Third-party Risk Assessment - CompTIA Security+ SY0-701 - 5.3
Summary
TL;DR: The video script emphasizes the importance of third-party risk analysis in organizational data sharing. It discusses the necessity of including risk assessment in contracts, conducting penetration tests, and setting clear rules of engagement. The script also highlights the value of regular audits, supply chain analysis, and independent assessments to ensure security. It warns of conflicts of interest and stresses the need for ongoing vendor monitoring and due diligence.
Takeaways
- 🤝 Organizations often share data with third-party vendors, necessitating risk analysis and data protection measures.
- 📋 Including risk assessment information in contracts with third parties ensures mutual understanding of expectations and consequences of breaches.
- 🛡 Penetration testing is a proactive approach to exploit and identify vulnerabilities in systems or applications, often required by internal policy or contract.
- 📝 Rules of engagement in penetration testing define the scope, parameters, and emergency procedures for the test to ensure controlled evaluation.
- 🔒 Regular audits of third-party vendors are crucial to verify the security measures in place and to ensure they meet the organization's standards.
- 📜 The 'right to audit' clause in contracts formalizes the expectation of regular security audits by the organization.
- 🔄 Supply chain analysis is vital for understanding and mitigating security risks throughout the entire process from raw materials to final product.
- 💡 Independent assessments by knowledgeable third parties can provide fresh insights and a broader perspective on an organization's security.
- 🕵️‍♂️ Due diligence is essential before engaging with a third party to verify their claims and investigate potential conflicts of interest.
- 🔄 Ongoing monitoring of third-party relationships is crucial for maintaining IT security and assessing the financial health and reputation of the vendor.
- ❓ Vendor questionnaires are a simple yet effective method for gathering information about a vendor's business practices and security measures.
Q & A
Why is it important for organizations to perform a risk analysis of third parties they work with?
-It is important because when sharing data with third parties, there is a risk of data exposure or misuse. A risk analysis helps understand how data is handled and protected by the third party, ensuring the security of the company's information.
What is the purpose of including risk assessment information in a contract with a third party?
-Including risk assessment in a contract ensures that both parties understand the expectations regarding data security, and it sets penalties for breaches of the agreement, thus providing a formal framework for managing risks associated with third-party relationships.
What is penetration testing, and how does it differ from a vulnerability scan?
-Penetration testing is an active process of exploiting vulnerabilities in an operating system or application. It is similar to a vulnerability scan but goes further by attempting to exploit the vulnerabilities that are found, which helps in understanding the real-world impact of potential security weaknesses.
Can you explain the role of a third-party company in performing penetration tests?
-A third-party company specializing in penetration testing can provide an unbiased assessment of security by executing tests over a standard interval of time. They create reports showing the effectiveness of security measures, ensuring both the client and the vendor have a clear understanding of the security status.
What is the significance of a 'rules of engagement' document in penetration testing?
-The 'rules of engagement' document sets the parameters for the test, defining the scope, the devices to be tested, the conditions under which the test will occur, and how any sensitive information discovered during the test should be handled, ensuring all parties are clear on the test boundaries and expectations.
Why is it recommended to perform regular audits of third-party vendors?
-Regular audits ensure that the security measures of the third-party vendors are up to date and functioning as expected. They provide insights into the security controls protecting the company's information and help identify areas for improvement over time.
What is the 'right to audit' clause in a contract, and why is it important?
-The 'right to audit' clause formalizes the expectation of regular security audits within the contract. It ensures transparency and accountability, allowing the company to verify that the vendor's security controls meet the agreed-upon standards.
What is a supply chain analysis, and why is it crucial for understanding security concerns?
-A supply chain analysis examines the entire process from raw materials to the final product creation, identifying potential security risks at each step. It is crucial for understanding where vulnerabilities may exist and for implementing measures to mitigate those risks across the supply chain.
Can you provide an example of a real-world incident involving supply chain security concerns?
-The SolarWinds incident between March and June 2020 is an example where a third-party software update unknowingly installed malware into the networks of their customers, demonstrating the real-world implications of supply chain security vulnerabilities.
What are independent assessments, and how can they benefit an organization's security?
-Independent assessments are evaluations conducted by a knowledgeable third party outside the organization. They provide a different perspective and can reveal insights and best practices gathered from various organizations, potentially identifying security considerations that the organization may have overlooked.
What is due diligence, and how does it apply to third-party relationships?
-Due diligence is the process of investigating and verifying information about a company before entering into a business relationship. It may involve financial checks, background checks, and interviews to ensure the third party is trustworthy and reliable, reducing the risk of security breaches or other issues.
What are conflicts of interest, and why are they important to identify in third-party relationships?
-Conflicts of interest are situations that might compromise the judgment in a business relationship, such as a third party doing business with a competitor or offering gifts for contract signing. Identifying these conflicts is important to maintain the integrity and security of the business relationship.
How can organizations monitor their relationships with third-party vendors effectively?
-Organizations can monitor third-party relationships through regular financial health checks, IT security reviews, and by staying informed about news and social media related to the vendor. Additionally, sending questionnaires to gather information about the vendor's business practices and security measures can provide valuable insights for ongoing risk management.
Outlines
🔒 Third-Party Risk Analysis and Contractual Safeguards
The first paragraph emphasizes the importance of performing a risk analysis for third-party vendors with whom an organization shares sensitive data. It highlights the necessity of including risk assessment details in contracts to ensure mutual understanding of expectations and penalties for breaches. The paragraph introduces penetration testing as a common type of risk assessment, which involves actively exploiting vulnerabilities in systems or applications, and the importance of a 'rules of engagement' document to define the scope and parameters of such tests. It also touches on the role of third-party companies in conducting these tests and the need for regular audits to ensure ongoing security compliance.
🛠️ Strengthening Security Through Audits and Supply Chain Analysis
The second paragraph discusses the benefits of conducting regular audits to improve security controls and the process of supply chain analysis to identify potential security risks. It explains that audits should be integrated into contracts and may involve third-party auditors to provide an unbiased perspective. The paragraph also details the SolarWinds malware incident as a real-world example of supply chain security concerns, underscoring the importance of due diligence and independent assessments to enhance an organization's security posture.
🤝 Vendor Management and Ongoing Relationship Monitoring
The third paragraph focuses on the ongoing management of vendor relationships, including the monitoring of third-party companies to ensure the security and stability of the business partnership. It describes the use of questionnaires to gather information about a vendor's business practices, disaster recovery plans, data storage methods, and security protections. The answers from these questionnaires are used to update the risk analysis and are crucial for maintaining a secure and compliant relationship with third-party vendors.
Keywords
💡Vendor
💡Risk Analysis
💡Penetration Testing
💡Rules of Engagement
💡Audit
💡Supply Chain Analysis
💡Compliance
💡Conflict of Interest
💡Due Diligence
💡Vendor Monitoring
💡Security Controls
Highlights
Organizations often share data with third-party vendors, necessitating risk analysis to understand data protection measures.
Risk assessment information should be included in contracts with third parties to set expectations and penalties for breaches.
Penetration testing is a proactive approach to exploit and identify vulnerabilities in systems or applications.
The rules of engagement document outlines the scope and parameters of penetration tests, including physical breach attempts and internet-based simulations.
Regular audits are crucial for ensuring the security of third-party vendors, often mandated by compliance or conducted by external parties.
Access management, offboarding processes, and password security are key areas reviewed during audits of vendor relationships.
Supply chain analysis is essential for identifying security concerns throughout the process from raw materials to final product.
The SolarWinds incident in 2020 highlighted the real-world impact of supply chain vulnerabilities, affecting major global networks.
Independent assessments from knowledgeable third parties can provide fresh insights and enhance an organization's security posture.
Due diligence is critical before engaging with third parties, including verifying financials, conducting background checks, and assessing potential conflicts of interest.
Continuous monitoring of third-party relationships is vital for maintaining IT security and involves financial health checks and IT security reviews.
Vendor monitoring may include questionnaires to assess due diligence processes, disaster recovery plans, and data storage security methods.
Conflicts of interest, such as business with competitors or familial ties, can compromise business relationships and must be managed.
Quantitative and qualitative monitoring helps in assessing the overall risk associated with third-party vendors.
A dedicated team or individual within an organization is often responsible for managing and monitoring third-party vendor relationships.
The integration of questionnaire responses from third parties into risk analysis helps in dynamically updating the security assessment.
Transcripts
Every organization works with vendors of some kind. These might be an organization that provides payroll services. You might have a separate email marketing service that you use. You might have a travel department that's external to your company, or maybe you just purchase all of your raw materials from a third party. With all of these relationships, some part of the company's data is shared with that third party. Some of this data may be relatively unimportant. But if you're sharing information with a payroll company, you're giving a lot of your company's information into the hands of a third party. For that reason, it's always a good idea to perform a risk analysis of the third party to know exactly what's happening with your data and how they're protecting the information that you're providing to them.
Because you're working with a party that is external to your company, it's always a good idea to put the risk assessment information into the contract that you have with that organization. This ensures that everyone understands the expectations for this risk assessment. And it also sets penalties if any part of that agreement is breached.
One common type of risk assessment is penetration testing. This is very similar to performing a vulnerability scan, except we're trying to actively exploit the vulnerabilities that might exist in an operating system or an application. This might be a requirement you set internally to your company, or it might be a mandate that is written into the contract between you and a third party. For example, this could require that you and the third party execute penetration tests over a standard interval of time. And this might involve a third party company that specializes in penetration testing. That way, you and your vendor are both using this third party to create reports showing what type of security is in place and how well that security is working.
Most penetration tests also include a document called the rules of engagement. This sets the parameters so that everybody understands the scope of the test and exactly what devices will be tested. For example, the rules of engagement might say that this is an on-site physical breach test, so someone will be attempting to gain access to your facility. Or it might be a test that's handled internally inside of your company. Or it might be a test that's done across the internet to simulate someone who's on the outside. We can also set parameters around when the test will occur. This might be on a particular date and time. Or you may specify that it's only to take place during normal working hours, or perhaps only after working hours are over. And most rules of engagement will include information such as the IP address ranges that will be tested and any emergency contacts, which may be very important if something goes wrong during the test. You might also want to specify how the third party should handle any sensitive information that they might happen to come across during this penetration test. And you may set specific parameters around which devices are in scope during the test and which devices are out of scope and should not be touched during this process.
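Added example, not from the video or from the course materials: a small Python check that encodes the rules-of-engagement elements just described (in-scope IP ranges, out-of-scope devices, and the agreed test dates and hours) and reviews a proposed test plan against them before any testing starts, with exclusions taking precedence over in-scope ranges. All addresses, dates and the contact address are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class RulesOfEngagement:
    in_scope: list[str]       # CIDR ranges the client agreed to have tested
    out_of_scope: list[str]   # hosts or ranges that must not be touched
    start_date: date          # first day of the engagement
    end_date: date            # last day of the engagement (inclusive)
    window_start: time        # earliest permitted time of day
    window_end: time          # latest permitted time of day
    emergency_contact: str    # who to reach if something goes wrong during the test

    def __post_init__(self):
        # strict=False lets a bare host such as "10.0.1.200" act as a /32 network
        self._allow = [ip_network(n, strict=False) for n in self.in_scope]
        self._deny = [ip_network(n, strict=False) for n in self.out_of_scope]

    def target_in_scope(self, host: str) -> bool:
        try:
            addr = ip_address(host)
        except ValueError:
            return False  # a hostname or typo is never assumed to be in scope
        if any(addr in net for net in self._deny):
            return False  # explicit exclusions override in-scope ranges
        return any(addr in net for net in self._allow)

    def time_in_window(self, when: datetime) -> bool:
        if not self.start_date <= when.date() <= self.end_date:
            return False
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        # window wraps past midnight, e.g. "after working hours" 18:00 to 06:00
        return t >= self.window_start or t <= self.window_end

    def check(self, host: str, when: datetime) -> tuple[bool, str]:
        """Return (permitted, reason) for one proposed test action."""
        if not self.time_in_window(when):
            return False, "outside agreed test window"
        if not self.target_in_scope(host):
            return False, "target not in scope or explicitly excluded"
        return True, "permitted by rules of engagement"

def review_plan(roe: RulesOfEngagement, plan: list) -> list:
    """Pre-flight review: each (host, time) pair in the plan gets a decision."""
    return [(host, *roe.check(host, when)) for host, when in plan]

# Constructed sample RoE: after-hours testing of one subnet, production DB excluded.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.0.1.0/24"],
    out_of_scope=["10.0.1.200"],  # e.g. the production database server
    start_date=date(2024, 3, 11),
    end_date=date(2024, 3, 15),
    window_start=time(18, 0),
    window_end=time(6, 0),
    emergency_contact="security-oncall@example.test",
)

# Constructed test plan: only the first entry should be permitted.
SAMPLE_PLAN = [
    ("10.0.1.15", datetime(2024, 3, 12, 22, 0)),    # in scope, after hours
    ("10.0.1.200", datetime(2024, 3, 12, 22, 0)),   # explicitly excluded host
    ("10.0.1.15", datetime(2024, 3, 12, 10, 0)),    # in scope, but during working hours
    ("192.168.9.9", datetime(2024, 3, 12, 22, 0)),  # never listed in the RoE
]

if __name__ == "__main__":
    for host, ok, why in review_plan(SAMPLE_ROE, SAMPLE_PLAN):
        print(f"{host:<12} {'OK' if ok else 'NO'}  {why}")
```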
When you're working in partnership with a third party vendor, you're commonly going to share some type of data between the organizations. This is especially true if you use a third party for payroll or some other type of third party service, or if you're outsourcing part of your organization's functions to a third party. It may be that this third party is holding and managing all of the data in their facility. Or it may be something like an internet provider, where all of your internet traffic traverses that company's links. For those reasons, it might be a good idea to perform regular audits to ensure that all of their security is up to date and working as expected. Normally, we would integrate this requirement into the contract itself, in a clause called the right to audit. This means that everyone understands that regular audits will occur. And this might even set parameters for that audit and how they can be handled. This allows both sides to understand what type of security controls are in place and how those controls are used to protect the company's information.
In many cases, neither yourself nor the vendors you're working with are the ones performing the audit. It's very common to have a third party come in and perform the audit as someone who's outside the scope of the contract. Sometimes, these audits are required based on the type of data that's stored. And it may be part of your company's compliance to make sure that an audit occurs. But even if there isn't a specific compliance need, it's always a good idea to perform regular audits. From a security perspective, these audits are focusing on all of the security controls surrounding the relationship between yourself and your vendors. For example, you may want to look into access management, any offboarding processes and procedures, what type of security is associated with passwords, how those passwords are stored, and what type of controls are in place to allow or disallow access to the VPN. There are almost always opportunities to improve the security controls that are in place. And once you perform an audit, you'll have documentation that shows exactly what security controls might be improved to provide additional security. And most vendor relationships are going to be over an extended period of time. So you want to not only perform a single audit, but you'll want to have continued audits, perhaps occurring at regular intervals.
The supply chain describes the entire process that occurs from the beginning with the raw materials all the way until a final product is created. And there are security concerns that take place through every step of the supply chain process. This is why it's often a good idea to perform a supply chain analysis. This will give you a chance to understand the entire process and where security concerns may lie. There are a number of different steps that you can follow to understand how the security might be for your supply chain. You might want to start with understanding how we get a product or service from the vendor to the customer. We could also evaluate how different groups are coordinated between both of the organizations and understand where there might be areas where you can improve that communication. At the technical level, you'll want to understand how the security is handled between the two teams at your organization and the third party vendor. And you'll want to document any changes to the business process that occur between yourself and the vendor.
The security concerns for the supply chain are very real. A good example of this occurred between March and June of 2020, when a software update from a third party installed malware into all of their customers' networks. This was announced in December 2020 by the company SolarWinds. An attacker was able to breach the SolarWinds network, install malware into the code of the product, and then SolarWinds deployed that malware update with a valid SolarWinds digital signature. This update was installed into some of the largest networks in the world. And it's estimated that out of the 300,000 customers that could have been impacted by this, at least 18,000 of them had this malware installed as part of this update. It's now very possible that those 300,000 customers are reevaluating the process they use for supply chain analysis.
When you're working for an organization, your scope tends to be very focused on the processes and procedures for that single organization. For that reason, it might be valuable to bring in someone from the outside who has a different perspective. These independent assessments might provide you with a different perspective that you're not able to get from inside of your own organization. If you find a knowledgeable third party to perform these assessments, they can provide you with interesting insights that they're able to gather across many different organizations. And that broad scope of understanding may provide you with an increased level of security for your organization. And if you're bringing in a knowledgeable third party, you may be able to receive insights into your security that you simply weren't considering.
Before bringing a third party organization into your company, you may hear other people mention that they're performing due diligence. This describes the process of investigating and getting more information about a company before you decide to do business with them. This might involve investigating and verifying information that the company has provided. For example, they might say that they've made a certain amount of money over the last few years, and they have a certain number of customers. This might also include background checks or interviews with individuals in that third party organization.
It's very important when working with a third party that you maintain a business relationship. But there are times when there might be a conflict of interest. This means that there is something that might compromise the judgment on either side of the business relationship. For example, you may find out that a potential third party that you would like to work with is also doing business with your largest competitor. Or you might find out that this third party company employs a relative of one of your executives. And another conflict of interest might be that the third party company is offering gifts if the contract between the two organizations is signed. All of these situations are clear conflicts of interest. And it may prevent the two companies from doing business with each other.
Once the contract is signed, the work is really just beginning. Not only are you entering into a business relationship with this third party, you'll also want to have continued monitoring of the relationship between the two companies, especially from the perspective of IT security. It's very common to have these monitoring processes occur rather frequently, so you can perform financial health checks and IT security reviews, and it might be a good idea to monitor the news to see what type of articles or social media posts might be associated with this partner. A company will often have relationships with many third parties. And the monitoring that you perform with each of those companies may be slightly different. It might be useful to have both quantitative and qualitative monitoring for all of your vendors. This often means that there is an individual or group of individuals within your organization that are responsible for the relationship between your company and the third party. And this group within your company would therefore be responsible for performing the vendor monitoring.
One very common way to perform this vendor monitoring is to send over a questionnaire to the third party. This questionnaire is a relatively simple way to find out more information about the way the vendor does business. For example, you may want to know what the vendor's due diligence process looks like and what they do to prevent any type of conflicts. Or perhaps you want to know what plans the vendor might have for disaster recovery. If something happens to the vendor's facility, how will they stay up and running to be able to support you? At a technical level, you might want to know what type of storage method is used to store your data and how that data is protected. All of these questionnaires can help you understand more about the security at that vendor site and may allow you to recommend or change some of the ways those processes and procedures are handled in the future. The answers you receive from that third party are integrated into the risk analysis for that vendor. And they are constantly updated throughout the relationship with that third party.