Continuous Monitoring: Process Flashcards
Continuous Monitoring allows…
Continuous Monitoring allows you to continually assess and mitigate residual risk.
-It also ensures third parties are operating securely and effectively, as well as complying with regulatory requirements and industry standards.
Results of the inherent risk questionnaire (IRQ)…
Results of the inherent risk questionnaire (IRQ) will drive initial due diligence efforts.
-Residual risk should not be assessed once per year, but instead, assessed throughout the year using a variety of risk-based mechanisms.
Residual risk is assessed…
Residual risk is assessed using a variety of risk-based mechanisms.
-It all depends on what products/services the third party is providing, what you are providing to the third party, and how critical the third party is to you.
-You should also review past assessments performed, as well as any outstanding findings that remain open.
The evaluation of residual risk…
The evaluation of residual risk should take into account your program’s maturity, resources, organization’s risk appetite, and the third party and/or engagement’s current inherent and residual risk ratings.
-Cycle times may change as maturity increases.
Continuous Monitoring:
Risk-Based Approach
Risk-based approach is REQUIRED.
Types of Interactions:
-Low Risk : Automate the email, goodbye
-Medium Risk : Mix of email and conversation
-High Risk : Conversation
-Systemically Critical
How much do you want to interact with these vendors? -Systemically critical more interaction where low and medium is more automated.
Continuous Monitoring
-Continuous monitoring requires the organization to assess third party cyber risk on a continual basis to ensure contract terms, business obligations, legal and regulatory requirements, and performance expectations are met.
-Due diligence process is not a “one and done” process. It isn’t even an assessment once per year activity. It is an ongoing, continuous monitoring activity to ensure changes are made to the people, processes, and controls within your third party’s organization are not going to impact your business in a negative way.
-This occurs by continuously validating the security controls your third party has in place to ensure they are sufficient and operating as intended.
Issues with “The Morning After”
-Cyber risk not identified until after contract signature.
-When
-How much
-Re-Assess
-Inform on Cyber Risk
-Re-Level in Cyber Risk System of Record
Inform the appropriate stakeholders that the risk has now changed.
-Update the risk in the system of record. E.g. Venminder
Walk through CM Process for sample third party with data:
Cyber CM Process:
1. Get the alert
2. Investigate the threat/alert
3. Determine risk of third party - is it worth the effort?
4. Review previous due diligence, open findings and risk acceptances
5. Determine if any connection to threat/alert and existing due diligence - is it worth the effort?
6. Reach out to third party with specific information about the threat/alert, determine their importance to your organization, and identify any other risk information to assist. Set a deadline for response.
7. Based upon responses, determine next steps based upon your process for escalation or closure via remediation
Cyber Continuous Monitoring:
Process
- Alerts and Vulnerabilities
- Internal Data
- Specific Threat…Specific Actions
- Specific Actions
Get alerts and vulnerabilities from your tools, you take that and see where it sits high risk or low risk then review the internal data for the vendor then here’s my due diligence for this that relates to the alters.
-Now I have a specific threat that I can have a conversation with the vendor regarding the specific threat.
Continuous Monitoring:
Reporting and Esclation
-Reporting for Visibility and Action
-Escalation Steps
-Reported to the right level within the organization.
-Even though the Business Owner owns the risk,
they should not be able to accept high risk on
behalf of the organization without additional
transparency and review.
Define your escalation steps very crisply.
You don’t want to escalate everything.
Varys upon how many vendors you have, if you leave ad hoc then you’ll get ad hoc results.
Clearly identify when you do what, who you go to what depending on the risks.
***Cyber CM Process Workshop!!!!
-Get the alert
-Investigate the threat/alert
-Determine risk of third party – is it worth the effort?
-Review previous due diligence, open findings and risk acceptances
-Determine if any connection to threat/alert and existing due diligence – is it worth
the effort?
-Reach out to third party with specific information about the threat/alert, determine their importance to your organization, and identify any other risk information to assist. Set a deadline for response.
-Based upon responses, determine next steps based upon your process for escalation or closure via remediation.
Continuous Monitoring Wrap Up
Continuous Monitoring provides a risk view into third parties in between the point-intime assessments. A lot can happen in between onsite visits and/or questionnaires.
Continuously monitoring your third party via reports and alerts should reduce the risk
your third parties pose to your organization.
