Security Programme management and oversight 5.3 Flashcards
Third Party Risk analysis
Important to conduct risk assessments on third party companies who through their work have access to important company data.
Perform risk assessments. Categorise risk by vendor and manage the risk.
Penetration testing.
Rules of engagement - important document defines rules of engagement during a pen test. Make sure everyone is aware of the parameters.
Right to audit clause
Right to audit clause ensures that any companies working with the organisation are aware that the organisation has a right to perform a security audit at any time.
Normally integrated into the contract itself.
Evidence of internal audits
Evaluate the effectiveness of security controls. May be required for compliance. Check for security controls and processes.
Access management, off boarding, password security. VPN controls
Supply chain analysis
How we get a product from a vender to the customer.
Good opportunity to see where security vulnerabilities may exist in the supply chain.
Vendor selection process - Due diligence
Investigate and verify information. Financial status, pending or past legal issues. background checks and personal interviews.
Vendor monitoring
On going management with the vendor, reviews should occur on a regular basis.Different vendors may be checked for different indicators. Financial health check, IT security reviews, news articles.
Vendor selection process - conflict of interest.
A personal interest could compromise judgement
A potential partner also does business with your largest competition.
How to perform vendor monitoring
Send questionnaires to third parties.
Agreement types SLA
Service level agreement - Allows minimum terms for service provided. Uptime, Response time agreement, etc
Both companies are aware of the service level agreements and expectations between
Agreement types - MOU
Memorandum of Understanding
Both sides agree in general to the contents of the memorandum. Usually states common goals, but not much more. Is informal and not a signed contract.
Agreement types - MOA
Both sides conditionally agree to the objectives. Can also be a legal document even without legal language.
Not a contract - does not provide legal enforcement.
Agreement types - MSA
Master Service Agreements. Legal Contract and agreement of terms. Many detailed negotiations happen here. Future projects will be based on this agreement.
Agreement types - WO or SOW
Work Order / Statement of Work
Specific list of items to be completed
Used in conjunction with the MSA
Details the scope of the job, location, deliverables, schedule, acceptance criteria.
Agreement types - NDA
Non disclosure agreement. Confidentiality agreement between parties. Information in the agreement should not be disclosed. Protects confidential information, trade secrets, business activities.
Unilateral (One-way) Bilateral (Mutual NDA)
Multilateral