Cybersecurity and Third-Party Risk. Gregory C. Rasner

Cybersecurity and Third-Party Risk - Gregory C. Rasner


Скачать книгу
audit trail must record and respond to security incidents and be maintained for five years.

      3 Limits on data retention must be set in place to ensure that data is disposed of properly when no longer needed.

      4 Access Privileges must be implemented and limited to protected data, and access records must be periodically reviewed.

      5 An Incident Response plan must be published to ensure that cybersecurity events are clearly communicated, roles and responsibilities are clear, and remediation takes place.

      6 Notices to the superintendent (the superintendent is the organization that oversees the regulation) must be provided within 72 hours after a “material” cybersecurity event is detected.

      NYDFS is similar to the General Data Protection Regulation (GDPR) and the California Privacy Protection, which have outsized power due to their economic size. Much of the world's finance flows through New York, and so many world finance companies are subjected to this framework. More importantly for this book, the NYDFS has a part that requires covered entities (i.e., those subject to the regulation) to perform due diligence on their third parties at regular intervals.

      The Federal Information Systems Management Act (FISMA) is a framework for federal agencies. This standard defines a set of security requirements that the agencies use to improve their cybersecurity. The benchmark requires that third parties to an agency conform to their information security requirements. It contains nine steps for securing government data, operations, and assets:

      1 Defining the information categories for security levels

      2 Understanding the minimum security controls for protecting data

      3 Refining controls through risk assessments

      4 Documenting controls and developing security plans

      5 Implementing the required security controls

      6 Evaluating the effectiveness of implemented controls

      7 Establishing security risks for federal resources and data

      8 Authorizing the use of secure information systems

      9 Continuously monitoring the implemented controls

      Several other frameworks are worth describing in high‐level detail. The Australian Signals Directorate (ASD) Essential 8 contains controls and strategies that are a part of the ASD Strategies to Mitigate Cyber Security Incidents. Based upon experience of the Australian government, these controls are considered by them to be the cybersecurity baseline in that country. If implemented correctly, the country reports it can mitigate up to 85 percent of most common cyberattacks.

      The Control Objectives for Information and Related Technology (COBIT) framework is a high‐level framework for identifying and mitigating risk. COBIT is primarily used in the finance space to adhere to Sarbanes‐Oxley (SOX). SOX is also known as the Public Company Accounting Reform and Investor Protection Act. Developed by information technology (IT) governance professionals to lower risk, it has evolved to align to business goals.

      The Ten Steps to Cybersecurity framework is an initiative of the United Kingdom's Department of Business to provide senior leaders with a cybersecurity overview. This framework acknowledges the urgency of giving executives knowledge about information security issues and risks that impact businesses, along with controls to mitigate them. It provides in business English (i.e., non‐technical, non‐jargon) an explanation in wider terms of the numerous cybersecurity risks, defenses, mitigations, and resolutions.

      These cybersecurity frameworks are important in third‐party risk due diligence work. When engaging with vendors about security due diligence, one of the first questions to ask is what cybersecurity framework they adhere to. Their answer will provide valuable information about how their organization performs its own security activities. Many of the frameworks or standards have similar themes and controls because cybersecurity does not vary industry to industry. However, what is often different is its focus or scope. Understanding which industry a vendor is in or the one you are subject to, can establish which framework is best used or a required fit.

      Internal Security Standards versus External Security Standards

      We delve into the policies and legal documentation pertaining to cybersecurity and third‐party risk in later chapters. However, it is worth noting a problem often misunderstood: Why are standards or policies for vendors often more strict than internal corporate standards? Many complain that it doesn't seem fair or is a case of “do as I say, not as I do,” or worse, that it is being hypocritical.

      The answer is explained in this analogy: Say you have a hard drive in your house that contains sensitive data, which is likely a 100‐percent accurate statement as nearly every reader of this book surely has a home computer containing sensitive data. This sensitive data, such as electronic bank statements or downloaded documents, is known as PII. Do you specifically lock that up when you leave your home? Not likely; you likely lock your door and turn on your security alarm, which is secure enough.

      As you drop off your laptop at your neighbors' house, you ask where he plans on storing it. Surprised, because he had not thought about it, your neighbor casually replies, “Over there on that shelf.” This idea makes you uncomfortable for two reasons: First, he does not seem to appreciate how much you value this data. Second, storing it on an open shelf, where people you do not know can walk by and view it, leads me back to the problem with the strangers (i.e., the contractors) in your home. You then bribe him with a promise to bring him back a nice bottle of rum from your trip, in exchange for him storing it in his safe.

      In your own home, you did not encrypt the data (not recommending this, just making a point) or have the best access rights administration. In addition, your data never was locked up when it was in your home. When you decided to move the data outside of your area of control, not only did you increase the security on it, but you required your neighbor to place it in a safe. He probably thinks you are ungrateful and demanding, but the thought


Скачать книгу