如何利用 NIST 进行第三方风险管理

Amanda Fina: Hi everybody, welcome. Amanda Fina: Hello. Amanda Fina: Happy October. Amanda Fina: We had a record-breaking amount of registrance for this webinar today. Amanda Fina: So, we’re all really excited. Amanda Fina: And while we wait to get things up and running and get all of you guys in here, I’m going to launch a poll question. Amanda Fina: And I would love to know what prompted you guys to join the webinar today. Amanda Fina: And this is multiple choice. Amanda Fina: It does say it here. Amanda Fina: You can say as many questions and answers as you want. Amanda Fina: Education, project research. Amanda Fina: You have a third-party risk management project. Amanda Fina: You have um your organization uses NIST to develop your security framework. Amanda Fina: You don’t know where you are. Amanda Fina: Well, welcome to the show. Amanda Fina: This is prevalence squid game. Amanda Fina: Just kidding. Amanda Fina: I hope you guys have seen that before. Amanda Fina: It’s really good. Amanda Fina: Um and also, you’re also a customer, so that’s great. Amanda Fina: So, I’m going to let that roll for a little bit while we do some introductions. Amanda Fina: Again, welcome everyone to how to use Nest for thirdparty risk management. Amanda Fina: My name is Amanda Fina. Amanda Fina: I am your host here and I also work at Prevalent in Business Development. Amanda Fina: We have our one and only Thomas Humphre here, our content manager who’s going to be running this ship. Amanda Fina: And of course, Scott Lane, VP of product marketing, and he will be joining us towards the end, but he wanted to show his face. Amanda Fina: Um, a couple of things while we get up and running here. Amanda Fina: You guys are all muted. Amanda Fina: So, we’re not going to see you or hear you, but please utilize the Q&A. Amanda Fina: We’re going to have space at the end for that. Amanda Fina: So, we really want to keep this engaged. Amanda Fina: We’re curious as to what brought you here, obviously, for the first poll question. Amanda Fina: We’ll ask another one towards the end. Amanda Fina: So, please utilize that. Amanda Fina: And also, we will be recording this and you’ll get it in your inbox tomorrow. Amanda Fina: So, you can share it and rewatch it as many times as you please. Amanda Fina: So, that’s pretty much it. Amanda Fina: I think I covered everything. Amanda Fina: If you guys need anything else, I’ll be popping in. Amanda Fina: Let me know in Thomas, take it away. Thomas Humphre: Thank you very much, Amanda. Thomas Humphre: Well, hello um everyone. Thomas Humphre: Um very warm welcome to you all. Thomas Humphre: Um I am Thomas Humphre uh the content manager at Prevalent. Thomas Humphre: Um I help to ensure that uh assessments are created based on new and emerging uh standards and frameworks um and obviously updates to existing frameworks as well. Thomas Humphre: Prior to my time at Prevalent, I was an ISO auditor, an external auditor for the best part 10 years uh working across certification bodies in the United Kingdom and in Singapore as well. Thomas Humphre: Um and of course I’d expect for most ISO audits on a local and global scale as well. Thomas Humphre: Um I’ll just go ahead and share the slides. Thomas Humphre: Get a thumbs up. Thomas Humphre: We all Can we all see the slides? Thomas Humphre: Hopefully those of you can. Thomas Humphre: If anyone Let’s do a shout out. Thomas Humphre: The purpose of today is uh how to use NIST and more specifically the NIST SP 853 framework for third party risk management or helping you to to manage your third parties. Thomas Humphre: Um as part of this uh we’ll be going through an introduction um an introduction to uh the standard and what it’s all about uh before doing a exploration between old against new an older version of NIST and and new revision 5 uh that was released at the back end of 2020. Thomas Humphre: I’ll then explore a deeper dive into revision 5 and look at the key changes um expansions and enhancements that NIST have made um before uh rounding us all up and thinking around what can you do now. Thomas Humphre: So taking all this information back with you when you go into the office later today or tomorrow or from next week and you start to engage and discuss around third parties how can this benefit you and how how can you take some of these key areas forward. Thomas Humphre: So hopefully you find it engaging hopefully you find it uh interesting for those who are new to NIST new to third party management and and as say if generally those who are just wanting to explore uh this area more then um as you’re very welcome um and with that we will get started. Thomas Humphre: So what is NIST SP853? Thomas Humphre: So as you may have seen from the previous slide, NIST or the National Institute of Standards and Technology um is a a US-based uh organization. Thomas Humphre: Uh it was initially developed um with federal agencies, federal government in in mind and obviously their respective contractors. Thomas Humphre: It’s actually used by both continuing to use by federal agencies but also private organizations. Thomas Humphre: Um locally and actually globally as well. Thomas Humphre: Um it’s a key framework for information and cyber security uh uh topics controls and in in a not too dissimilar way to the likes of ISO 27,0001 and and other frameworks. Thomas Humphre: It provides quite a comprehensive list of core security and and and and privacy based controls. Thomas Humphre: So everything from access management to asset protection uh people security continuity, security, system development and of course uh supplier management or third party risk management as well. Thomas Humphre: So it provides a quite a comprehensive uh list of controls that are helping organizations to uh either enhance or or set up for the first time their management system. Thomas Humphre: So we talk about third party risk. Thomas Humphre: What exactly are we talking about? Thomas Humphre: There’s a lot of risk out there. Thomas Humphre: There’s a lot of different types of risks and of course risks are different for different sectors and industries and organizations. Thomas Humphre: Some risks may be mission critical to the business. Thomas Humphre: Some may be very very low down the agenda. Thomas Humphre: But here are six samples of different types of risk that could affect third parties and supply chain. Thomas Humphre: So number one, supply chain disruption. Thomas Humphre: So interruptions to the flow of components from upstream. Thomas Humphre: Now Now, thinking back over the last 6 to 12 months or so, obviously there’s been many examples of this, perhaps one of the more notable has been the the case in the Suez Canal and and and the ship uh Evermore or Ever After uh that was stranded, this this massive cargo ship that was held up for for many many days. Thomas Humphre: And thinking about the the the the complexity of this and certainly the volume of of of goods and components and materials that the ship such as this had on board and you begin to realize just how disruptive uh such an event can be uh certainly to particularly um more so to those organizations and industries working to just in time requirements. Thomas Humphre: Cyber attacks obviously something that’s that’s ever increasing uh not least around uh ransomware again if you think back over the last 12 months or so uh some of the ransomware uh attacks that have hit the likes of so Bowins, Microsoft, um, and other major organizations. Thomas Humphre: And what’s been interesting in those circumstances is where the visibility of how many organizations and perhaps some you wouldn’t expect of have then been impacted by it. Thomas Humphre: So thinking about how the cyber attacks could affect not just yourself as a business, but where you’re reliant on a third party to deliver a critical product or service, and if that product itself is is suffering from such a cyber attack, uh, the level of um obviously harm and effect that can give to your business. Thomas Humphre: Data privacy of course um has one of the most famous laws in recent in recent times. Thomas Humphre: GDPR um has has been with us for many years now. Thomas Humphre: And of course there are many uh other countries that are are beefing up that are in increasing or improving their uh data privacy laws. Thomas Humphre: Um and obviously from from a United States perspective there there are obviously more states are focusing on privacy. Thomas Humphre: Um, California being perhaps one of the more um more widely known and and and prominent there. Thomas Humphre: But there’s geopolitical and governance based risks as well. Thomas Humphre: So trade and border disruptions through tariffs, taxes, uh additional administrative details. Thomas Humphre: Uh certainly for anyone who’s within the United Kingdom who’s with us today, um or within Europe will will have keenly felt this given what’s happened over the last um 18 months or so between the United Kingdom and and and Europe. Thomas Humphre: Um and again the level of disruption and delay uh uh uh such uh additional administration can cause has been keenly felt by many organization and industry. Thomas Humphre: Uh governance um a topic that’s becoming more uh of greater interest to many organizations now ESG um environmental social and governance. Thomas Humphre: And it’s an interesting area to talk about not only from your own industry and your own organization, but how it affects the supply chain, how it affects your third parties or how what those third parties are doing could affect you as a business, particularly from a brand and reputational perspective. Thomas Humphre: Thinking about um not following environmental best practice, not following social um um um governance best practices, some of the pressure groups and and and reputation impacts again can also be keely felt across across many organizations. Thomas Humphre: And then of course natural disasters is quite a common across a lot of different uh risk management frameworks. Thomas Humphre: Um quite unpredictable and in many ways um leading off of or leading into number one as well. Thomas Humphre: It’s obviously it’s always important to underline that obviously this is just some of of many uh types of risks and of course depending on the industry you are the type of organization the size of the organization some of them will be more pertinent than others. Thomas Humphre: So that being said, let’s take a look at uh revision 4 of NIST which is the which is the uh older version of the framework of SP853 to have a look at what was actually done and what was what was uh uh called out. Thomas Humphre: So what did revision of force say about managing third parties? Thomas Humphre: So supply chain protection was a control covered under a wider customer service acquisition control group. Thomas Humphre: So what do I mean by this? Thomas Humphre: So if you think of NIST framework like some filing cabinets and under one filing cabinet you have lots of individual drawers and if you imagine each drawer being a different group access control asset management uh HR security system and service acquisition supply chain protection was a file under that draw of system and service acquisition and the principal aim uh as outlined through through the framework was to employ security safeguards to protect against supply chain threats. Thomas Humphre: So this single control in a wider group focused on identifying vulnerabilities or the need to identify vulnerabilities um through a dedicated and clear-cut life cycle and also from a strategic aim and to derive and identify controls and practices to help mitigate and remediate or remove where practical. Thomas Humphre: those vulnerabilities. Thomas Humphre: There was emphasis on the acquisition and procurement of third parties. Thomas Humphre: You’re thinking around the onboarding of third parties and driving awareness of those vulnerabilities and those controls. Thomas Humphre: So when thinking about the the procurement of a third party, terms and conditions and contracts, are there qu are there clearcut security controls, privacy controls that need to be embedded in those contracts? Thomas Humphre: Um so that there’s there’s there’s visibility from the third party. Thomas Humphre: There’s agreement between both companies that the right uh actions are being taken to secure the product or service that’s being supplied. Thomas Humphre: Requirement to review and s assess suppliers and their products particularly prior to engagement to thinking about due diligence that you that you do or that you should be doing on third parties. Thomas Humphre: Um and there’s variously ways to do this and methods to do this and and also areas to determine do have controls and practices already in place that meet our business’s objectives as well. Thomas Humphre: Are we engaging with third parties who for example are certified across ISO 27,0001 for security or ISO 9,0001 for quality? Thomas Humphre: Um do they apply best practices um when they’re when they’re conducting system and software development and all these areas that need to be reviewed and assessed prior to engaging with with the supplier or the third party. Thomas Humphre: of course visibility of the wider supply chain as well. Thomas Humphre: Um particularly given nowadays we’re not looking at a single third party then maybe two or three or four or even multiple um parties all have a say in building that final product or service that’s going back out to yourselves and eventually to your own customers um and clients. Thomas Humphre: So having that that being mindful of that and being aware of how big and how small the supply chain is particularly if you’re thinking about what controls do we need to add in, what uh uh clauses do we need to state within these these contracts and agreements. Thomas Humphre: And then operational security and identification of critical system components. Thomas Humphre: And we’ll cover operational security uh in a little while. Thomas Humphre: That’s an area that is also covered um and and expanded slightly in revision five. Thomas Humphre: But again, thinking about the need for security requirements um not least if you’re engaging with a third party outside of the organization, but also where you’re bringing third parties in to help deliver a service, for example, maintenance of information systems. Thomas Humphre: Um, and so applying the right security controls to protect your own assets um um where practical. Thomas Humphre: So what does this mean when when in in relation to the revision five as well and what’s what’s the biggest changes and and and and steps that have been made from um from from this so I mentioned we’ve gone from single clause under a wider control group there’s a heavy focus on generating obviously security controls security safeguards and based on the the vulnerabilities that have been identified. Thomas Humphre: What’s interesting however is is what I call a lack of clear risk requirements um and and and you’ll see why um in in in a short while as well. Thomas Humphre: So What happened to revision five then? Thomas Humphre: Well, NIST have actually taken this single clause and created a standalone control group. Thomas Humphre: So, thinking about that analogy with the filing cabinets in individual files where the the uh supply uh supplier uh clause was under a wider security control group. Thomas Humphre: It’s now its own control group which has given a lot more visibility and coverage um and and greater emphasis on on on controls and control requirements. Thomas Humphre: Risk is now at the heart of the supply chain management or supply chain risk management control group. Thomas Humphre: Um and not just the need to identify risks but having a clear structured risk management framework and risk process and and and and policy framework as well. Thomas Humphre: There’s increased transparency of systems and products. Thomas Humphre: So from cradle to grade from start to finish across the life cycle or a development life cycle. Thomas Humphre: For example, having greater visibility of the individual components and where they are they are across the life cycle and increased visibility of supply changes as well and certainly not least issues and events. Thomas Humphre: So that level of engagement with the supplier with third party and and how you work with them um so that any changes um uh issues events scenarios the organiz ation is is keenly aware of them in a timely manner. Thomas Humphre: So what does this look like in practice? Thomas Humphre: So hopefully everyone can see that on the right hand side we have from SR1 through to SR12. Thomas Humphre: So there are now 12 controls under this controlled group supply chain risk management. Thomas Humphre: So going from the single control in 54 that captures everything under a single control to now 12 very clearly defined um controls and control requirements. Thomas Humphre: So we have policy and procedure or more specifically risk policy and procedure risk management planning supply chain control and process provenence acquisition strategies supplier assessments operational security notification agreements tamper resistance and detection, inspection of systems or components, component authenticity, and component disposal. Thomas Humphre: So, there’s a lot going on there. Thomas Humphre: There’s a lot of different areas as you can see. Thomas Humphre: What I’ll be doing uh in in short in a short while is taking each one of these in turn um but through these six these six he headings. Thomas Humphre: So, I want to start talking about what risk means as saying this have put risk at the heart of this framework. Thomas Humphre: Now, um um and and how that then leads or bleeds into uh control management and identifying appropriate controls through a dedicated risk plan. Thomas Humphre: What transparency means, how they’ve expanded assessments and reviews, operational security and and the expansion of agreements as well, particularly around this this concept of of notifications and and the requirement of notifications. Thomas Humphre: So I mentioned risk is now at the heart of the framework. Thomas Humphre: So formalizing the approach to identifying, managing, treating and monitoring supply chain risk. Thomas Humphre: So what does this mean? Thomas Humphre: It’s been broken down into two areas. Thomas Humphre: Developing, documenting, and disseminating a supply chain risk management policy. Thomas Humphre: and developing a plan for managing supply chain risk. Thomas Humphre: So this is perhaps the first and and most obvious change that NIST have in have have brought into their framework. Thomas Humphre: So we’re not just saying you need to identify vulnerabilities um and and and risks um in order to then applying appropriate um protection through through controls. Thomas Humphre: We need to develop a clear management policy um and for that matter policy and procedures as well. Thomas Humphre: to help you identify this this this risk. Thomas Humphre: So what are we talking about when we’re saying developing a risk policy? Thomas Humphre: Now many organizations um obviously already have different types of risk policies for managing business risk, financial risk, security risk, privacy risk um and of course third party um supply risk um is another part of that. Thomas Humphre: So if there are already existing policies in place of how a business manages its risk um as a business or financial perspective, having a similar structure or utilizing that same methodology um and expanding it to include supply chain could be a consideration instead of starting from scratch with a brand new policy. Thomas Humphre: So what does that look like however? Thomas Humphre: Well, the policy should set the scene like all good policies. Thomas Humphre: It should be clear. Thomas Humphre: It should describe that approach of how are we going about identifying and risk assessing um our third party. Thomas Humphre: ies tiering and profiling are two key aspects of this. Thomas Humphre: If you take a look and think about the different type of suppliers and third parties, do you have five? Thomas Humphre: Do you have 10? Thomas Humphre: Do you have a hundred? Thomas Humphre: Do you have two, three, 400? Thomas Humphre: In some cases, some organizations have a very have a multitude of third parties that they have to deal with. Thomas Humphre: So, the ability to tier and profile the third parties can become incredibly critical here. Thomas Humphre: The ability to say We have a 100 third parties, but we know that we can split them into what we’d like to call critical through to low or level one to level three. Thomas Humphre: Um, red, green, um, red, amber, and green, whatever is appropriate appropriate. Thomas Humphre: But anything to make it clear that when you’re thinking of delivery of missionritical product and service, these are the suppliers that we’re dealing with, suppliers that we may be dealing with on a daily, weekly, monthly basis that are are key to the business. Thomas Humphre: that don’t have a detrimental impact to the end product or service should um a risk occur. Thomas Humphre: And we’ve tiered them and and identified them as such. Thomas Humphre: So really starting off identifying that approach you’re taking how you’re you’re identifying risk and the use of different risk methodologies becomes quite key here as well. Thomas Humphre: There’s a lot of different methodologies around um some of the more uh I guess apparent and well-known thinking of ISO 31,000 for risk management uh 27,05 for information security risk management leaning on the 27,0001 standard and even NIST RMF or risk management framework is just just just three examples of different methodologies that companies can use and and and to help drive um um and and and and deliver clear risk management um and and and risk types. Thomas Humphre: And roles is very critical here as well. Thomas Humphre: So the roles defined for managing risks when you get to the stage where you want to identify risk and you’re sitting around the table having that discussion. Thomas Humphre: Well, who’s at the table? Thomas Humphre: Are you leaving risks to a single entity? Thomas Humphre: This is security. Thomas Humphre: So it should be security risks the security team or the IT team. Thomas Humphre: This is privacy. Thomas Humphre: So it should be just be the privacy team or this is a serious suppliers and third parties. Thomas Humphre: You sure is should be the supply team or the team engaged with third parties? Thomas Humphre: What we’re saying however is you want a diverse a group as possible to be engaged to identify what those risks are. Thomas Humphre: So having people from business, security, privacy, legal, um procurement, um supply, whoever it is, so you get the best possible group of individuals um um to identify the most appropriate risks um And of course it’s always important to note that um obviously not all organizations have five, six, seven, eight functions to be able to do that and some individuals fill multiple roles and of course that’s okay too. Thomas Humphre: The key thing to note with NIST as as with other other known frameworks is that it’s it’s not dedicated to one type of organization. Thomas Humphre: So whether you’re a company of 10,000 employees of a global scale, a large software house for example, or you’re a fivep person digital agency for example um these frameworks are built so that they should be able to be applicable and apply to you and to fit your business model and and your circumstance as well. Thomas Humphre: So defining those roles and engaging as many people as practical when identifying the risk. Thomas Humphre: So once we’ve identified the policy we can then move on to the actual plan it well itself planning for managing the supply chain risk and this is where the detail comes into it. Thomas Humphre: Then the use of those methodologies such as uh 31,000 or 27,05 from ISO or RMF from NIST uh come into play. Thomas Humphre: So the actual methodology of how you identify a threat and the vulnerability the calculation um so the risk impact over the risk likelihood does it give you a a clear risk score and then how do you categorize that? Thomas Humphre: The highs, the mediums, the lows, the reds, the ambers, the greens. Thomas Humphre: So developing that plan um that enables you to then create those risk registers based on the supply or the third party risks that we’ve discussed. Thomas Humphre: Um and of course it’s also then worth considering how how do is this built practically as well? Thomas Humphre: So do you use the most common approach um and although albe it quite a quite an aged approach of Excel sheets um do you use tools and platforms that enable you to do this? Thomas Humphre: Do you use a combination of both or do you use something else altogether? Thomas Humphre: But the focus here is being able to think about and develop a very clear risk strategy through policy process and and plans. Thomas Humphre: We then move on to the other core aspects. Thomas Humphre: So we’ve got to the stage where we’ve developed the risk framework, developed the risk methodology and the risk registers and we’ve even got to creating and identifying the controls, type of security controls, privacy controls or other controls that we need to try and mitigate or bring down those risks that we’ve established. Thomas Humphre: So transparency. Thomas Humphre: So what do we mean by transparency? Thomas Humphre: So provenence is one of the aspects covered under the new NIST framework. Thomas Humphre: So being aware of the origin of components and systems is critical particularly if we’re looking at an organization who uses multiple third parties deliver that end product or service. Thomas Humphre: Are you keenly aware of each individual component to that system and where it’s come from and particularly where there are changes? Thomas Humphre: So changes to third parties uh change to their business processes changes that actually impact delivery um of those original components. Thomas Humphre: Obviously these all need to be assessed, risk assessed and document. Thomas Humphre: mented as well. Thomas Humphre: So you can then make informed decisions about do we need to react to this? Thomas Humphre: Do we need to change our approach of of of how we manage these risks or are there new risks that have come up as a result of this that we also need to capture and and and obviously discuss as well as well as transparency of the origin of of of components and systems. Thomas Humphre: Um component authenticity is is is very key as well. Thomas Humphre: There’s a lot of of the organizations selling a lot of different products all over the world now and we need to be comforted by the fact that the products that you’re receiving are are are sound of course and that they can be validated that they are genuine products. Thomas Humphre: Um how do you do this? Thomas Humphre: Well, one of the considerations could be through the use of methods to to to protect event against uh counterfeit goods. Thomas Humphre: So the use of holograms um track and trace systems so based on location so from start to the end of a component being able to trace the location of that component until it reaches until it reaches the organization. Thomas Humphre: So there’s a lot more emphasis now on how uh when you’re looking at systems, infrastructure, uh system components, even software for that matter, being mindful of of where the pieces fit and where they are along their journey and and particularly uh the transparency of where changes have occurred. Thomas Humphre: Assessments and reviews. Thomas Humphre: So, we mentioned before that assessments are predominantly focused around um the need for preassessments. Thomas Humphre: So, when you’re looking at the on boarding of suppliers um and third parties and some of the due diligence checks that are that are required um um as part of this process, well, that still remains the same within NIST uh 853 um and the need to assess suppliers based on um identifying risks um but also looking at the long-term assessments. Thomas Humphre: So once you’ve got to the stage where you’ve on boarded your third parties, you’ve tiered them, they’ve gone through um due diligence checks, you’ve verified if they’ve had um ISO certifications, for example, ongoing performance management, ongoing assessments and reviews, which of course can come in many shapes and sizes, whether it’s physical on-site assessments and audits, virtual audits, again something that’s becoming more common now, um or reviewing performance through other means and through and through reports um and certainly based on any contractual um or or terms and conditions as well. Thomas Humphre: But the key point is this should all link back to risk as well. Thomas Humphre: So something you’ll notice and and something I may I may I may repeat across uh the the discussion today um is that it’s a continual improvement and the cyclical process. Thomas Humphre: So all each of these pieces from transparency to assessments and reviews um operational security and agreements, it should all come back to let’s review our risks, let’s review based on where we started, based on the process and the journey we’ve gone through with our um with our third parties. Thomas Humphre: Has this changed our approach? Thomas Humphre: Has this changed um our view of the controls we’re deploying? Thomas Humphre: Um and and and and whether they are fit for purpose based on the risks um that we’ve identified. Thomas Humphre: On the top of that, we’re then looking at testing and inspection. Thomas Humphre: So, it’s part of just assessing the reviews, assessing the performance, the SLAs’s, the targets, and the ability for the organization, the third party to deliver uh the product or service back to the back to the business. Thomas Humphre: Um is there the ability to test or analyze any of the processes or end products either prior to on boarding or throughout? Thomas Humphre: Is this something that you want to build into the contractual agreement that based on um the delivery of of software if you’re outsourcing the software development process for example to a third party? Thomas Humphre: Um is there anything in the agreement that allows you to conduct your own testing or at least to view um um um some of the security testing for example that occurs and inspection systems and components as well? Thomas Humphre: Um, and any any processes to to um limit uh the ability to to tamper uh with with systems and components. Thomas Humphre: It’s also is important to note that when you’re looking at the NIS framework and the wider framework um as well as these controls that are in the supply chain risk management section, not all of them are going to be obviously applicable to every organization. Thomas Humphre: So, it’s just trying to look through and understand does this work for us as a business? Thomas Humphre: Does this fit in with what we’re doing and the product and service that we’re supplying? Thomas Humphre: Um, some of them are going to be all all-encompassing such as the risk management, developing risk frameworks. Thomas Humphre: Um, some of them are going to be more specific around uh the type of say product and service that you’re engaging a third party to uh to help deliver to yourself. Thomas Humphre: Then move on to operational security and the agreements. Thomas Humphre: So what do you mean by operational security? Thomas Humphre: Well, it’s talking about identification of supply chain information relating to sensitive operations and systems, identifying security controls to counter measure risks identified and then implementing those security controls particularly to help protect the confidentiality of any of this information. Thomas Humphre: So what do we mean by supply chain information looking at system components uh security and privacy uh testing um uh testing requirements as well. Thomas Humphre: When we’re looking at identifying controls, um if you think about the scenario where a third party may be brought in to conduct maintenance on on some in-house equipment or providing a service inhouse to some of your your your systems or infrastructure, there are obviously immediate risks that come to mind when you think about data privacy, the type of data that a third party may be uh accessing or or or viewing as part of their service or even outside of their service. Thomas Humphre: So the controls and counter measures that you may need to protect or limit that visibility of that type of information or data for example um what steps that need to be taken to maintain the integrity of those systems and the confident confidentiality of any of that information. Thomas Humphre: And again when we’re looking at the agreements um which we’ll be coming on to um capturing those type of requirements in some circumstances um um with uh with with the suppliers with third parties to move on to the agreements themselves and third party agreements or contracts should clearly underline security and privacy related controls uh that should be adhered to um particularly you’re looking at development and supply of systems and services. Thomas Humphre: So going through that process of identifying those risks and knowing that for example um uh we know that data privacy is very important to us uh based on the nature of what we do the type of data or the sensitivity of data um to use some some GDPR terminology PII SPI so personal or sensitive personal information. Thomas Humphre: So are there key controls that we need to enforce on the third party or at least we need to be asking of the third party if Think of the sino particularly where a third party may be engaged but maybe out of jurisdiction of a frame a regulation such a GDPR are there additional steps that you need to satisfy yourselves that they are adhering to um whether it’s both best practice and your own internal policies and processes? Thomas Humphre: So making sure that these areas are captured within contracts and terms of agreement. Thomas Humphre: So the way they um um capture and hold that data for example um the requirements to um not provide them with real data um if they’re developing a piece of software um so the obfuscation of data or only through the use of test or dummy data for example. Thomas Humphre: So it’s thinking about all of these controls and how they can be applied or perhaps how they should be applied to third parties through these formal agreements. Thomas Humphre: And again as we discussed earlier um when conducting those assessments and those regular assessments so those monthly quarterly annual uh performance reviews is taking a look at what the contract says as well and whether these are being met um and and and achieved. Thomas Humphre: Mentioned notification agreements as well has also been captured um um within within the new NIST framework and and this is where starting to look at the communication and how communication is planned and managed with a third party. Thomas Humphre: Um obviously if if if it changed to a third party occurs, we’d like to know about it. Thomas Humphre: Certainly, if incidents, events, data breaches, continuity scenarios, anything of that nature occurs, you would need to know and you’d need to be involved. Thomas Humphre: So, making sure there’s a clear agreement or clear clear structure in place in terms of how third parties respond to you, points of contact, communication flows for any of these uh scenarios. Thomas Humphre: Um, it’s it’s important to incorp that and to think about that when developing these contracts in terms of agreement with the suppliers. Thomas Humphre: And again, thinking about um thinking about the nature of of of tiering your third parties as well, you may need a slightly different agreement or or or or volume of information in a say a tier one or or critical um third party versus a tier four or low um low critical uh third party. Thomas Humphre: for example. Thomas Humphre: So, it’s making sure there’s a balance between getting the right controls and the requirements in place for the agreement to satisfy yourself that the third parties are doing the right thing, they’re adhering to these best practices or to business operational practices. Thomas Humphre: Um, so that when they deliver that product or service back to your organization, it’s at the level you expect whether it’s at the level of security, quality and and and and privacy um that you would expect. Thomas Humphre: So what does this all mean in practice then? Thomas Humphre: Excuse me. Thomas Humphre: So I mentioned the key changes that NIST SP853 has has indicated in revision five and it’s now one of a larger group of of of a larger controlled group. Thomas Humphre: um which has enabled this expansion and and and greater level of depth across the framework and around supply chain risk management. Thomas Humphre: There’s been enhancement to the need for formal risk planning, risk policy as well. Thomas Humphre: Um and and then enhancements over the transparency, the visibility of controls that third parties are using and utilizing and the level of involvement you you should be having um um with third parties as well. Thomas Humphre: So what can you do now when you go back to your office or you start the day today or you next discuss uh your your your your supply base your third party base um with your colleagues? Thomas Humphre: Well number one is identify your third parties. Thomas Humphre: Tearing and profiling is so valuable here. Thomas Humphre: Um thinking about the criticality that each of the third parties are bringing to the table and that you’re requiring them for. Thomas Humphre: adopting a rating for third parties um based on that criticality criticality to the organization or criticality to the product and services they’re providing. Thomas Humphre: Can you categorize them based on the high, medium, low, one, two, three, red, amber, green status? Thomas Humphre: And something to complement that and obviously to help with that is the profiling of the tip third parties. Thomas Humphre: Particular if you have quite a large uh group of third parties that you’re engaged with or that you need to engage with. Thomas Humphre: Um being able to profile for them to understand the type of service are provided, the type of data they handle, where they’re operating from, the complexity of their operations, their reliance on uh their own third parties can all help to bring together um that that that rating and that tiering of of of each each party. Thomas Humphre: So once you’ve identified your third parties, you then need to start to develop this risk assessment process. Thomas Humphre: And as I said, where you already have existing risk plans and risk assessment methodologies in place through business financial risk, security risk and and and and so on and so forth. Thomas Humphre: If there’s the ability to adapt that to include supply risk, then all the better. Thomas Humphre: Um obly the worst thing is is trying to create something that you already have. Thomas Humphre: Um if you can expand on it to cover supply risk or third party risk, then all the better. Thomas Humphre: Obviously, as part of that, consider those known methodologies, the ISO 31,000s, the NIST RMFS the ISO 27,05s um because they have very clearcut methods to defining and calculating those risks as well. Thomas Humphre: Impact over likelihood gives you the risk score for example identify roles and responsibilities. Thomas Humphre: So the importance as say for that team-based approach involve as many people as possible from as many functions as practical um so you can get the best result and the most balanced view of how risky is this? Thomas Humphre: As far as we’re concerned, security, cyber, and data privacy risk is the topmost concern for the business or the supply chain um and and and natural disaster is the topmost risk for the business. Thomas Humphre: But obviously, one way to do that is to have a broader team as possible to obviously engage and and to discuss those type of risks. Thomas Humphre: Once you’ve got that process in place, that plan in place, um um to identify how you’re going to calculate risk, how you’re going to identify risk and and who’s going to be involved. Thomas Humphre: Um um also deciding what methodology you’re using. Thomas Humphre: Are the platforms that you can use? Thomas Humphre: Are the spreadsheets that would be a better fit for you? Thomas Humphre: What can you do a balance? Thomas Humphre: Particularly if you’re trying to consolidate this all into a a a a clear system and a clear structure. Thomas Humphre: So once you’ve got the risk assessment process, there’s obviously conducting the risk assessments themselves. Thomas Humphre: So identifying your assets and critical business services and products that you supply and that you need. Thomas Humphre: Identify any threats and vulnerabilities to the organization and to those assets. Thomas Humphre: Assess the likelihood of occurrence. Thomas Humphre: What’s the likelihood of those threats actually occurring and and are there business assets that would be harder hit than others? Thomas Humphre: And then identifying selecting controls based on risk treatment decisions. Thomas Humphre: Uh Are there actual controls that need to be in place? Thomas Humphre: Are there policies that need to be established? Thomas Humphre: So, thinking about those key assets and and and and systems, threats and vulnerabilities, how likely they are to occur, and where these third parties will be involved in delivering that critical asset or business service or supporting that asset and or business service or products. Thomas Humphre: And so, once you’ve got to the stage where you’ve built the risk plan, you’ve identified your third parties, you’ve conducted the risk assessment, you’ve got a clear picture of your key risks which again as I mentioned should always be continually uh reviewed um for for improvement not least for obviously new and emerging risks but also change to suppliers and supply chain. Thomas Humphre: You can then start to create and execute a plan to address those risks. Thomas Humphre: So start to consider those mitigation controls and how they should feed into your third parties the third party contracts and terms of agreement. Thomas Humphre: How do you now need to engage with third parties um and assess them based on the type of controls that they should have in place? Thomas Humphre: Um so you’re linking uh the risks you’ve identified, the controls you’ve established, and then how those controls can be um um used to measure your third parties. Thomas Humphre: And then lastly, of course, once you’ve got third parties um um working with you, you’ve engaged with them and you’ve established these controls, and you’ve established um formal contracts and terms of agreement, starting to build in um um that that ongoing visibility and engagement with them so that there is notification so that you are staying top of changes um so that if a risk does occur and one of those risks does materialize based on an incident, an event, a data breach for example in a third party or a disruption to the supply chain your contracts, your your your your level of communication with the with the third parties as well as that risk framework will put you in far greater state to be able to handle those type of risks and and have a clear plan of attack um um to manage them going forward. Thomas Humphre: So, moving towards the end of my presentation now. Thomas Humphre: Um, I hope you found it very engaging. Thomas Humphre: I hope you’ve managed to learn the key changes that NIST have made from revision 4 to revision five. Thomas Humphre: Identification of type of risks that need to be considered when looking at existing or future third parties and what action plan NIST advises as well in terms of creating risk frameworks and seeing that through to the level of engagement control um um um control processes and and and um give me peace of mind when engaging with the third parties. Thomas Humphre: Um I’d now like to hand this back to Amanda um who I believe may run through um any question and answers we have. Amanda Fina: Hey everybody, can you hear me and see me? Amanda Fina: I don’t see myself. Amanda Fina: So, I’m just assuming anyh who I I’m actually gonna throw it back to Scott Lang who uh was joining us in the beginning as well. Amanda Fina: So, we’d like to just share a really good resource from you guys and have him break it down a bit more that I think would benefit all of you especially with your interest in NIST and attending this webinar. Amanda Fina: So, I will let Scott take it away and Thomas you can actually go to the next slide. Thomas Humphre: Sure. Scott Lane: For that one. Scott Lane: There we go. Scott Lane: Awesome. Scott Lane: Uh, we got a ton of questions and I’m going to go super fast through this one slide so that we can get back to the questions. Scott Lane: This is a hot topic today, folks. Scott Lane: Uh, and really thank you for your engagement on that. Scott Lane: Uh, just two seconds for me and then, you know, back to the more important stuff of getting questions answered. Scott Lane: Um, we have gone through a a very detailed exercise of waiting through um 853, 800 161, uh the CSF and then a couple of other related um uh uh uh you know NIST uh frameworks as well as tons of other compliance frameworks and regulations um and mapped chapter and verse from uh those regulations and frameworks into capabilities that the prevalent platform helps to address. Scott Lane: So what you know you’ll see if you download the the the handbook the complete thirdparty risk management uh hand compliance handbook is a chapter on each one of the regulations and frameworks and um you know it breaks down chapter in verse what the requirement is and then what and how prevalent can help from a feature from a process perspective uh from a services perspective uh you know for more so as you’re looking to mature and grow and expand maybe your individual NIST framework adoption and and footprint in your organization um I I definitely recommend you know downloading that paper uh you know Thomas had a hand in writing it uh we had some other folks uh some outside consultants and auditors help help to build it out as well so it’s legit. Scott Lane: Um, again, uh, that’s all I wanted to share with you. Scott Lane: Please, uh, you know, download that paper, follow up with us if you want a copy of it. Scott Lane: Uh, and I’m going to turn it right back over to, uh, to Amanda to kind of facilitate our Q&A session. Amanda Fina: Absolutely. Amanda Fina: Thanks, Scott. Amanda Fina: And just something else to add, I know that you obviously can’t click that link, but we will send that to you if you’re interested. Amanda Fina: Feel free to go in the chat and say you want a copy, or we we’ll also put in the slides in the recording email uh, later. Amanda Fina: But for now, let me while we get started on the Q&A, I’m I’m going to just put up another poll question. Amanda Fina: We might have missed some of you in the beginning. Amanda Fina: We’re curious, are you looking to augment or establish a third-party risk management program in this coming months before we get ready for the new year? Amanda Fina: So, we’re just curious about that and I will leave that up. Amanda Fina: Okay. Amanda Fina: So, I have to apologize in advance. Amanda Fina: We probably won’t get to all the questions, but we’re really excited about these. Amanda Fina: So, I’m going to just pick at random here. Amanda Fina: And the first one is, so when risks identified and prevalent, do you recommend the organization to cover some of the risks via a contractual agreement? Amanda Fina: identified. Amanda Fina: Do you recommend the organization to cover some of the risks via a contractual agreement? Thomas Humphre: That’s yeah, it’s a very interesting question. Thomas Humphre: Now, um so I mentioned obviously earlier the the you know the importance of of of contracts and and and terms and terms of agreement. Thomas Humphre: Um when you say risks uh are identified Um there’s certainly the ability to you know through the use of of controls and and remediating actions. Thomas Humphre: Um if you’ve identified a risk and you know there’s a clear um plan of what needs to be done um to to to manage that risk. Thomas Humphre: Um then yes from a contractual perspective making sure that the text written in the contract or terms of agreement covers uh the the the remediation obviously stated in such a way to say that we are um um I’m trying to think of a good example now. Thomas Humphre: Um uh so let’s let’s say we’re talking about data privacy and there’s there’s obviously a risk here for for the handling of of of data and also the removal of data. Thomas Humphre: We obviously know that there’s there’s clear requirement from GDPR for example on how data should be um removed, handled and destroyed. Thomas Humphre: So having clear aspects in the contract that that the require organiz the third party to state to you and to provide evidence of their destruction process and evidence that they meet GDPR requirement um cannot even be any critical here and give you that confidence that um from a risk perspective they’re doing enough for you to lower the risk um um on them. Amanda Fina: Perfect answer. Amanda Fina: Okay, next random question. Amanda Fina: What is N’s approach in managing risk from an extended third party? Amanda Fina: Say company A outsources a system from third party B and that system has one or two components which are supplied by B’s third party say third party C. Amanda Fina: How do we manage risk in those two components? Amanda Fina: You can read it right Thomas? Amanda Fina: I know it’s hard for me to. Thomas Humphre: Can you repeat that Amanda? Thomas Humphre: I’m joking. Thomas Humphre: Um that’s that’s a very good question. Thomas Humphre: That’s actually interesting because this this idea of of the extended uh supply chain and extended third parties again as I say it’s becoming ever more critical um and and if there’s visibility of um um multiple third parties supplying individual components that make up that bigger picture that bigger product let’s say um so the fact that NIST have expanded the the um uh firstly the risk identification piece and and and also the uh the approach to carrying out um uh transparency as well. Thomas Humphre: And this is where I guess this would be most benefit. Thomas Humphre: So if you know that you have a third party and you’re aware that they have other parties down the chain that are that are actively um supplying a component, let’s say to an end piece of of of infrastructure, an end piece of kit for example. Thomas Humphre: Um having that trans to engage with the third party to be aware of where each component comes from and also through the assessments of that third party um as as well as the contract to say what due diligence are they doing on their third parties. Thomas Humphre: So where third party A outsources to B, B outsources to C and potentially so on and so forth. Thomas Humphre: Um there’s lots of due diligence and obviously uh aspects that you can push onto a third party to give you that information. Thomas Humphre: You know, we need to be clear that if we’re giving you this responsibility to develop this for us, we expect you to have put the nuts and bolts, you know, put put the eyes crossed the tees. Thomas Humphre: to make sure that the same type of processes are being followed in your suppliers as well. Thomas Humphre: I hope that makes sense. Amanda Fina: Yeah, I think it does. Amanda Fina: I even understand it. Amanda Fina: So, that’s helpful. Amanda Fina: Um, another question Here is any advice on prior audits and the value to divi to define future risks? Thomas Humphre: Advice on prior audits um. Amanda Fina: like past audits um and the value to define future risk. Amanda Fina: I mean that was a question if if it if you’re stumped on how to. Thomas Humphre: Oh, I’m understood the question. Thomas Humphre: I’m not sure if you’re referring to the the audits that I’ve conducted. Amanda Fina: Um I wish I could say well we can we can sidebar the person that asked that and don’t worry because we only have limited amount of time we have five minutes so. Thomas Humphre: um so um yeah so in terms of future risk um so I mentioned and and this is something certainly from my from my days as an ISO auditor particularly around 9 and 27,000 is this you know one of the benefits that ISO bringing about NIST is continual improvement and and This is why it’s very important to have um multiple roles managing risk in the business um and and having visibility of not just um your own industry and sector but on a more um um wider view as well because this concept of obviously new and emerging risk. Thomas Humphre: Um um I guess a good example is at the start I was talking about uh some of the uh data breach risks that we saw with Solar Winds with Microsoft and other organizations even if the or even if your company isn’t impacted by solar winds given the advent and ever increasing or prevalence of of of such risks taking that step back and saying well how does this impact us? Thomas Humphre: Have we done enough steps to make sure that we’re covered and we’re protected against um uh uh such such breaches such rans ransomware sorry not reach uh to protect against ransomware threats and again are these areas that we can ask of our third parties particular if we’re auditing them as well to say that this is a hot topic for us? Thomas Humphre: We’re more concerned about this. Thomas Humphre: We know the type of data and systems that you’re using. Thomas Humphre: Can you please describe and show us the controls that you have to mitigate and limit um uh against ransomware threats? Amanda Fina: Right. Amanda Fina: I have another question here. Amanda Fina: What Do you suggest for continuously monitoring of your third party supplier third part? Amanda Fina: Well, what do you how do you what is your suggestion? Thomas Humphre: Absolutely. Thomas Humphre: And this no, this is a fantastic point. Thomas Humphre: It’s it’s it’s how often and how regular do you sit down with with with the third party? Thomas Humphre: Many companies obviously nowadays do have and obviously put the right to audit into contracts. Thomas Humphre: It’s not always followed through, but it is something that is obviously put into contracts. Thomas Humphre: Um, Um again particularly nowadays where it’s it’s perhaps more virtual than face to face. Thomas Humphre: Um I I I would say it it it it depends on the I guess on the criticality of the vendor uh of the third party. Thomas Humphre: If you’re looking at those tier ones that are absolutely missionritical, there may be a need for you to have um monthly quarterly or even monthly engagements with them. Thomas Humphre: Um whether that’s through performance review reporting uh whether it’s through those face-to-face meetings, when it comes to audits and the ability to audit them either based on a framework like NIST or ISO um or or through based on your own practices um and and and what the contract say um typically you’re looking at once a year um unless there’s a pressing need to to to increase that frequency every nine or six months say um but certainly those performance reviews um um monthly uh to quarterly um um would be more than sufficient. Thomas Humphre: Sometimes you can go to six monthly um if you know the performance of the third parties is very strong and obviously there’s a very strong relationship and there’s certainly been evidence that um you know the security and privacy based controls and practices they’re they’re putting in are working are delivering um what you expect as well. Amanda Fina: Okay, it looks like I have time for probably one One more question and this is is this mandatory for a supplier to get attested with ISO or sock um attestions? Amanda Fina: Oh okay. Amanda Fina: Small and medium-sized companies may not leverage such attestions. Amanda Fina: What is the best practice in such situations? Amanda Fina: Wow that is right. Thomas Humphre: So yes when it comes to mandating uh standards such as uh any of the ISO frameworks um sock sock 2 for example um um and and other frameworks. Thomas Humphre: Uh I I would say it’s not mandatory unless unless it either forms part of contractual agreements, which is something I’ve seen before during my auditing days where companies have said um we have uh critical suppliers or what we call tier one suppliers um and we require them all to be certified to ISO 901 and it’s become a mandatory requirement. Thomas Humphre: to do business with that organization. Thomas Humphre: Um the other time that it it could be mandatory is is if by regulation. Thomas Humphre: So if you have regulatory bodies that are enforcing particular standards and saying if you want to become part of this industry or supply to this industry then we require you to have um sock for example or or ISO or other formworks. Thomas Humphre: So I say it’s not it’s not always mandatory um case by case can’t um can’t um um manage it given the size of the companies um um it could still be used as a best practice. Thomas Humphre: So to ask them to complete it from a best practice perspective may not need you to be compliant with ISO 27,01 for example or NIST 853 but there are best practices we expect you to leverage or there are minimums you know mandatory requirements that we’d expect any business no matter how long large or small to be able to. Amanda Fina: Well, it looks like we have still a lot of people on and I’m getting more questions coming in. Amanda Fina: So, I’m going to just roll out for two more questions and then we’re obviously recording it so we will send it to you directly you guys. Amanda Fina: Um, another question is any references on how to draft a third party risk um management policy? Thomas Humphre: Um, I would probably refer you to um so. Amanda Fina: in the chat yes please I guess a lot of people want to know this that’s funny sorry continue. Thomas Humphre: so when when okay so when drafting a a riskmanagement policy so I think I mentioned at the start um there there are many frameworks um one of my personal favorite is um despite being uh heavily uh ISO 27,000 um u minded kind of person an auditor um in my past life is 31,000 which is actually a more wider more of a holistic framework um um which covers wider business risk um but it can be used actually to help drive a supply risk management policy and help to form it. Thomas Humphre: Interestingly when you mention supply management um the ISO I I appreciate we’re diverting slightly off NIST Um but the ISO committee themselves are developing more uh supply chainbased standards. Thomas Humphre: Um so it is an area that’s interesting you can see from groups such as NIST and ISO themselves um that that that is uh increasing. Thomas Humphre: So you can expect to find more uh guidance and frameworks out there um um around um supply chain management. Amanda Fina: Perfect. Amanda Fina: And then one last one is what is the best checklist to assess third party completed SIGs? Amanda Fina: Is that kind of the same question? Amanda Fina: Now that I’m saying it out loud or no? Thomas Humphre: best checklist to assess third party. Amanda Fina: Oh, yeah. Amanda Fina: You see it. Thomas Humphre: sig. Thomas Humphre: So I’m assuming we’re looking at the shared information gathering SIG framework here. Thomas Humphre: Uh which I am familiar with. Thomas Humphre: Um so best checklist to assess third party risks. Thomas Humphre: So um Um, you’ve almost stumped me here, I have to say, because there are I mean. Amanda Fina: question. Thomas Humphre: Say it again. Amanda Fina: I said, is this a trick question? Amanda Fina: Of course, it’s anonymous. Amanda Fina: If anyone wants to show theirelves of who asked this question. Thomas Humphre: absolutely fine. Thomas Humphre: Um, uh, there are, yeah, there are methods to to do validation checks on on um against SIG um I see actually someone’s already mentioned the concept of SCA for those of you who don’t know that is correct um shared assessments uh has a tool that can be used to validate um controls um um based on the SIG um which again is is is annually updated um so that’s probably the most appropriate if you want to directly target um a ZIG assessment um so these are validation checks checks that can be performed in a similar manner to actually to a virtual audit. Amanda Fina: It’s funny, someone just wrote the SIG is the checklist. Amanda Fina: Then um added documentation is what counts most. Amanda Fina: which probably I would agree on. Amanda Fina: Okay, you guys. Amanda Fina: Well, I think that that’s it for all the questions. Amanda Fina: Looks like we had so much feedback and activities. Amanda Fina: It was hard to keep up, but it was really exciting. Amanda Fina: Thank you so much to Thomas, to Scott if you’re still on. Amanda Fina: Thanks for giving us that little tidbit on the resources. Amanda Fina: I put my email in the chat. Amanda Fina: If you guys need anything else, please let me know. Amanda Fina: It’s a firina like the cream of wheat at prevalent.net. Amanda Fina: Um, and also you can utilize the info at prevalent.net as well. Amanda Fina: If you guys have any other questions, comments, concerns, please reach out. Amanda Fina: We hope to see you at the next one. Amanda Fina: Stay tuned for an invite from us if you’re interested. Amanda Fina: And that’ll be it from all of us. Amanda Fina: Thank you. Amanda Fina: Bye. Amanda Fina: Thomas. Thomas Humphre: Thank.