Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Supply Chain and Third-Party Risks During COVID-19
Semelhante a Supply Chain and Third-Party Risks During COVID-19 (20)
Último
Último (20)
Supply Chain and Third-Party Risks During COVID-19
- 1. 1 A Podcast by Carrie Whysall CynergisTek, Inc. Supply Chain and Third-Party Risks During COVID-19
- 2. 2 © Carrie Whysall, 2020 Hello! I’m Carrie Whysall, Director of Managed Security Services at CynergisTek, Inc. I’m here to introduce, and explain the importance of supply chain, and third-party risks during the time of COVID-19.
- 3. 3 What is vendor risk management? © Carrie Whysall, 2020 It’s really the process of building relationships with your vendors. This includes creating both formal and informal processes that protect and enhance the organizational strategies for both parties in the relationship. The goal here being having a transparent relationship that allows for a better understanding of the services provided and the risks that are inherit in that relationship.
- 4. 4 Health Alliance Plan on March 6, 2019. This breach of 120,000 records was caused by ransomware that their third-party vendor Wolverine Solutions Group became infected with. The same third-party vendor was also the cause of a breach at Spectrum Health Lakeland. This one is very concerning because not only did they get patient data, they got detailed provider info as well. Federal Emergency Management Agency (FEMA) on March 22, 2019. This breach of 2.5 million records is wrong in so many ways. After these victims were traumatized by hurricanes, they were victimized a second time when a contractor being used by FEMA didn’t protect the information that was provided to them. Quest Diagnostics on June 3, 2019. This breach exposed almost 17 million records. The breach occurred because a hacker took control of a payments page that was being hosted by AMCA, a third-party billing vendor used by Quest. Essentia Health on July 10, 2019. This breach was due to their third-party vendor California Reimbursement Enterprise being the victim of a phishing attack. It has been nice months and they are still unclear as to how many records were exposed. © Carrie Whysall, 2020 Why is VRM so important?
- 5. 5 © Carrie Whysall, 2020 An effective VRM program starts by comprehensively determining potential third- party risks including process risks, political risks, unwanted functions, contract risks, legal as well as regulatory issues for non-compliance, and information system failures. This risk identification procedure should be followed by an evaluation of the precise drivers that increase third-party risk. VRM programs… where do I start?
- 6. 6 © Carrie Whysall, 2020 4 tips for creating a VRM Program: #1 Compile #2 Classify #3 Assess #4 Decide
- 7. 7 © Carrie Whysall, 2020 #1 Compile Implementing the program starts by knowing all your vendors. Start with your finance or accounting contacts to see what they have.
- 8. 8 © Carrie Whysall, 2020 #2 Classify Vendors need to be classified by how much potential risk they pose to the organization. The potential risk is based on the potential impact that a breach involving the vendor would have on the organization annually. This step is critical to success and should not be decided by IT alone. If you have a current Mission Critical and/or business critical list of applications are great places to start.
- 9. 9 © Carrie Whysall, 2020 #3 Assess There are typically two types of assessments that correspond with the two classifications determined in the vendor classification form and each classification follows a different assessment process. For low risk vendors you may be able to complete the questionnaire with information known internally to your organization. Once completed the questionnaires should be saved with the vendor’s classification form and reviewed annually. For high or critical risk vendors, it will require a more formal process which should include documented responses from the vendors.
- 10. 10 © Carrie Whysall, 2020 #4 Decide For each of the high-risk vendors, a decision must be made of what to do with the risks discovered through the assessment process. Risk Accepted: Accept the risk “as-is” without any additional effort on the part of the organization or the vendor. Risk Accepted with remediation plan. Risk Unacceptable: There are two options for this finding. Work with the vendor on remediation/mitigation on their side. Decide to terminate the contract based on risk and follow the terms set forth in the contract regarding termination of services. Note: one of the biggest mistakes an entity can make in this phase is creating a remediation plan without follow through. Nothing stings more than having an exposed risk occur because you didn’t complete the remediation.
- 11. 11 © Carrie Whysall, 2020 What types of assessments are there ? Pre-Procurement Assessment: this is typically a shorter assessment that is based primarily on the organizations security policy with focus on technology, data storage, and connectivity requirements. The goal here being that a quick decision on whether or not to use this product from a particular vendor. HIPAA-Based Risk Assessments: these are typically much longer assessments that focus on a much broader range of HIPAA regulations. The questions are more in depth and typically require detailed responses from a vendor. These assessments are also typically where a risk level is assigned to a vendor.
- 12. 12 What Are Some of the Challenges?
- 13. 13 © Carrie Whysall, 2020 What issues arise throughout the process? Asking the right questions. Having access to the contract documents. Getting the correct documents back for the vendors. Getting responses in a timely manner. Ensuring that going forward you update new contracts with requirements for meeting your security requirements and retaining the ability to assess of audit them periodically. Adding automation where you can. Effective use of the data you have gathered. Where else would this data be helpful to the organization? SOC/SIEM feeds Cyber insurance validation Supply chain
- 14. 14 © Carrie Whysall, 2020 What about staffing? Vendor management can have a significant impact on staffing. Most entities do not have additional bodies to pull for these efforts. Especially right now while we are struggling to staff COVID-19 Units while having to institute furloughs in our elective procedure areas. At first the typical attempt is to assign portions of existing staff to this activity. These are usually either existing security or compliance staff. Early efforts may be via Excel spreadsheets and tracked manually.
- 15. 15 © Carrie Whysall, 2020 …And what about outsourcing? Allows an organization to leverage the experience and existing vendor relationships the outsourcer already has. Provides the benefit of access to subject matter experts (SME’s). No need to train existing staff on the process. The agreements should contractually set SLA’s and turnaround times for expedited requests. A higher number of assessments can be completed as the outsourced staff is working full time on them not as part of another role. Standardized risk valuations, typically through the use of templates, which include – critical, high, moderate, and low and clear definitions of each value. Assigning the assessment portions to a partner allows you to focus on remediation plans and tasks instead of time on the phone or in email tracking down answers.
- 16. 16 © Carrie Whysall, 2020 Thanks for tuning in! For more COVID-19 related podcast content, please visit www.cynergistek.com/podcasts.