Third Party Remediation Efforts


Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
>> Hello again and welcome to the HCISPP certification course with Cybrary: Third Party Remediation Efforts. My name is Schlaine Hutchins and I'm your instructor. Today, we're going to talk about risk management activities, risk treatment identification, corrective action plans, and compliance activities documentation.

When a primary entity conducts the risk assessment or audit, it needs to determine the risk level associated with any findings. For example, if physical security safeguards are found to be lax at a third-party vendor's processing facility, the primary entity may determine this to be a critical risk to the sensitive data.

When a security incident occurs that results in a breach, the primary entity and third-party vendor must each contribute information that allows for an appropriate assessment of the risk level. The third-party vendor needs to ensure that it relays the facts surrounding what occurred as well as any residual risks that remain. The primary entity must determine the harm to the impacted individuals to determine what appropriate notification must include as well as the overall financial and reputational harm. If the incident is believed to have been caused by illegal activities such as hacking, the primary entity and the third party must bring in law enforcement.

Each finding during a third-party vendor assessment should be assigned a risk rating such as critical, high, medium, or low. The primary entity needs to establish requirements at each of those levels. For example, it may be that a critical finding needs to be resolved in 14 days. The third-party vendor needs to understand the primary entity's stance on risk acceptance, perhaps only at certain lower risk rating levels. How will risk acceptance be agreed upon and documented? If the primary entity is not comfortable that a proposed remediation will mitigate the identified risks and risk acceptance is not appropriate, the primary entity needs to have an escalation process in place to determine whether or not it makes sense to continue doing business with the vendor.

Follow-up time frames could also vary by risk rating. The primary entity may want weekly status updates for critical risks, but will only need to follow up quarterly on medium-risk findings.

When issues have been identified and assigned a risk level, it's important for an information security representative to meet with the internal business owner and the vendor's representative to discuss the issues and how the vendor plans to address them. The corrective action plan should indicate what the vendor plans to implement, for example, new technology or enhanced policies and procedures, or additional training, and the time frame in which the activity will be carried out.

In those instances where the vendor determines it cannot correct an issue, it will be the decision of the primary entity whether it can accept that risk or not. The decision will need to be made about the impact to the primary entity, and if it makes sense to continue doing business with the known risk. Depending on the type of risk, this situation, which should be somewhat rare, will need to be escalated to senior management for a decision. That is where the security professional can provide valuable information about the risk and what it poses for the organization. This should be communicated in business language that can be understood by all parties involved in the decision-making process.

As noted earlier, it is the responsibility of the primary entity to assess the risk associated with engaging in a relationship with the vendor. The role of the security professional is to serve as the subject matter expert for assessing security risks, which in turn equips the business owner with information to make informed decisions.

Again, if the security professional has invested in equipping the internal business owner with knowledge, tracking compliance activities can be incorporated into whatever process the business owner is using to track other metrics associated with the vendor, for example, operational SLAs. The internal business owner could periodically validate that the vendor has informed the primary entity of those individuals who have been terminated by the vendor. It's a good practice for the internal business owner to embed ongoing compliance questions into the operational monitoring and reporting with the primary entity's senior management and the third-party vendor. Tracking of issues not only shows progress on individual risks, but it also provides a repository of information that can be used to keep senior management informed and monitor trends.

In summary, we talked about risk management activities, risk treatment identification, corrective action plans, and compliance activities documentation. Stay tuned for the next video.
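The rating-driven requirements, follow-up cadences, and the remediate/accept/escalate decision the lecture describes, written out as a small finding tracker. This is an added example and not part of the Cybrary course or its material. The 14-day critical deadline and the weekly (critical) and quarterly (medium) follow-up cadences are the figures from the transcript; the high and low deadlines, the 90-day medium deadline, the vendor name, the finding records and the reporting date are constructed assumptions standing in for values a primary entity would set in its own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Rating(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


# Requirements per risk rating. The critical 14-day deadline and the 7-day
# (weekly) and 90-day (quarterly) follow-ups are from the lecture; every other
# number, and the rule that only medium/low may be risk-accepted, is an assumed
# placeholder for the primary entity's own policy.
POLICY = {
    Rating.CRITICAL: {"remediate_days": 14, "followup_days": 7, "acceptable": False},
    Rating.HIGH: {"remediate_days": 30, "followup_days": 14, "acceptable": False},
    Rating.MEDIUM: {"remediate_days": 90, "followup_days": 90, "acceptable": True},
    Rating.LOW: {"remediate_days": 180, "followup_days": 180, "acceptable": True},
}


@dataclass
class Finding:
    finding_id: str
    vendor: str
    description: str
    rating: Rating
    opened: date
    corrective_action: str = ""          # what the vendor plans to implement
    vendor_can_remediate: bool = True    # False when the vendor says it cannot fix it
    last_followup: Optional[date] = None
    status: str = "open"                 # open / remediated / accepted / escalated

    def remediation_due(self) -> date:
        """Deadline derived from the rating-level requirement."""
        return self.opened + timedelta(days=POLICY[self.rating]["remediate_days"])

    def next_followup(self) -> date:
        """Next status check, measured from the last one (or from opening)."""
        base = self.last_followup or self.opened
        return base + timedelta(days=POLICY[self.rating]["followup_days"])

    def is_overdue(self, today: date) -> bool:
        return self.status == "open" and today > self.remediation_due()


def disposition(finding: Finding, remediation_approved: bool) -> str:
    """Decision flow from the lecture: remediate when the vendor can fix it and the
    primary entity accepts the plan; otherwise accept the risk only where the
    rating level permits; otherwise escalate to senior management."""
    if finding.vendor_can_remediate and remediation_approved:
        return "remediate"
    if POLICY[finding.rating]["acceptable"]:
        return "accept"
    return "escalate"


def status_report(findings, today: date) -> dict:
    """Portfolio summary for senior-management reporting: open findings by rating,
    findings past their remediation deadline, and findings due a follow-up."""
    open_findings = [f for f in findings if f.status == "open"]
    by_rating = {r.value: sum(1 for f in open_findings if f.rating is r) for r in Rating}
    overdue = sorted(f.finding_id for f in open_findings if f.is_overdue(today))
    followup_due = sorted(f.finding_id for f in open_findings if today >= f.next_followup())
    return {"open_by_rating": by_rating, "overdue": overdue, "followup_due": followup_due}


# Constructed sample findings against a hypothetical vendor (not real data).
SAMPLE_FINDINGS = [
    Finding("F-001", "ExampleVendor", "Physical safeguards lax at processing facility",
            Rating.CRITICAL, date(2024, 1, 1), "Badge access and camera coverage", True,
            last_followup=date(2024, 1, 8)),
    Finding("F-002", "ExampleVendor", "Terminated staff not reported to primary entity",
            Rating.MEDIUM, date(2024, 1, 1), "Monthly termination report", True),
    Finding("F-003", "ExampleVendor", "Legacy system cannot be patched",
            Rating.HIGH, date(2024, 1, 1), "", vendor_can_remediate=False),
]

# Assumed reporting date for the sample run.
AS_OF = date(2024, 1, 20)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.rating.value, "due", f.remediation_due(),
              "overdue" if f.is_overdue(AS_OF) else "on track",
              "->", disposition(f, remediation_approved=bool(f.corrective_action)))
    print(status_report(SAMPLE_FINDINGS, AS_OF))
```

The report is the "repository of information" the lecture mentions: run it on each reporting cycle and the overdue and follow-up lists give senior management the trend view, while `disposition` records why a finding left the open state. A finding that returns "escalate" is the rare case the lecture describes, where neither the plan nor acceptance is appropriate and the business decision about continuing with the vendor has to be made above the business owner.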