Supplier Risk Assessment

DESCRIPTION
A supply chain has many vendors that need to be assessed for the risk they pose to the organization. A vendor risk analysis process should be in place to determine, from a technology point of view, where the weaknesses in the supply chain are.

TRANSCRIPT
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Supplier Risk Assessment
Gary Bahadur, CEO, KRAA Security, [email protected]
October 7th, 2009
Supplier Risk - Overview
The Problem
• No framework for managing Supplier risk
• Inconsistent processes for tracking Suppliers
• Lack of enforcement capabilities
The Opportunity
• Provide practical steps to manage Supplier access/management
• Provide cost effective solution for risk mitigation
• Provide numerical risk analysis of Supplier/partner security issues
The Results
• Risk reduction or risk acceptance
• Documented exposure
• Iterative process for risk management
• Happy CIO
KRAA Security - www.kraasecurity.com
What We’ll Cover Today
• What is Supplier Risk?
• Risk Considerations
• Risk Criteria
• Business Security Goals
• Supplier Access Profile
• Risk Classification Model
• Supplier Risk Process for Data Lifecycle
• Supplier Risk Assessment Process
• Supplier Review Process
• Conclusions
What is Supplier/Partner Risk?
Suppliers pose a challenge to any organization
• People – contractors in and out of the company; reliance on Supplier background checks (if any)
• Process – each department can manage the Supplier relationship differently; IT may not be fully informed
• Technology – Supplier connectivity based on convenience and IT processes rather than security requirements
What have we focused our security dollars on?
• Firewall, antivirus, vulnerability management, IDS, policies
• Little if any allocation for testing, reviewing, monitoring Suppliers
• No follow-up as relationships change or Suppliers' internal structures change (i.e. acquisition)
• Doing a SAS70 II in some cases (expensive!)
• Website penetration testing
What is Supplier/Partner Risk?
1. Asset management systems are frequently inaccurate, with no owners
2. Manual processes used (emails, Word documents, phone calls)
3. Inconsistent cataloging of data across different Suppliers
4. Large companies have a challenge with Business Units, time zones, regulations
5. No ownership of the security relationship
6. No consistent application testing methods
What is Supplier Risk?
Almost no accountability by the Supplier or the company for Data Lifecycle Management
• Creation – who creates/manages
• Usage – what limitations are on the Supplier
• Storage – what controls are in place for storage
• Transportation – how is data transmitted
• Destruction – what is the validation and verification process
Risk Considerations
1. Risk assessment should be thought of as an ongoing process
2. Need a model for risk assessment that follows the Secure Development Life Cycle
3. Conduct a detailed Supplier information risk assessment, with strong commitment from upper management
4. Technology and Business process risks considered
5. Define process for all Supplier access and data exchanges
6. Development of awareness of inherent risks
7. Prioritize risk considerations over time and for all future projects
8. Prepare Risk Profile of each Supplier
9. Define reporting and update process
10. Provide assessments based on your regulatory requirements (PCI, CoBIT, COSO, HIPAA, SOX, FFIEC, NIST, SAS70, etc.)
Supplier Risk Process
1. Analyze Current Supplier DB, Categorize
2. Define Risk Categories / Threats to Business
3. Perform Tests of Supplier Processes/Connectivity
4. Develop Mitigation Plan / Perform Consistent Updates
Define Risk Criteria
1. Identify Assets at risk from Suppliers: network, file, storage, business processes, locations
2. Define value of assets
3. Define criticality of assets
4. Prioritize security requirements of assets used by Suppliers
5. Identify current security requirements and perform Gap Analysis
6. Identify Vulnerabilities from Suppliers and from External environment
7. Complete data classification model implementation
DEFINE BUSINESS SECURITY GOALS
1. Identify Business goals affected by Suppliers
2. Define baseline security standards for Supplier access
3. Define regulatory requirements of Supplier access to resources
4. Acceptable risk of Business management
5. What are the financial impacts?
DEFINE BUSINESS SECURITY GOALS – Example
Columns: Risk Considerations | Impact | Acceptable Level
Criticality to Business Process
• Impact: Financial, Strategic, Brand, Reputation, Operational, Legal/regulatory/compliance financial penalties
• Acceptable Level: Define measurement per impact
Likelihood of Sustained Interruption
• Probability of threat actualization
• Length of disruption & business criticality
• Risk mitigation response
• Repeatability
Risk Mitigation Strategies
• Avoid Risk
• Accept Risk
• Transfer Risk to third party
• Implement Risk Mitigation Controls
• Business process changes
DEFINE OPERATIONAL RISK OF Supplier ACCESS - PROFILE
1. Develop complete profile through: interview and documentation; service contracts; analysis of supplier industry risks; business risk of supplier access; controls currently in place over supplier access; reports generated on supplier access and activities
2. Prioritize operational supplier tasks
3. What operational parameters are impacted?
4. What is the potential risk to operations?
5. Define threats, impact and probability
6. Define audit trails
7. Define mission critical staff that interact with suppliers
8. Define mitigation strategy for operational weaknesses
9. Define acceptance criteria for risk
10. Define action plans for Suppliers and responsibility matrix
RISK CLASSIFICATION MODEL – Example
Columns: Threat | Threat Exposure (High, Medium, Low) | Mitigation Status (Complete, In progress, Monitoring, Modify, Accept)
Threats (one row each):
• Data Center Power Outage
• Hardware Failure
• Data Center Fire/Water
• Data Network Failure
• Voice Network Failure
• Natural Disaster Service Interruption
• Criminal Activity/Theft/Vandalism
• Software errors affecting availability & integrity
• Human Errors
• Business System Change Control
• Unauthorized Intrusions
• etc.
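The classification model above records two values per threat, Exposure and Mitigation Status, and the deck's stated goal is a numerical risk analysis per Supplier. The following is an added example, not code from the presentation or from KRAA Security, that turns those two columns into a residual-risk score and a ranked register. The numeric weights for the Exposure levels, the multipliers for each Mitigation Status, and the sample register values are assumptions made for this example; the threat names and status vocabulary are the slide's own.

```python
"""Residual-risk scoring for the slide's Risk Classification Model.
Weights, multipliers and the sample register are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed numeric weights for the slide's Threat Exposure levels.
EXPOSURE_WEIGHT: Dict[str, int] = {"High": 3, "Medium": 2, "Low": 1}

# Assumed residual-risk multipliers for the slide's Mitigation Status values:
# a completed mitigation removes most of the exposure, an accepted risk keeps all of it.
STATUS_FACTOR: Dict[str, float] = {
    "Complete": 0.25,
    "In progress": 0.75,
    "Monitoring": 0.5,
    "Modify": 0.75,
    "Accept": 1.0,
}


@dataclass(frozen=True)
class ThreatEntry:
    """One row of the classification table for a single Supplier."""
    threat: str
    exposure: str   # High / Medium / Low
    status: str     # Complete / In progress / Monitoring / Modify / Accept

    def residual_risk(self) -> float:
        """Exposure weight scaled by how far mitigation has progressed.
        Rejects values outside the slide's vocabulary so a typo in the
        register cannot silently score as zero."""
        if self.exposure not in EXPOSURE_WEIGHT:
            raise ValueError(f"unknown exposure level: {self.exposure!r}")
        if self.status not in STATUS_FACTOR:
            raise ValueError(f"unknown mitigation status: {self.status!r}")
        return EXPOSURE_WEIGHT[self.exposure] * STATUS_FACTOR[self.status]


def rank_threats(register: List[ThreatEntry]) -> List[ThreatEntry]:
    """Highest residual risk first; ties broken by threat name for a stable report."""
    return sorted(register, key=lambda e: (-e.residual_risk(), e.threat))


def supplier_risk_summary(register: List[ThreatEntry]) -> dict:
    """Aggregate for the quarterly review: total residual risk, the top threat,
    and every High exposure that was simply accepted, which the review
    meeting should see explicitly rather than buried in a total."""
    ranked = rank_threats(register)
    top: Optional[str] = ranked[0].threat if ranked else None
    accepted_high = [e.threat for e in register
                     if e.exposure == "High" and e.status == "Accept"]
    return {
        "total_residual": round(sum(e.residual_risk() for e in register), 2),
        "top_threat": top,
        "accepted_high_exposure": accepted_high,
    }


# Constructed sample register using threat categories from the slide;
# the exposure and status assignments are made up for the example.
SAMPLE_REGISTER = [
    ThreatEntry("Unauthorized Intrusions", "High", "In progress"),
    ThreatEntry("Data Center Power Outage", "Medium", "Complete"),
    ThreatEntry("Software errors affecting availability & integrity", "High", "Accept"),
    ThreatEntry("Human Errors", "Medium", "Monitoring"),
    ThreatEntry("Natural Disaster Service Interruption", "Low", "Accept"),
]

if __name__ == "__main__":
    for entry in rank_threats(SAMPLE_REGISTER):
        print(f"{entry.residual_risk():4.2f}  {entry.exposure:6}  {entry.status:12}  {entry.threat}")
    print(supplier_risk_summary(SAMPLE_REGISTER))
```

The point of the accepted-High list in the summary is the deck's "risk reduction or risk acceptance" outcome: an accepted risk still counts at full weight, so the total cannot be improved by relabelling, only by changing the mitigation status after real work.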
Supplier RISK PROCESSES FOR DATA LIFECYCLE
Supplier: Marketing Company LLC (MC) – provides marketing information, customer data surveys, reports about competitors; is linked to corporate Email; receives customer lists
Columns: Data Movement Stage | Threat Category | List Processes at Risk | Business Impact Category
• Creation – customer surveys
• Usage – at MC office, analyzes survey results
• Storage – keeps customer data on their internal servers
• Transportation – emails customer surveys in the clear
• Destruction – keeps surveys indefinitely, even backs up to tape
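The lifecycle table above pairs each data movement stage with a threat category, the processes at risk, and a business impact. The following is an added example, not code from the presentation or from KRAA Security, that encodes the question the deck asks at each stage (who creates/manages, what limitations, what storage controls, how transmitted, what destruction verification) as one check per stage and emits the failed checks as table rows. The check rules, the threat and impact labels attached to each finding, and the MC profile fields the slide does not state (owner, usage limits, storage controls) are assumptions made for this example.

```python
"""Per-stage data lifecycle checks producing the 'processes at risk' rows.
Rules, labels and the unstated MC profile values are assumptions for this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LifecycleProfile:
    """What is known about one supplier's handling of our data, per stage."""
    supplier: str
    creation_owner: Optional[str]         # Creation – who creates/manages the data
    usage_limits_documented: bool         # Usage – limitations placed on the Supplier
    storage_access_controls: bool         # Storage – controls in place for storage
    transport_encrypted: bool             # Transportation – how the data is transmitted
    retention_period_days: Optional[int]  # Destruction – None means kept indefinitely
    destruction_verified: bool            # Destruction – validation/verification process


@dataclass(frozen=True)
class Finding:
    """One row for the slide's table: stage, threat category, process at risk, impact."""
    stage: str
    threat_category: str
    process_at_risk: str
    business_impact: str


def assess_lifecycle(p: LifecycleProfile) -> List[Finding]:
    """Apply one rule per stage in lifecycle order; a stage with no failed rule
    produces no finding. Threat categories reuse the deck's classification
    model names; impact categories reuse its business-impact names."""
    findings: List[Finding] = []
    if not p.creation_owner:
        findings.append(Finding("Creation", "Human Errors",
                                "No named owner for data the supplier creates", "Operational"))
    if not p.usage_limits_documented:
        findings.append(Finding("Usage", "Business System Change Control",
                                "No documented limit on how the supplier may use the data",
                                "Legal/regulatory/compliance"))
    if not p.storage_access_controls:
        findings.append(Finding("Storage", "Criminal Activity/Theft/Vandalism",
                                "Customer data on supplier servers without access controls",
                                "Reputation"))
    if not p.transport_encrypted:
        findings.append(Finding("Transportation", "Unauthorized Intrusions",
                                "Customer data transmitted in the clear",
                                "Legal/regulatory/compliance"))
    if p.retention_period_days is None:
        findings.append(Finding("Destruction", "Criminal Activity/Theft/Vandalism",
                                "Data retained indefinitely, including on backup tape",
                                "Legal/regulatory/compliance"))
    elif not p.destruction_verified:
        findings.append(Finding("Destruction", "Human Errors",
                                "Deletion at end of retention is not validated or verified",
                                "Operational"))
    return findings


def stages_at_risk(p: LifecycleProfile) -> List[str]:
    """Just the stage names, in lifecycle order, that need a mitigation plan."""
    return [f.stage for f in assess_lifecycle(p)]


# Constructed profile for the Marketing Company LLC (MC) example on the slide.
# The transport and destruction values come from the slide; the other fields
# are assumptions, since the slide does not state whether those controls exist.
MC_PROFILE = LifecycleProfile(
    supplier="Marketing Company LLC (MC)",
    creation_owner="MC survey team",   # assumed
    usage_limits_documented=True,      # assumed
    storage_access_controls=False,     # assumed: no controls were evidenced
    transport_encrypted=False,         # slide: emails customer surveys in the clear
    retention_period_days=None,        # slide: keeps surveys indefinitely, backs up to tape
    destruction_verified=False,
)

if __name__ == "__main__":
    for f in assess_lifecycle(MC_PROFILE):
        print(f"{f.stage:15} {f.threat_category:35} {f.business_impact:30} {f.process_at_risk}")
```

Separating the "kept indefinitely" case from the "deleted but unverified" case matters for the Destruction row: the first is a retention problem the contract has to fix, the second is a validation gap that a periodic certificate-of-destruction review closes.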
Risk Process Event Review
Track all Supplier related security events and operational risk events
Detected: ____   Resolved: ____
Risk Threat Category: e.g. Unauthorized Intrusion
Event Description (what happened)
Problem Recovery (how was the problem fixed)
Problem Analysis (what was the root cause)
Problem Resolution (how will the root cause be fixed)
Future Mitigation (why will the root cause be avoided in the future)
Supplier ASSESSMENT PROCESS
Columns: Assessment Categories | Key Components | Assessment Steps | Test Method (Automated / Procedural) | Results (Pass / Fail) | Risk Mitigation Strategy | Criticality Level (to your business)
Organizational Policies
• Key Components: Security Management Infrastructure; Legal and Regulatory
• Assessment Steps: List specific assessment steps
Security Awareness
• Key Components: Human Resource Education; Personnel Security; Employee Education; Remote Employee Security
Physical Security
• Key Components: Physical Security Controls (of where your data is stored)
Supplier ASSESSMENT PROCESS – Policies and Procedures Example
Key Component – Policies & Procedures
Assessment Step | Test Method
• Developed Policies – Collect policy documents from Supplier and review – Procedural
• Data / Information Ownership and Classification – Procedural
• Password Maintenance (expiration, minimum standards, etc.) – Procedural
• Account Creation and Removal – Procedural
• Third Party Connections – Procedural
• VPN – Procedural
• Internet Usage – Procedural
• Encryption/Data Protection – Procedural
• Data Confidentiality – Procedural
• Do Supplier staff with access to COMPANY assets review policies? – Review signed acknowledgement documents – Procedural
• Are Supplier staff under confidentiality agreements? – Review sample signed confidentiality agreements – Procedural
• Do Supplier staff get trained in Information Security policy requirements? – Review training material – Procedural
• How is compliance with policy measured? – Review compliance statistics – Procedural
Supplier REVIEW PROCESSES
• Quarterly Meeting: CIO and Direct Reports
• Regulatory Impact Review
• IT Risk Considerations Update
• IT Risk Summary and New Mitigation Strategies
• Review Significant Events During the Quarter
• Define Action Items for Next Quarter
Supplier Risk Process – recap
1. Analyze Current Supplier DB, Categorize
2. Define Risk Categories / Threats to Business
3. Perform Tests of Supplier Processes/Connectivity
4. Develop Mitigation Plan / Perform Consistent Updates
CONCLUSIONS
1. Identification of key relevant risk
2. Consistent process for planning and mitigating Supplier risk
3. Focus on identifiable risk and efficient utilization of budget
4. Methodical approach for examining the risk in a Supplier
5. Common framework for all categories of Suppliers
6. Baseline acceptable risk
7. Improved planning for future risk mitigation projects
Questions and Answers
Gary Bahadur, CEO, KRAA Security
info@kraasecurity.com
888-KRAA-911
www.kraasecurity.com
Blog.kraasecurity.com
Twitter.com/kraasecurity
Services: Managed Security Services; Vulnerability Management; Compliance & Policy Development; PGP Security