UpGuard: The Ultimate Guide to Cybersecurity Vendor Risk Assessment, 2023 whitepaper (English edition, 18 pages)
Trusted by hundreds of companies worldwide

The Ultimate Guide to Cybersecurity Vendor Risk Assessment

Table of Contents

Introduction
What is Vendor Risk Management?
How to Assess Third-Party Vendors
What are the Common Challenges of Third-Party Risk Assessments?
Why You Should Combine Security Ratings with Questionnaires
UpGuard supports the Complete Scope of Vendor Risk Assessments
Conclusion

Introduction

The third-party landscape is a critical cyber-attack vector that cannot be ignored. There are 3 reasons for this.

1. Third-party vendors don't have a great reputation for cybersecurity. According to a Gartner survey, 52% of surveyed businesses said they're concerned about third-party cybersecurity.
2. Third-party vendors have access to a significant amount of your personal data. A study by the Wiz research team revealed that 82% of companies give third parties access to all of their cloud data.
3. Third-party vendors have access to a significant amount of your personal data.

In recognizing the above two trends, cybercriminals have discovered a more convenient pathway to a business's private data. Instead of challenging the often resilient security controls at a victim's IT boundary, it's much easier to compromise their data by breaching one of their vendors. Because businesses share such a considerable portion of their customer data with their vendors, and each vendor partners with multiple businesses, a single third-party breach could potentially result in the compromise of multiple businesses and their customers. Two famous examples of such a cyberattack are the SolarWinds breach and the Accellion

As you'd expect, cybercriminals are rushing to exploit the considerable benefits of targeting the third-party landscape.

- 51% of organizations experienced a data breach caused by a third party.
- 83% of organizations experienced a third-party incident in the past three years.
- Almost half of all firms have suffered a significant data breach caused by a vendor.
- Organizations have a 27.7% chance of suffering a data breach, and 58% of these breaches are linked to third parties.
- 31% of third-party vendors could cause significant damage to organizations if breached.

To address the criticality of the third-party attack surface, organizations must understand each vendor's security posture and the gaps in their cybersecurity efforts. Vendor Risk Assessments provide a means of effectively gathering this

What is Vendor Risk Management?

Vendor risk management (VRM) deals with the management and monitoring of risks resulting from third-party vendors and suppliers of information technology (IT) products and services. VRM programs are concerned with ensuring third-party products, IT vendors, and service providers do not result in business disruption or financial and reputational damage.

While outsourcing has great benefits, your organization is exposed to operational, regulatory, financial, and reputational risk if vendors lack strong security controls. Vendor Risk Management is focused on identifying and mitigating those risks.

An effective strategy for reducing security risks is to limit each vendor's sensitive data access to the minimal level required to get their job done. But this strategy alone is insufficient. To universally reduce third-party risks across the entire IT ecosystem, organizations need an overarching risk management strategy where vendor risks are consistently evaluated and addressed. It's not enough to have risk experts that manage a portfolio of vendors. The vendor attack surface is complex and ever-expanding, and a data breach could originate from any point in the third-party

How to Assess Third-Party Vendors

Discovering third-party risks is complicated. Each vendor's processes and data handling practices are enclosed within its IT infrastructure. Short of peering over shoulders to observe daily cybersecurity habits, it is difficult to accurately determine the level of risk each vendor poses to your organization. The goal of Vendor Risk Management is to achieve a level of risk monitoring that's equivalent to sitting inside a vendor's IT environment without the same degree of invasiveness.

There are five common methods for discovering third-party risks:

1. Security Ratings

Security ratings are an increasingly popular part of third-party risk management. They can help with:

- Understanding third-party and fourth-party security risks within your supply chain in real time.
- Cyber insurance underwriting, pricing, and risk management, by allowing insurers to gain visibility into the security program of those they insure to better assess and price their insurance policies.
- Investment in or acquisition of a company, by providing organizations with an independent assessment of an investment or M&A target's information security controls.
- Enabling governments to better understand and manage their vendors' cybersecurity performance.

According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the security risks of existing and new business

2. Security Questionnaires

Security questionnaires (or vendor risk assessments) are designed to help you identify potential security risks that could result in a data breach, data leak, or any other type of cyberattack.

3. Assessing Available Security Documentation

Researching potential third-party vendors isn't easy when you have little to no third-party risk data to work with. By referencing SOC 2 Type 2 audit reports and previously completed assessments, you can get a window into a prospective vendor's security posture. Asking for these reports during the research process also allows you to shortlist candidates focused on improving their cybersecurity.

4. Penetration Testing

Penetration testing (also known as pen testing and ethical hacking) is the practice of testing a computer system's, network's, or web application's cybersecurity by looking for exploitable security vulnerabilities. Penetration testing can be done manually by penetration testers or automated with penetration testing tools.

5. Virtual and Onsite Evaluations

Virtual and onsite evaluations are typically performed by an outside entity and can include policy and procedure reviews, as well as a physical review of physical security

What are the Common Challenges of Third-Party Risk Assessments?

There are a number of common difficulties most organizations face when implementing and running a third-party risk management program.

Lack of Speed

Ensuring each vendor completes their security questionnaires and then processing all of the results is a tiresome effort. Frustrations and delays are further exacerbated when questionnaires are in the form of lengthy spreadsheets. Not only does this strain third-party relationships, but it also creates a vendor risk management foundation based on unscalable and inefficient processes.

Lack of Depth

Security risks don't stop at the third-party boundary. Your security posture can even be impacted by vulnerabilities associated with your fourth-party vendors (the vendors of your vendors). There is rarely a direct line of communication with the fourth-party network, so it's difficult to monitor this attack surface with conventional vendor risk assessment methods.

Lack of Visibility

Even if a questionnaire submission confirms the effectiveness of a given vendor's security controls, it only does so for that point in time. The complexity of the digital landscape means IT infrastructures are in a constant state of flux, so the risk assessment results could change at any time. It can also be difficult to verify the claims a vendor makes about their information security controls based on their questionnaire responses.

Lack of Consistency

Ad-hoc third-party risk management processes mean that not all vendors are monitored, and when they are, they are not held to the same standard as other vendors. While it's fine, even recommended, to assess critical vendors more heavily than non-critical vendors, it's still important to assess all vendors against the same standardized checks to prevent security risks from hiding beyond the scope of your assessment efforts.

Lack of Context

Contextualizing risk assessments is important because each vendor poses a different degree of risk to your organization. For example, a supplier that provides blog posts is less of a security risk than one that processes your customers' sensitive data. The latter would require a higher degree of security attention since their operations would have a larger potential impact on your security posture.

Lack of Trackability

Your organization likely employs hundreds or even thousands of third parties, and keeping track of them can be a challenge. It's important to closely monitor who your vendors are, who has been sent security questionnaires, how much they have answered, and when they were completed.

Lack of Engagement

It is challenging to communicate the importance of cybersecurity, particularly to time-poor vendors who may have different perspectives and goals than your organization. It's not uncommon to have to follow up for weeks or even months to get a vendor to answer a questionnaire. This is why it's so important to have a centralized place where you can send and review security questionnaires without having to keep track of different files and

Why You Should Combine Security Ratings with Questionnaires

Security ratings complement questionnaires by verifying the accuracy of submissions and the efficacy of all remediation efforts. Security ratings also track changes in each vendor's security posture in real time, helping you rapidly identify and address potential third-party risks before cyber attackers exploit them.

UpGuard combines questionnaire risks with security ratings to provide the most comprehensive and accurate evaluation of each third-party vendor's security posture. Gartner defines this process as Cyber Vendor Risk M

UpGuard supports the Complete Scope of Vendor Risk Assessments

Instead of bundling multiple solutions to address the different categories of Vendor Risk Assessments, UpGuard offers a complete Vendor Risk Assessment framework neatly packaged in a single platform. UpGuard's in-app risk assessment workflow consists of three stages:

Stage 1: Gather and Select Evidence

UpGuard employs a multi-dimensional third-party risk discovery approach to offer the most comprehensive analysis of your vendor's attack surface. This evidence profile is generated from three sources:

- Security ratings
- Security questionnaires
- Additional evidence

Security ratings

UpGuard assigns a security rating to each vendor based on the types of security risks detected on their attack surface. Security ratings range from 0 to 950 and consist of a weighted average of the risk rating across all externally facing assets, such as web applications, IP addresses, and marketing

UpGuard's security ratings are based on an analysis of 70+ vectors, including:

- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM, and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Vulnerabilities
- Malware susceptibility
- Network security
- Unnecessarily open administration, database, app, email, and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security

Security Questionnaires

The UpGuard platform offers a library of more than 20 different risk questionnaires mapping to popular cybersecurity frameworks. UpGuard also offers a custom questionnaire builder for targeted risk inquiries based on your unique risk appetite. Custom questionnaires can be constructed from a blank canvas, or by editing an existing questionnaire.

- NIST Cybersecurity Framework Questionnaire: Assesses an organization's security posture against the NIST Cybersecurity Framework.
- PCI DSS Questionnaire: Assesses an organization's adherence to the twelve requirements of PCI DSS.
- California Consumer Privacy Act (CCPA) Questionnaire: Assesses whether a vendor is compliant with the personal information disclosure requirements outlined in CCPA.
- COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
- ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
- GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
- CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in the 20 CIS Controls.
- NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.
- Modern Slavery Questionnaire: Designed to identify modern slavery risks, address identified risks, and highlight areas requiring further due diligence.
- Pandemic Questionnaire: Designed to help you assess the impact of any current or future pandemics.
- Security and Privacy Program Questionnaire: Focuses solely on an organization's security and privacy program.
- Web Application Security Questionnaire: Focuses solely on an organization's web application security controls.
- Infrastructure Security Questionnaire: Focuses solely on an organization's infrastructure security controls.
- Physical and Data Centre Security Questionnaire: Focuses solely on an organization's physical and data centre security controls.
- SolarWinds Questionnaire: Designed to help you assess your vendors that may use solarW
- Kaseya Questionnaire: To help you determine if you or your vendors were exposed to the sophisticated supply chain ransomware attack.
- Higher Education Community Vendor Assessment Tool (HECVAT) Questionnaire: Assesses the third-party risks of higher education institutions.
- Health Insurance Portability and Accountability Act (HIPAA) Questionnaire: Assesses the security standards of organizations with access to protected health information (PHI).

UpGuard combines the results of automated web scanning and questionnaire responses. This not only simplifies the remediation process for your security team but also produces a more accurate evaluation of your third-party risk profile.

- Continuously monitor the security postures of all third-party, and even fourth-party, vendors in real time.
- Create custom risk assessments based on your unique security requirements.
- Choose from a library of pre-designed questionnaires based on popular cybersecurity frameworks.

Additional Evidence

The additional evidence section gives you the option of appending any supplementary information impacting a vendor's security posture. This could include:

- SOC 2 Type 2 audit reports
- Any other regulatory audit reports
- Previous security

Stage 2: Review Risks

The UpGuard platform then automatically identifies all of the security risks from the above-mentioned sources and presents them in a simple, consolidated view. You can edit this list by selecting the risks that should be addressed and those you're willing to accept.

Add commentary

The final step is capturing any notes (or writing a more comprehensive report), and setting a date for when the vendor should be reassessed. If at any point in this process you need to message the vendor, this can be done within the platform to prevent important information from getting lost in a sea of emails. You also get an auditable record of every assessment, including a snapshot of the evidence and risk profile at the precise point in time the assessment was

Conclusion

UpGuard's Vendor Risk Assessment workflow is flexible enough to support the complete scope of the risk assessment process; from a quick review of automated scanning results to detailed security questionnaire design, and executive report creation.

“UpGuard's Vendor Risk Assessment workflow creates a focal point for an effective vendor risk management program.”

Questions? We have answers

Know your vendors. Secure yourself. We're here to help, shoot us an email at

Looking for a better, smarter way to protect your data and prevent breaches? UpGuard offers a full suite of products for security, risk and vendor management teams.
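The rating vectors listed under "Security ratings" above (TLS certificate state, SPF and DMARC records, HSTS, secure cookie flags, unnecessarily open administration and database ports) and the stated rule that a rating is a weighted average across externally facing assets can be made concrete with a small scorer. The following is an added example written for this page, not UpGuard's code or its published methodology: it assumes the evidence for each asset has already been collected (so it runs offline with no network access), and the finding names, penalty weights, port list, asset weights and the two sample assets are all constructed for illustration. The 0 to 950 range is the one the whitepaper states.

```python
"""Toy external-posture scorer (added example, not UpGuard code).

Each externally facing asset carries already-collected evidence. Checks in
the spirit of the whitepaper's rating vectors turn that evidence into named
findings with constructed penalty weights (0-100 scale per asset); the vendor
rating is the asset-weighted average on a 0-950 scale.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_SCORE = 950  # the whitepaper states ratings range from 0 to 950

# Constructed list of service ports whose exposure on a public asset the
# whitepaper flags as unnecessary (administration, database, file sharing).
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 3306: "mysql",
               3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb"}


@dataclass
class AssetEvidence:
    hostname: str
    weight: float                        # relative importance of the asset
    cert_days_remaining: Optional[int]   # None means no TLS observed
    cert_self_signed: bool
    spf: Optional[str]                   # raw SPF TXT record, or None
    dmarc: Optional[str]                 # raw _dmarc TXT record, or None
    headers: Dict[str, str]              # response headers, lower-case keys
    open_ports: Set[int] = field(default_factory=set)


Finding = Tuple[str, int]  # (finding name, constructed penalty points)


def tls_findings(ev: AssetEvidence) -> List[Finding]:
    out: List[Finding] = []
    if ev.cert_days_remaining is None:
        out.append(("no_tls", 40))
    elif ev.cert_days_remaining < 0:
        out.append(("cert_expired", 30))
    elif ev.cert_days_remaining < 14:
        out.append(("cert_expiring_soon", 10))
    if ev.cert_self_signed:
        out.append(("cert_self_signed", 30))
    return out


def spf_findings(spf: Optional[str]) -> List[Finding]:
    if spf is None:
        return [("spf_missing", 20)]
    if "+all" in spf.replace(" ", ""):     # anyone may send as the domain
        return [("spf_permissive_all", 30)]
    if "~all" in spf or "?all" in spf:     # soft fail / neutral: weak
        return [("spf_soft_fail", 10)]
    return []


def dmarc_findings(dmarc: Optional[str]) -> List[Finding]:
    if dmarc is None:
        return [("dmarc_missing", 25)]
    # DMARC records are "tag=value; tag=value"; split on the first '=' only
    # so values containing '=' (e.g. mailto URIs) survive.
    tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
    if tags.get("p", "none") == "none":    # monitoring only, nothing enforced
        return [("dmarc_policy_none", 15)]
    return []


def header_findings(headers: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    if "strict-transport-security" not in headers:
        out.append(("hsts_missing", 15))
    cookie = headers.get("set-cookie", "").lower()
    if cookie and ("secure" not in cookie or "httponly" not in cookie):
        out.append(("cookie_flags_missing", 10))
    return out


def port_findings(open_ports: Set[int]) -> List[Finding]:
    return [(f"open_{RISKY_PORTS[p]}_port", 20) for p in sorted(open_ports) if p in RISKY_PORTS]


def asset_findings(ev: AssetEvidence) -> List[Finding]:
    return (tls_findings(ev) + spf_findings(ev.spf) + dmarc_findings(ev.dmarc)
            + header_findings(ev.headers) + port_findings(ev.open_ports))


def asset_score(ev: AssetEvidence) -> int:
    """Penalty points are capped at 100 and mapped linearly onto 0..MAX_SCORE."""
    penalty = min(100, sum(points for _, points in asset_findings(ev)))
    return round(MAX_SCORE * (100 - penalty) / 100)


def vendor_rating(assets: List[AssetEvidence]) -> int:
    """Asset-weighted average of the per-asset scores, as the page describes."""
    total_weight = sum(a.weight for a in assets)
    return round(sum(asset_score(a) * a.weight for a in assets) / total_weight)


# Constructed sample evidence for one vendor: a well-kept main site and a
# forgotten legacy host. Hostnames use the reserved .test TLD.
GOOD_ASSET = AssetEvidence(
    hostname="www.example-vendor.test", weight=3, cert_days_remaining=200,
    cert_self_signed=False, spf="v=spf1 include:_spf.example-vendor.test -all",
    dmarc="v=DMARC1; p=reject; rua=mailto:dmarc@example-vendor.test",
    headers={"strict-transport-security": "max-age=31536000",
             "set-cookie": "sid=abc; Secure; HttpOnly"},
    open_ports={443})
LEGACY_ASSET = AssetEvidence(
    hostname="legacy.example-vendor.test", weight=1, cert_days_remaining=-5,
    cert_self_signed=False, spf="v=spf1 ~all", dmarc="v=DMARC1; p=none",
    headers={}, open_ports={22, 443})
CONSTRUCTED_ASSETS = [GOOD_ASSET, LEGACY_ASSET]

if __name__ == "__main__":
    for a in CONSTRUCTED_ASSETS:
        print(a.hostname, asset_score(a), [n for n, _ in asset_findings(a)])
    print("vendor rating:", vendor_rating(CONSTRUCTED_ASSETS))
```

The design point is the one the whitepaper makes under "Lack of Visibility": a questionnaire answer such as "we enforce HSTS and DMARC" is a claim about one moment, whereas evidence-derived findings like `hsts_missing` or `dmarc_policy_none` can be regenerated on every scan and compared against that claim. Weighting assets also encodes the "Lack of Context" argument: the low-traffic legacy host drags the rating down, but less than the same findings on the main site would.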
+1 888- | Castro Street, Suite 120-387, Mountain View CA 94041, United States

2022 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard logo are registered trademarks of UpGuard, Inc. All other products or services mentioned herein are trademarks of their respective companies. Information subject to change without notice.