Maturing 3rd Party Vendor Risk Programs GORDON SHEVLIN, CEO, ALLGRESS TONY UCEDA VELEZ, CEO, VERSPRITE SCOTT TAKAOKA, VP BUS. DEV. , VERSPRITE MARCH 1, 2016

Agenda Programs That We See Today • Program definition of risk – often legal, financial, reputational, cyber • More mature assessing financial risk, least mature assessing cyber-risk • Ramping programs/where to start – product, asset or organization centric • Moving from audit related to active risk management Legal Business Risk Security

VRA Program Maturity Study * S H A R E D A S S E S S M E N T, 2 0 1 5 , V E N D O R R I S K M A N A G E M E N T S T U D Y Category C - Level VP/Director Level Manager Level Program Governance 2.9 2.8 3.2 Policies, Standards, Procedures 2.8 2.8 3.0 Contracts 2.7 2.8 2.8 Vendor Risk ID and Analysis 2.4 2.7 2.5 Skills and Expertise 1.9 2.1 2.7 Communication and Info Sharing 2.2 2.3 2.6 Tools, Measurements and Analysis 2.0 2.3 2.9 Monitoring and Review 2.6 2.7 2.8

Takeaways – Discomfort at C-level Challenges o Understanding risk of cyber-attack o Communicating risk o Resourcing/improving VRA process

Understanding Risk o Single framework based approaches focused on security are common o “Check box”, considered in its own silo o Often lacks granularity and context for accurate measurement of vendor risk Security Posture

Expanding Context for VRA o Business/compliance context – more comprehensive view o Map controls to business operational impact o Consider hybrid – ex. NIST CSF + HIPAA Business / Compliance Impact Security Posture

Expanding Context for VRA o Business/compliance context – more comprehensive view o Map controls to business operational impact o Consider hybrid – ex. NIST CSF + HIPAA o Threat provides focus for controls o Which controls are most important Business / Compliance Impact Security Posture Threat

How? Organizational Threat Model o PASTA (process for attack simulation and threat analysis) o Business impact – examine outsourced process o Threat o Identify top threats, map to processes then vendors o Now evaluate security posture o Identify key controls o Identify metrics + sensitivity o Identify remediation opportunities Business / Compliance Impact Security Posture Threat

Path to Automation o Ensure controls are commensurate with maturity level of program o Measurable – ensure control activities can be collected and expressed in metrics o Understand the impact of controls on the business o Measure over time Simple Metric Intermediate Value Add Yearly policy review # of security technical standards Demonstrates sustainable governance program # High risk items remediated <30 days % of control gaps remediated Shows a process for addressing security gaps Participation % in awareness training Social engineering ploys foil by employee security awareness Demonstrates successful operationalization of security

Communicate Risk

Modular Solution Vulnerability Analysis Security & Compliance Assessment Risk Analysis Incident Management Policy & Procedures Third Party Vendor Management Risk Register Insight Risk Management Suite

The Allgress Solution o Centralized data facilitates seamless oversight of the entire risk, security, and compliance management life- cycle o Automated prioritization allows organizations to efficiently remediate what matters most o Real-time reporting presented in a business context enables communication amongst IT stakeholders up to senior management

Vendor Risk Management o Automatically identify high-risk vendors o Out of the box surveys and/or customizable survey generation o Rapid turnaround with accelerated response times o Alleviate manual efforts with automated workflows and notifications o Comprehensive reporting with real- time status updates

Vendor Risk Management

Policy Module o Map policy to both regulatory standards and frameworks o Centralized repository for all information and security policies o Author, review, and publish policies to your organization’s user community o Library with over 2,000 policies o View past, present, and draft versions of policies in the same location o Easily identify version differences through versioning and archiving capabilities

Risk Module o Enable prioritization of security budgets and expenses based on the probability of adverse events, and prioritize remediation tasks based on evaluated risks o Security risk scenario modeling provides organizations with insight into how decisions impact risk o Heat-map bubble charts display associated risks of business units, networks, asset type and asset groups o Risk communicated in a business relevant context

Partnership to Improve VRA Process o Controls and metrics development o Organizational threat modeling o Vendor risk assessment as a service o Automation support in Allgress o Extend finding into Allgress risk register and other modules

Maturing 3rd Party Vendor Risk Programs GORDON SHEVLIN, CEO, ALLGRESS TONY UCEDA VELEZ, CEO, VERSPRITE SCOTT TAKAOKA, VP BUS. DEV. , VERSPRITE MARCH 1, 2016