5_3_2 Section 5 – Governance, Risk, and Compliance - 5.3 – Organizational Security Policies - Third-party Risk Management

Questions and Answers

What type of vendors may a company work with?

Payroll, email marketing, travel, or raw materials vendors

Why is it important to understand the risk associated with providing data to a third party?

To ensure security and protect against breaches

What is a recommended practice when working with third-party vendors?

Categorizing the risk associated with each vendor and having security policies in place

What can be a useful practice when contracting with a third-party vendor?

Including a list of specific security requirements in the contract

What happened to Target in 2013?

They suffered an enormous breach to their network due to a third-party vendor

What is a common scenario when working with cloud services?

You need to put your data into the cloud service

What was the primary source of the malware infection that affected Target's network?

An email attachment sent to an HVAC vendor

What was the main consequence of the malware infection on Target's network?

Over 110 million credit card numbers were stolen

What is the primary concern related to third-party vendors in the supply chain?

The security risks involved in the supply chain process

What is the benefit of performing an assessment of the supply chain?

It helps to understand the security risks involved

What was the result of the software update provided by SolarWinds in 2020?

It installed malware onto the customers' systems

How many companies were infected as a result of the SolarWinds breach?

At least 18,000 companies

What is the primary concern when working with a business partner that has a direct network connection?

The security of the data being transferred

What is the recommended way to transfer data between business partners?

Through an encrypted IPsec tunnel

What is the purpose of having policies in place for handling risks with business partners?

To understand the best practices for handling data and intellectual property

What is the benefit of understanding how intellectual property should be handled between business partners?

It helps to prevent unauthorized access or use of intellectual property

What is the purpose of a service level agreement (SLA)?

To establish a minimum set of service terms for a product or service

What is the purpose of a Memorandum Of Understanding (MOU)?

To outline expectations for a business process

What is the purpose of a Measurement System Analysis (MSA)?

To evaluate the quality of a measurement system

What is the purpose of a Business Partnership Agreement (BPA)?

To outline the terms of a business partnership

What is the purpose of a nondisclosure agreement (NDA)?

To maintain confidentiality between parties

What is the difference between a unilateral and a bilateral nondisclosure agreement?

A unilateral agreement involves only one party, while a bilateral agreement involves two parties

What happens when a manufacturer announces the end of life (EOL) for a product?

The manufacturer stops selling the product, but continues to support it

What is the difference between the end of life (EOL) and end of service life (EOSL) for a product?

EOL refers to the end of sales, while EOSL refers to the end of support

Why is it important to understand the end of life (EOL) for a product?

Because it affects the security patches provided by the vendor

What is the purpose of including a firewall or filter between two networks?

To manage the type of traffic transferred between networks

Study Notes

Third-Party Vendors and Security Concerns

• When working with third-party vendors, data sharing is inevitable, and it's essential to understand the risk associated with providing data to a third party.
• Categorize the risk for each vendor and have security policies and procedures in place to protect against the highest-risk vendors.
• Include security requirements in the initial contract to ensure everyone understands the requirements.

Third-Party Vendor Risks: Target Corporation Example

• In 2013, Target Corporation suffered a massive breach due to a third-party HVAC vendor's lack of security measures.
• The vendor's malware-infected email attachment led to the infection of Target's point-of-sale terminals, resulting in the theft of over 110 million credit card numbers.
• This incident highlights the importance of evaluating the security measures of third-party vendors.

Supply Chain Security Concerns

• The supply chain involves multiple organizations, people, and resources, making it challenging to understand the security methods in place.
• Assess the supply chain to identify security risks and improve the process.
• Evaluate the IT systems supporting the supply chain and document changes as needed.

Supply Chain Breach Example: SolarWinds

• In 2020, a software update from a network management provider installed malware onto customers' systems, affecting at least 18,000 companies.
• The malware was digitally signed with the provider's certificate, making it trusted by customers.
• This breach emphasizes the importance of evaluating the security measures in the supply chain.

Business Partners and Security Concerns

• When working with business partners, there may be direct network connections between organizations, creating significant security concerns.
• Implement policies to handle risks, such as building an IPsec connection and monitoring for malicious activity.
• Configure firewalls or filters to manage traffic between networks.

Agreements with Third-Parties

• Service Level Agreements (SLAs) set minimum service terms for specific services or products.
• Memorandums of Understanding (MOUs) outline expectations and requirements between organizations.
• Measurement System Analysis (MSA) evaluates and assesses the quality of measurement systems.
• Business Partnership Agreements (BPAs) detail ownership stakes, financial agreements, and decision-making processes.
• Nondisclosure Agreements (NDAs) ensure confidentiality between parties sharing sensitive information.

End of Life and End of Service Life

• Understand when a product's end of life and end of service life might be, as manufacturers may stop selling and supporting products.
• Plan for security patches and updates when a product reaches its end of life and end of service life.