The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

1. No framework for managing vendor risk
2. Inconsistent processes for tracking vendors
3. Lack of enforcement capabilities

The Opportunity:

1. Provide practical steps to manage vendor access/management
2. Provide cost effective solution for risk mitigation
3. Provide numerical risk analysis of vendor/partner security issues
4. Risk reduction or risk acceptance
5. Documented exposure
6. Iterative process for risk management
7. Happy CIO

So a Supplier Security assessment follow 4 main steps:

1. Analyze current vendor database, catageorize each
2. determine risk of each supplier, determine threats posed by each supplier
3. Perform assessment tests of each supplier, their processes of interaction, and data access
4. develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test