ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK

Transcription

1 ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager Dan Banning Director of Marketing Quantivate linkedin.com/in/danbanning Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager Randy Lindberg Managing Partner Rivial Security (Quantivate Partner) linkedin.com/in/randyslindberg 1

2 Agenda Vendor Due Diligence NIST Cybersecurity Framework Integrate with IT Risk Assessment Vendor Security Controls Assess Vendor Security Questions & Resources Due Diligence Requirements 2

3 IT Service Providers Contract Language Data Ownership Cloud Services Cyber Resilience You must know the vendor s cybersecurity Posture. SSAE 16 Reports Report Formats o SOC 1: Internal Controls over Financial Reporting (ICFR). o SOC 2: Controls relevant to security, availability, processing integrity, confidentiality, or privacy. Type 1: Management s description of system and the suitability of the design of controls. Type 2: Management s description of system and the suitability of the design AND operating effectiveness of controls. 3

4 Vendor Security Controls SSAE 16 SOC 2 Type 2 IT Security Assessment SSAE 16 o SOC 1 Type 2* o SOC 1/2 Type 1 o SOC 3 Self Assessment Vendor Questionnaire Information Security Policy Interview Higher Quality Lower Quality Executive Order Improving Critical Infrastructure Cybersecurity o Directed NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure. 4

5 Parts Core o Functions o Categories o Subcategories o Informative References Implementation Tiers o Maturity of risk management program Profile o Selection of the right subcategories Framework Core 5

6 Basic SSAE 16 Review Pinpoint findings without adequate management responses Provide complementary user entity controls to system owner and/or IT Advanced SSAE 16 Review To be a Jedi, use the Framework you must Review description of system Search for subservice Use function, category, or sub category to ensure control objectives are covered o Amount of rigor will vary 6

7 Subservice Organizations Controls DE.CM 4: Malicious code is detected Search for malicious code. malware anti virus. anti. mal. Doh!!!! It s a SOC 1 7

8 Controls DE.CM 4: Malicious code is detected Search for malicious code. Scoring the Report 8

9 Integration with IT Risk System Controls o Organizational o System specific o Vendor Complimentary User Entity Controls Integration with IT Risk Sub Category Effectiveness Organizational Controls System Controls Vendor Controls DE.CM 4: Malicious code is detected Fully Effective Perimeter web and anti virus in place; user workstations have antivirus, updated every 24 hours Users are trained on anti phishing tactics SSAE 16 Servers have antivirus, updated every 24 hours DE.CM 8: Vulnerability scans are performed 9

10 Recap Vendor Due Diligence Vendor Security Controls NIST Cybersecurity Framework Perform an SSAE 16 Review Integrate with IT Risk Assessment Resources FFIEC Handbooks o NCUA Guidance o 09ENC.pdf FDIC Guidance o SSAE 16 Details o NIST Cybersecurity Framework o Future Considerations o Technology Service Provider Strategy The FFIEC s members will expand their focus on technology service providers ability to respond to growing cyber threats and vulnerabilities. 10

11 Next Steps Learn about Quantivate GRC Software: Download a Free Vendor Assessment Template cybersecurity template Questions? Q & A 11

12 Thank you! Dan Banning, Director of Marketing Randy Lindberg, Managing Partner, Rivial Security (Quantivate Partner) Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management. Learn more at 12