Continuous Monitoring: Program & Tools Flashcards
Continuous Monitoring Program
-Process Overview
-Tools
-Data
-Personnel
Continuous Monitoring:
Tools
Rating Tools
-Ignore the scores from the cyber standpoint
-They’re not great at telling you how they do security
-All of these tools will throw alerts and threats: botnet alerts, spam propagation, open server ports.
-Look at those alerts, NOT at the score.
-Look at the scores of the big hitters, Amazon and Microsoft: their scores are not good.
-The scoring is based on all the public IP addresses they own, but their customers use those addresses, and their customers don’t use the proper security.
-It’s not a valuable conversation to tell a vendor that their score stinks.
Continuous Monitoring:
Tools of the Trade
-Vendor Risk Rating Software
-Threat Intel Tools
-Third Party Cyber Risk as a Service
-SIEM - Security information event management
-Business Leaning and BI to produce “red” alerts
Continuous Monitoring Summary
Continuous Monitoring provides a risk window to third parties in between the point in time assessments.
-A lot can happen in between onsite visits and/or questionnaires.
-Continuously monitoring your third party via reports and alerts should reduce the risk your third party poses to your organization.
-Always take a risk-based approach
-Leverage existing vendor information
-Focus on specific threats and vulnerabilities, not the tool risk scores.
Continuous Monitoring:
Getting the Data
-IRQ Drives Continuous Monitoring Efforts
-Cybersecurity Exhibit
-Due Diligence
-Risk Acceptance
-Open Issues/Findings
Continuous Monitoring:
Risk-Based Triage
-Low Risk
-Medium Risk
-High Risk
-Critical Risk
Continuous Monitoring:
Incident, Event, or Breach?
Event:
-Any occurrence in an information system or network that has, or may potentially result in, unauthorized access, processing, corruption, modification, transfer or disclosure of data and/or Confidential Information.
-There’s an occurrence, potential unauthorized access, and you don’t know what’s happened. We potentially know something happened, but we don’t know what happened.
-You can call it an event if it is not a breach.
Incident:
-A cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery
-It has been determined that there has been some impact that needs response and recovery.
-E.g. a short interruption of service: something that had an impact and that you had to do something about.
Breach:
-An incident wherein information is stolen or taken from a system without the knowledge or authorization of the system’s owner
-Something has been stolen: theft of information.
*A breach is a type of incident, but not all incidents are breaches.
*Make sure incident management and TPRM have the same definitions for cyber incident, event, and breach.
Continuous Monitoring:
Types of Interactions
Low Risk
-Automate the email, goodbye.
-Sometimes you may not hear from the vendor, but the alert goes away, so the risk is gone. They didn’t engage with us, but the alert went away: the vendor resolved the issue but didn’t communicate.
Medium Risk
-Mix of email and conversation
High Risk
-Conversation
CM: Incident, Event, or Breach?
First, investigate whether there is an active relationship with the vendor.
-If you had a relationship that is no longer active, you need to figure out whether they had our data and whether they still have it. Where was our data during the breach?