risk – often legal, financial, reputational, cyber
• More mature assessing financial risk, least mature assessing cyber-risk
• Ramping programs/where to start – product, asset or organization centric
• Moving from audit related to active risk management
[Diagram labels: Legal, Business Risk, Security]
D ASSESSMENT, 2015, VENDOR RISK MANAGEMENT STUDY

Category                          C-Level   VP/Director Level   Manager Level
Program Governance                2.9       2.8                 3.2
Policies, Standards, Procedures   2.8       2.8                 3.0
Contracts                         2.7       2.8                 2.8
Vendor Risk ID and Analysis       2.4       2.7                 2.5
Skills and Expertise              1.9       2.1                 2.7
Communication and Info Sharing    2.2       2.3                 2.6
Tools, Measurements and Analysis  2.0       2.3                 2.9
Monitoring and Review             2.6       2.7                 2.8
view
o Map controls to business operational impact
o Consider hybrid – ex. NIST CSF + HIPAA
o Threat provides focus for controls
o Which controls are most important
[Diagram labels: Business / Compliance Impact, Security Posture, Threat]
and threat analysis)
o Business impact – examine outsourced process
o Threat
o Identify top threats, map to processes then vendors
o Now evaluate security posture
o Identify key controls
o Identify metrics + sensitivity
o Identify remediation opportunities
[Diagram labels: Business / Compliance Impact, Security Posture, Threat]
level of program
o Measurable – ensure control activities can be collected and expressed in metrics
o Understand the impact of controls on the business
o Measure over time

Simple Metric                           Intermediate                                                     Value Add
Yearly policy review                    # of security technical standards                                Demonstrates sustainable governance program
# High risk items remediated <30 days   % of control gaps remediated                                     Shows a process for addressing security gaps
Participation % in awareness training   Social engineering ploys foiled by employee security awareness   Demonstrates successful operationalization of security
the entire risk, security, and compliance management life-cycle
o Automated prioritization allows organizations to efficiently remediate what matters most
o Real-time reporting presented in a business context enables communication amongst IT stakeholders up to senior management
of the box surveys and/or customizable survey generation
o Rapid turnaround with accelerated response times
o Alleviate manual efforts with automated workflows and notifications
o Comprehensive reporting with real-time status updates
frameworks
o Centralized repository for all information and security policies
o Author, review, and publish policies to your organization’s user community
o Library with over 2,000 policies
o View past, present, and draft versions of policies in the same location
o Easily identify version differences through versioning and archiving capabilities
based on the probability of adverse events, and prioritize remediation tasks based on evaluated risks
o Security risk scenario modeling provides organizations with insight into how decisions impact risk
o Heat-map bubble charts display associated risks of business units, networks, asset type and asset groups
o Risk communicated in a business relevant context
o Organizational threat modeling
o Vendor risk assessment as a service
o Automation support in Allgress
o Extend finding into Allgress risk register and other modules