Category: data analytics

  • What is Vendor Risk Management?

    Vendor risk management describes the combined processes of third-party vendor management and cybersecurity risk monitoring (Tunggal, 2023).

    Third-party vendors include cloud solution providers, information technology companies, and other providers of outsourced services. A healthy relationship between a company and a vendor requires high-level assessments of the vendor's security controls as part of relationship management. A vendor risk management plan is a service level agreement that details the arrangement between the company and the vendor and how they plan to maintain compliance and ensure vendor performance over time. Risk scoring methods and algorithms generate quantifiable data that helps organizations conduct better risk management practices across their many third-party vendors.

    A company that outsources any function or otherwise obtains a product or service should understand and document the risks involved with its third-party vendors and have an organization-wide plan to minimize the specific risks associated with each third-party vendor it works with. Currently, it is not uncommon for an organization's operations to rely on the products and services of over 1000 third-party vendors. The security risks involved with third-party relationships must be managed throughout the entire lifecycle of each relationship so that the attack surface and the risk to the organization are minimized.

    Third-party and Fourth-party Vendors

    While a third-party vendor is any outside provider of a product or service to the organization, a fourth-party vendor is a supplier of a third-party vendor, which can indirectly affect the organization through that third party (Chipeta, 2023). Fourth-party risk aims to measure the risk that is inherited through the supply chain. To an information security team, third-party and fourth-party vendors pose equal levels of threat, and both contribute to the same overall attack surface, which must be integrated into the vendor risk management plan. The existence of fourth-party vendors makes it important for each organization to have its own vendor risk management program. It is also important for organizations to gain as much information about their vendors and supply chain as possible, so that in the case of a security incident they receive relevant information in a timely fashion that might warrant a response or change within the organization. If a fourth-party vendor is the victim of a data breach, the security of the third-party vendor cannot be assumed to protect the organization from harm. Regardless of where the breach occurred, the organization is responsible for its complete attack surface, which includes all third-party and fourth-party vendors. Fourth-party vendors can be challenging to obtain information about, and their presence might even be unknown to the organization.

    Vendor Security-focused Assessments

    Most of the cybersecurity breaches that are reported are caused through one of the many third-party vendors that provide products or services to the organization (Evans, 2019). Because only 40% of current applications are hosted on-site, most involve a third-party service vendor such as a cloud service provider. It is important that an organization's data is accessible only to approved vendors and only while they require access to complete their tasks. Communication and transparency should be exercised and maintained between an organization and its third-party vendors throughout the life of their agreements; the documentation and information surrounding these relationships and agreements are part of the focus of vendor security-focused assessments. Other common areas of focus in vendor security-focused assessments are applicable governmental regulations, geographical data restrictions, privacy policies, encryption, offboarding security procedures, and disaster recovery planning.

    Industry Standard Questionnaires

    There are several industry standard questionnaires that companies can use in tandem with a vendor risk program to benefit the security posture of their organization, offered by providers such as Panorays (Goldman, 2023). Along with vendor attack surface assessment, vendor risk assessments, and continuous monitoring, industry standard questionnaires compose the four key steps that Panorays recommends for a comprehensive third-party risk management process.

    Another example of an industry standard questionnaire service is UpGuard; its software service offerings include continuous attack surface monitoring and protection from third-party data leaks in addition to its questionnaires (Tunggal, 2023).

    Opinion: How to Ensure Vendors Meet Security Requirements

    In my opinion, the best way to ensure that vendors meet an organization's security requirements is to adhere to an industry-standard framework and set of standards as an organization and to work with third-party vendors that also use standard frameworks and standards. Companies do not have to make scrambling attempts at meeting security requirements, because frameworks created by the hard work of standards organizations will provide organizational structure and a set of procedures that can ensure compliance when completed properly. Secondly, I think that, to a lesser extent, accountability through transparent and logged communication, including industry standard questionnaires, can help quantify the levels of risk involved with third-party vendors. Certifications can attest to security compatibility in organization-vendor relationships.

    References

    Chipeta, C. (2023). What is Fourth-Party Risk? UpGuard. https://www.upguard.com/blog/what-is-fourth-party-risk

    Evans, A. (2019). Managing Cyber Risk. Taylor & Francis. https://online.vitalsource.com/books/9780429614262

    Goldman, D. (2023). How Vendor Risk Management Reduces Third-Party Risk. Panorays. https://panorays.com/blog/what-is-vendor-risk-management/

    Tunggal, A. T. (2023). What is Vendor Risk Management (VRM)? 2023 Edition. UpGuard. https://www.upguard.com/blog/vendor-risk-management

  • What is Cyber Risk?

    Cyber risk is the exposure to the possibility of incurring a loss of any kind through an information technology infrastructure.

    Losses can include financial resources, operational capabilities, or various fees and lawsuits, for example after sensitive customer data is affected. Cyber risk can be measured quantitatively by using traditional risk analysis with the added consideration of cyber threats. Cyber security operates at all four of the reputational, operational, legal, and financial levels of a business, and all of these levels must be considered in a cyber risk analysis process.

    Image caption: Social engineering taking place over the phone.

    One common real-world cyber risk is social engineering, which exploits a company's weakest vulnerability: its people. Social engineering is best combated through employee training programs that create awareness of the dangers of social engineering and teach employees how to recognize the signs of an attack.

    Another real-world cyber risk is poor cyber hygiene, which describes the unhealthy habits that some users practice when interacting with information technology. Passwords are an area of cyber security where many users practice bad habits, such as writing passwords down on sticky notes. One of the best ways to improve cyber hygiene is to create awareness of these issues through training and possibly reminders.

    The difference between quantitative and qualitative measurement in cyber risk lies in the type of result that the analysis generates. Qualitative analysis uses reasoned judgment to evaluate specific scenarios, their potential for vulnerability, and possible solutions. Quantitative analysis assigns numeric values to the components of the risk analysis model so that they can be compared mathematically.

    Image caption: Showcasing different types of risk analysis as they apply to cyber risk.

    Inherent cyber risk is the amount of risk that exists without security controls in place. It is quantified by calculating the cost of business interruption, data exfiltration, regulatory fees, insurance needs, and similar losses.

    Residual cyber risk is the amount of risk that remains with cyber security controls in place. Residual risk accounts for the effectiveness of those controls, assessed against known vulnerabilities, security assessments, research, and security tools.
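    As an added worked example (not code from the page or any cited source), here is a small quantitative scoring model in the terms of this post and of the vendor risk management post above: inherent and residual risk per vendor, fourth-party risk inherited through the supply chain, and a mapping back to a qualitative band. It assumes inherent risk is expected annual loss (incidents per year times summed loss per incident), residual risk scales that by one minus control effectiveness, and supplier risk passes through at a constant factor; the Vendor class, the band thresholds and all dollar figures are constructed for the example.

```python
# Added example, not from the page or its sources. Assumptions: inherent risk is
# modelled as expected annual loss (incidents/year x summed loss per incident);
# residual risk scales it by (1 - control effectiveness); a fourth party's
# residual risk reaches the organisation through its third party attenuated by a
# constant pass-through factor. All vendor figures are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Vendor:
    name: str
    loss_per_incident: dict          # page's cost categories, USD per incident
    incidents_per_year: float        # expected incidents with no controls
    control_effectiveness: float     # 0.0 (no controls) .. 1.0 (perfect)
    suppliers: list = field(default_factory=list)  # this vendor's own vendors

def inherent_risk(v: Vendor) -> float:
    """Expected annual loss with no security controls in place."""
    return v.incidents_per_year * sum(v.loss_per_incident.values())

def residual_risk(v: Vendor) -> float:
    """Expected annual loss remaining once controls are applied."""
    if not 0.0 <= v.control_effectiveness <= 1.0:
        raise ValueError(f"{v.name}: control effectiveness must be in [0, 1]")
    return inherent_risk(v) * (1.0 - v.control_effectiveness)

def supply_chain_risk(v: Vendor, pass_through: float = 0.5) -> float:
    """Residual risk of v plus risk inherited from its suppliers (fourth
    parties, and their suppliers in turn), attenuated at each level."""
    inherited = sum(supply_chain_risk(s, pass_through) for s in v.suppliers)
    return residual_risk(v) + pass_through * inherited

def qualitative_rating(annual_loss: float) -> str:
    """Quantitative score -> qualitative band (constructed thresholds)."""
    if annual_loss >= 250_000:
        return "High"
    return "Medium" if annual_loss >= 50_000 else "Low"

# Constructed sample: a cloud provider (third party) that depends on a
# data-centre operator (fourth party) the organisation never contracted with.
DATA_CENTRE = Vendor("dc-operator", {"business_interruption": 400_000}, 0.5, 0.6)
CLOUD = Vendor("cloud-provider",
               {"business_interruption": 100_000, "data_exfiltration": 300_000,
                "regulatory_fees": 200_000},
               incidents_per_year=0.2, control_effectiveness=0.75,
               suppliers=[DATA_CENTRE])

if __name__ == "__main__":
    for score in (inherent_risk, residual_risk, supply_chain_risk):
        usd = score(CLOUD)
        print(f"{score.__name__:18s} {usd:>10,.0f} USD/yr  {qualitative_rating(usd)}")
```

    On the sample data the third party alone rates Low after its controls, but once the fourth party's residual risk is inherited the same relationship rates Medium, which is the point the vendor risk management post makes about breaches at fourth parties.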

    Cybersecurity frameworks can outline the effectiveness of tools through a set of tests that determine how well the tools are positioned to positively affect the overall security posture.

    Examples of cyber security risk management frameworks in use today include the NIST framework and the ISO 27001 framework.

    The NIST framework combines all the management activities required for acceptability under regulations, laws, and policies with proper security and privacy practices, and integrates them into the organization's development life cycle. The NIST framework is developed by the Joint Task Force (JTF) and can be applied to any organization type or technology type, including organizations with legacy systems.

    References

    Evans, A. (2019). Managing Cyber Risk. Taylor & Francis. https://online.vitalsource.com/books/9780429614262