like to make it as easy for the vendor as possible. As long as we’re getting the information we need based on the risk of the vendor. So, um you can’t treat everybody with a the same lens. You have to adjust it and be willing to work with it with the vendor. Um if they insist on not giving information because they say it’s confidential. If it push comes to shove, at the end of the day, we make a recommendation to the the business unit that either we either recommend the engagement, we recommend the engagement with remediation, or we do not recommend. And if they refuse to cooperate with the risk assessment, then we do not recommend them. Uh we we can never reject a a vendor engagement, but we can tell the VP of that business unit that we recommend against the engagement unless they answer our questions. At that point, the VP has to actually accept the risk. We don’t accept the risk for the vendor. But um at that point is the VP’s call for that business unit. Brenda: That’s interesting. I feel like I’m learning something new every day here. I have one more question. Is there a difference between right to audit and right to assess? Jefferson: That’s an excellent question. So right to audit many times depending on who’s reading it, u vendor may think that right to audit means just talking about financial controls or they may say that right to audit is way too invasive. we’re not going to do that and they may balk at that. Uh many times if using the the phrase right to assess is softer. It it’s less confrontational and it also is because it’s a little bit more vague. It gives you the right depending on how you define assess gives you the right to you know do a risk assessment as necessary for the security controls but also to do you know instant response assessments as necessary based on events that happen in the wild or supply chain attacks or things that you know we can’t really predict but we know more of those will happen. So It’s really more of a psychological move than anything saying the right to assess. We’re not looking for the financial controls. We don’t care about that necessarily from a from information security perspective. Other groups may care about that. We’re just wanting to assess the security controls that are relevant to our engagement. Brenda: What’s interesting, Jefferson, is I’ve heard this term where um it’s now changed from just right to assess to right to risk assess. And it puts that other little play in there that says, you know, we’re not auditing your company, we are assessing your risks. Yeah, the spec the specificity spec. Amanda: I’m going to go away now. Continue the question. Jefferson: It’s called COVID second shotg. I used to do internal audit and an audit is not the same as an assessment and we will not audit a company. Audits are inv you know incredibly invasive timeconuming and you’re testing all the controls you know looking for evidence of controls and assessment really is you’re taking their word to to a large degree making sure that basic controls are in place they’re saying they are. So you you have their at the station that can be used if there is a breach later on. Uh you want to make sure they’re answering honestly upfront. Just like whenever we answer a question or an assessment for our company, whatever company you work with, you want to make sure you’re giving honest answers because if you say you have a patch management program in place, but then you get hit with an attack that was made possible because you haven’t patched your systems in two years, well there’s an issue because you told us that uh you know that you do have patch management program in place and you told us that you do vulnerability management, you do have an instant response program, but then it turns out if you don’t then you lied on your assessment and that can depending how the contract’s written that can have penalties in there. Brenda: You know, food for thought while you’re saying this like at the end of the day, isn’t it just helpful for the vendor?. Like it’s you’re you’re helping each other. It’s kind of like a Jerry Magcguire situation like help me help you. You answer these questions then you’re going to know if you’re like aligning with whatever you need or like if even if there’s like a you know rapid response scenario where you have a data breach like don’t they want to know if they’re at risk?. It’s just like wild to me like vendors I guess would give you the push back. It’s like they kind of would want to know that right? Jefferson: You it covers the gambit but a lot of vendors are very appreciative because they’re small vendors that don’t have full information security shops or they outsource their their IT programs. They’re thankful for the information because these things they may have never heard before. Uh others may push back because you know they they you know they just don’t have the program in place, don’t want to spend money. So you know there’s there’s that the back and forth you have to have with them. Brenda: I think the more mature companies are doing a great job with sharing the information that they’re receiving from their threat intelligence reports and then identifying the risks that are applicable to the company that’s contracted for the engagement. So it’s been it’s been eyeopening for them. I’ve felt the same thing or experience the same thing when working with vendors. They’re like, “Thank you for all of this. We’ll go work cleaning up our thread intel report, right?. Jefferson: We’ll make sure we do these risk closures and if you have any advice, please point us in the right direction and always point them to frameworks and guidance. Don’t tell them what to do. If they have a breach that you’re kind of held responsible, too, but um it’s it’s helpful for them.” Brenda: Yeah. All right. That was my own my own little thing. Continue. Amanda: Okay. So, we’re gonna open it up for more questions, but I just wanted to remind everybody on the phone for those of you who are new to us, otherwise this is something that you see. Um, we are part of the leadership quadrant in the Gartner um, scale. And so I want to make sure that you know that Lowe’s is listed listed lusted listed listed in the trusted I was putting words together um, area along with some of our other companies that we um, have as premier customers. We we like to be innovative. So we listen to our customer customers and what they need and make changes to the platform and the services in order to supply these types of things to them. And rapid response was one of those. We found out that every individual needed to find out what was going on with their vendors. And so we we put something together as quickly as possible. And then we’re one of the fastest growing vendor network type of companies so that we can make sure that we’re repurposing information for other customers. So we’ll go into the Q&A section, see if there’s any questions that didn’t get asked. by either um myself or through Amanda. And as you have Jefferson here, make sure you take advantage to ask him, you know, things that he’s experienced when it comes to incident event management or rapid response. I don’t have anything yet right now, but I would encourage the troops in the participants category to ask whichever take advantage of this opportunity to do so. But in the meantime, I will put up another poll question. and share that. And let me launch it right now. And we’re curious, you know, what obviously we want to know in the beginning what made you come here, but are you guys looking to augment or establish a third party risk program in 2021?. Um, what do you have going on?. You know, if please answer honestly, too, because I will be the one reaching out to you. So, I don’t want you to get surprised when you see something from me. But if it’s from me or Amy Tweet, who is my counterpart, here at Prevalent. But yeah, let us know. We’re here to help you, obviously. And if you’re curious, you know, Jefferson is a customer of ours, so please take advantage of this now and ask while we have the time. Oh, we have two questions. Perfect. All right. First one is, how do you handle an organization who insists on responding to assessment questions out of context?. For example, responding with general security controls and not necessarily as as they pertain to your relationship with them or the incident being being addressed. Jefferson: That’s a good question. So, really the the initial questionnaire that sets the tone for the conversation and if if they’re very vague or they’re not giving the answers we we need, then we have a follow-up call with them and you ask to have like a 1 hour call and just get further information about what we’re asking and and clarify some some issues or maybe during risk assessment we may have questions about some of their answers. So, we’ll have that that call to answer if they still aren’t very cooperative. Then we’ll have we’ll call it a virtual document review, documentation review or virtual assessment and we’ll do that basically do like an on-site assessment not to that extent almost but almost there and we’ll do it virtually. So you know we’ll ask for evidence of of certain uh items that we’re looking for and we’ll we’ll have that virtual conversation. Worst case then you know if they’re a a very high priority vendor and they’re not giving us answers we need for a risk assessment then we can do an on-site assessment if necessary. Those are very few and far between. We try not to do that for obvious reasons just because, you know, the expense and and certainly with with CO this year, that’s not something you you can easily do. Amanda: Is there anyone else that you leverage for that kind of thing like you know one person doesn’t respond do you have multiple contacts for a vendor that you just kind of like go up and above or Jefferson: well uh if if we aren’t getting a good response from the vendor then we include the business unit because at the end of the day they’re the ones responsible for accepting the the risk. So if it’s just an issue of of no response we’ll go to the business unit first and tell them hey we need a better contact or we need you to get them to respond to us otherwise we have no choice but to not recommend the vendor. How does prevalent help you with this? Jefferson: Prevalent helps us with this by you know we we can track the nice thing is any questionnaire we send out we can track when we send it out we can track SLAs’s for you know when was it sent out when was it first answered was it totally answered was ever fully completed was it completed within the the time frame that we set for them and we can look at our our SLA for response or or failure to respond rates and we can track that. We can track for business units or for for you the enterprise as a whole. So we can kind of see that helps us to determine also if you know is our questionnaire too bulky and cumbersome where people just can’t answer it within a certain time frame because you know it’s so nasty and they look at it they don’t want to or yeah if we’re getting a good response rate then maybe it’s you know just like Goldilocks and three bears maybe it’s just right and we know that we’re we’re in good shape. Brenda: Perfect. All right one go ahead. perspective before just to add on to that. Lowe’s was one of the first companies who was brave enough to go and asked the vendors information gathering questionnaires for profiling. So during COVID, they had received a list of thousands and thousands of vendors that may or may not have had point of contacts. And so what they did was they sent out these questionnaires and from the bouncebacks, correct me if I’m wrong, Jefferson, but you received bouncebacks and those listings went back to your internal organizations to say, “Okay, the ones that we had, we have information on these. This is the bucket of vendors that We don’t have accurate point of contacts. So, we need either the business to give those to us or we’re going to have to use a new feature that you may not have started using yet, but we have what’s called a contact lookup feature. And it gives you information on who you could go ask just to get it to the next person that someone physically is working there and they can get it to the right area. So, if that’s accurate, Jefferson, um, correct me if I’m wrong, but that’s that’s one of the techniques that you fed into the feature being developed. Jefferson: Absolutely. Now, we’ve not done that that last piece that you’re referring to with that feature, but yes, we did basically take our entire vendor inventory who we knew we were already doing business with. We had possibly a contact email address and we sent them an inherent risk questionnaire really that the vendor information gathering questionnaire and asked them, you know, what are you doing for for us?. Who’s your contact at Lowe’s?. And what type of data are you working with?. And we really use that to scale the inherent risk with the vendor. And then uh we would automatically rank those into buckets, high, medium, or low. And the high-risisk vendors would automatically have risk assessments launched through the system, the more in-depth assessment as required. So, we actually got surprisingly got a a good turnaround from that, good response. We had, you know, a large number that did not respond that we could then turn over to procurement and the business units and say, “Hey, give us good information or we can’t do our jobs.”. But the ones that did answer, which were a surprising number of vendors that did respond, we could then automatically fire off assessments, which created less work for analysts because They don’t actually see the assessment until they have a completed questionnaire in front of them and then they can just jump straight into the analysis. Amanda: Perfect. All right. Well, are you guys ready to move on to the next question? Brenda: Okay, cool. Uh, so the next one is, do you risk rank your vendors as critical, high, medium, low, or use other buckets? Jefferson: We do. Uh, we we call them you we have different terms, but essentially yes. It’s critical, high, medium, low based on, you know, they have every vendor that comes on board. goes through an inherent risk screening first through our intake and our GRC platform and then if they rate a a critical high or medium then they’ll get that full assessment through the prevalent platform. If they’re low risk then basically it stops there but we we file them away in our GRC platform saying no further assessment required and you know manufacturers many times are are falling into that category unless they are vital supply chain vendors then we treat them as a critical vendor and uh and also we can do that from the other direction like Brena just mentioned with that vendor information gathering survey if we don’t know you know how they were screened in the beginning because there was no vendor onboarding assessment let’s say if you have a new program and you have thousands of vendors already in play that were never screened then you can do it the other way and actually ask them through that survey ask them what they do and then automatically rank them that way and we when we do that we have high medium low buckets as well. Amanda: perfect. Well, that is all we have for right now. I encourage anyone else, even any other customers that are on the line right now if you guys wanted to Oh, we got another one. I love pushing it. All right, thanks people. Okay. Oh, this is a hefty one. Now that privacy shield is invalidated and vendors who are transferring personal data from the EA to the US or personal data is being assessed or accessed sorry from US that is stored in the EA. How are you obtaining vendors response?. is on the safeguards used to allow the transfer and or access of the EU personal data. Jefferson: That’s a good question. Thankfully for us that that’s a very very limited uh set because all our business is done in the US. and so we don’t really have that to the same play but it’s another good reason to actually partner with your legal team as well because we do do privacy impact assessments automatically on on our side with legals involvement as well. which is an automated assessment on the in the GRC uh platform. So, we’re able to track the personal information that way. But as far as EU transfer information, that’s something we’re just just now taking a look at. Brenda: And some of the mature companies I’ve seen, um they just make sure that the information is stored in the appropriate areas with their software as a service if that’s the case. And then resources in those locations can do the assessments and make sure that it doesn’t cross the border as as it shouldn’t or viewable as it shouldn’t. There’s also some stipulations in the legal, like you said, Jefferson, that if there is the ability to cross, then those items are very well in tuned with the legal ramifications andor the protections. Amanda: That makes sense. All right, we have a couple more here. Thanks everyone for participating. How many vendors do you assess per year and how many team members are doing this work for you, Jefferson? Jefferson: Well, the actual number of vendors I’d say is in the thousands. So, we We do have a very large number of vendors. We do automate the process as much as possible. Uh we have a team of more than a dozen analysts that that do this work and ideally getting that ideal number of how many assessments should any one analyst have at any given time. You know, it it varies. The old school answer is about maybe about 15 uh a month is what analysts can can complete. The more you automate, the more you can bump that up. So, we’re we’re we’re trying to push the envelope and see how many we can do, but at the same time, time, not degrade the quality of the assessment. We don’t want to just, you know, punch a ticket and say that the assessment was done. So, there’s that that fine balance between doing as many as possible per analyst, but at the same time still creating value and actually having relevant findings that are remediated. So, we’ll also break it down in in different teams and and as we grow, you know, we have the the assessment team, but we have a remediation team and then the uh the event management team as well. Right now, everybody does all the work, but as we grow and mature, won’t have different little mini teams handle different pieces of the the the vendor life cycle. Brenda: A lot of companies will um identify in their policy that they’re only working on a certain volume of assessments based on their criticality. So they’ll they’ll work on the criticals and the highs first and then the following year they’ll continue to work on criticals and highs but they’ll add the mediums. So that’s that’s another approach that people will take based on how many resources they have. Amanda: Yeah. I mean probably important to even realize like if you were looking for a solution like this and you’re here and you don’t have anything, you don’t have to start massively, right? Brenda: Well, and it doesn’t mean don’t do anything for those. So, I know that Jefferson has like threat intelligence and other things in place or mini questionnaires or those kinds of things that are key control focused, but when you do the deep dives, you have to really make sure that you’re using your resources appropriately based on how many you have on one side. Amanda: Right. Well, to bounce off of uh this other question, they’re curious as So what GRC solution you have that’s integrated with your VRM tool or is it integrated with your VRM tool? Jefferson: It is not integrated yet but that’s one of our big efforts uh this year because uh again the more we can automate the better. So right now requests come into our GRC platform and then we manually transcribe that really into our VRN platform but there is a major initiative underway to automate that and build the connections and APIs so that once the request comes in for the GRC platform it will automatically flow through. If it needs a full risk assessment, it will automatically launch in the in the platform, send the assessment to the vendor. They will fill it out in the in the portal and then our analysts again won’t actually see the assessment. First time they see it as they have a completed set of questions in front of them. Amanda: Perfect. Well, that is it for now. I’m going to say going once, going twice. Anybody else on the line?. Any other questions you want to ask Jefferson or Brenda before we give you a couple of minutes back in your day? Brenda: Well, thank you, Jefferson. If anyone asks questions, I really number one came in. So, that’s either a thank you or great job. Amanda: It is two. It is two thank yous. Many thanks. And thank you guys for coming in and being a part of it. We really do appreciate it. I keep getting thank yous. You’re welcome, everyone. Oh, that’s so funny. Well, that’s awesome. We love your feedback. Uh we really appreciate everyone joining and if you guys have any more questions right on the screen you see here info prevalent.net. Uh we will for sure get back to you if you didn’t have a chance to ask right away if you wanted to discuss anything else with anyone else on the line here. We’re happy to do so. Um again we will reach out if you said certain answers to the poll questions. So be uh aware of that and we’re always here to help you guys from a third party risk management standpoint. But you guys all have eight minutes left in your day that is given back to you. Congratulations. I will let everyone know. Yeah, Jefferson, great to see you. Thanks for coming back and joining us. And Brenda, always a pleasure to see your beautiful face. Brenda: Thanks, Amanda. Amanda: Wait till next time. Bye, everyone. Thank you. Jefferson: Bye. Brenda: Bye. Bye.