I spoke yesterday at the Vanguard Security Conference (http://www.go2vanguard.com). Vanguard has been doing this conference for a number of years. The focus is on mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have, back in the mid-90's. Well, perhaps I shouldn't be so happy; it was over a decade ago.
The point being that there are so many areas of security out there that most of us will never touch, yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.
My topic was on the Supplier Risk Management process. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target supplier security. We have to go way beyond a SAS 70 if we want real security over the hundreds or thousands of vendors that a large company may work with.
The Problem:
- No framework for managing vendor risk
- Inconsistent processes for tracking vendors
- Lack of enforcement capabilities
The Opportunity:
- Provide practical steps to manage vendor access/management
- Provide cost effective solution for risk mitigation
- Provide numerical risk analysis of vendor/partner security issues
- Risk reduction or risk acceptance
- Documented exposure
- Iterative process for risk management
- Happy CIO
So a Supplier Security assessment follows 4 main steps:
- Analyze the current vendor database and categorize each vendor
- Determine the risk of each supplier and the threats posed by each supplier
- Perform assessment tests of each supplier, their processes of interaction, and their data access
- Develop a risk mitigation plan, update processes, and put monitoring processes in place
Gary Bahadur
http://twitter.com/kraasecurity