Hello again and welcome to the H d A I s p p certification course with Sai Buri
third party remediation efforts. My name is Shalane Hutchins and on your instructor
today we're gonna talk about risk management activities,
risk treatment, identification,
corrective action plans
and compliance activities. Documentation.
When a primary entity conducts a risk assessment or audit,
it needs to determine the risk level. Associate it with any findings.
For example, if physical security safeguards are found to be lax at a third party vendors processing facility,
the primary entity may determine this to be a critical risk to the sensitive data.
When the security incident occurs that results in breach the primary entity in third party vendor must each contribute information that allows for an appropriate assessment of the risk level.
The third party vendor needs to ensure that it relates the facts surrounding what occurred as well as a residual risks that remain.
The primary entity must determine the harm to the impacted individuals to determine what appropriate notification must include, as well as the overall financial and reputational harm.
If the incident is believed to have been caused by an illegal activities such as hacking
the primary entity, and the third party must bring in law enforcement.
Each finding door during a third party vendor assessment should be assigned a risk rating, such as critical, high, medium or low.
The primary entity needs to establish requirements at each of those levels.
it may be that a critical finding needs to be resolved in 14 days.
The third party vendor needs to understand that primary entity stance on risk acceptance,
perhaps Onley at certain lower risk rating levels.
How risk acceptance be agreed upon and documented
if the primary entity is not comfortable that a proposed remediation will mitigate the identified, A risk and risk acceptance is not appropriate. But primary entity needs to have an escalation process in place to determine whether or not it makes sense to continue doing business with the vendor.
Follow up time creams could also buried by risk. Rainy.
The primary entity may weren't weekly status updates for critical risks,
but will only need to follow up quarterly on medium risk findings
when issues have been identified and assigned a risk level. It's important for in information Security representative
to meet with the internal business owner and the vendors representative to discuss the issues and help of inter planes to address them.
The corrective action plan should indicate what the vendor plans to implement, for example, new technology or enhanced policies and procedures, or additional training
and the time frame in which the activity will be carried out.
In those instances where the vendor determines it cannot correct an issue,
it will be the decision of the primary entity. Whether it can accept that risk arena.
The decision will need to be made about the impact to the primary entity and if it makes sense to continue doing business, what the no risk
depending on the type of risk. This situation, which should be somewhat rare, will need to be escalated to senior management for a decision.
That is where the security professional can provide valuable information about the risk and what it poses for the organization. This should be communicated in business language that can be understood by all parties involved in the decision making process.
As noted earlier, it is a responsibility of the primary entity to assess the risk associated with engaging in a relationship with vendor.
The role of the security professional is to serve as the subject matter expert for assessing security risks,
which in turn equips the business owner with information to make informed decisions.
if the security professional has invested in equipping the internal business owner with knowledge tracking compliance activities can be incorporated into whatever process the business owner is using to track other metrics associated with the vendor. For example, operational S. L. A's
the internal business owner, could periodically validate that the vendor has informed the primary entity of those individuals who have been terminated by the by the vendor.
It's a good practice for the internal business owner to embed ongoing compliance questions into the operational monitoring, reporting what the primary entity, senior management and the third party vendor.
Tracking of issues not only shows progress on individual risks, but it also provides a repository of information that could be used to keep senior management informed and monitor trends.
So in summary, we talked about risk management activities, risk treatment, identification,
corrective action plans and compliance activities. Documentation.
Stay tuned for the next video