General Q & A
What are the top 3 insights Customers and Third Parties gain from reviewing risk assessments?
General Q & A
Which provides more valuable insights to both the Customer and Third Party- inherent risk or residual risk?
Gary Phipps, Solutions Engineer to answer soon . . . . check this space!
1. Who are my vendors? Boards commonly will ask the question, "what percentage of our vendor master poses a high cyber risk." If you don't know who ALL of your vendors are, you can never answer this question with the level of accuracy the BOD is expecting.
2. Which vendors pose the most risk? You can't possibly (nor should you) assess every single vendor in your ecosystem.
Knowing which vendors are worth assessing and which vendors pose so little risk that you are willing to accept it is super important. Examiners want to know that you have a repeatable process for identifying who your vendors are and how you determine who to assess who to monitor.
3. How should I begin using the stable of assessment subscriptions I bought? For most companies, start with the highest risk industries (software, business support, IT Consulting, Internet Sevices, Employment Services, etc....) unless you have a specific need to address something tactical e.g. Panama Papers might scare you into wanting to assess all of your law firms first.
Let me know if you have any other questions. I'm always here.
Do you also evaluate risk from a vendor's method of authentication? For instance, if they are maintaining static databases and do business with European customers?
Thank you for the questions! Our assessment does include questions about the methods that third parties use for authentication (e.g. username and password, multi-factor authentication, etc.).
I'm not certain I understand the second part of your question so please let me know if I've missed the point.
Our assessment also asks third parties about the types of data that they process (e.g. PII, PHI, etc.) and how they protect that data within their environment (e.g. data tagging, data discovery, data encryption). We also include an entire section of controls and questions specifically related to GDPR.
I hope that is helpful!
Thanks Dave for your response. To clarify, how would you describe the risk a company has when they store customer credential databases? Today, most authentication methods require the host to store user identity information and then un-encrypt the password to match to the static database. The un-encryption process is the vulnerable moment hackers can pounce. With GDPR host organizations should not be un-encrypting and protecting credential static databases. It violates privacy, don't you think, never mind not being secure anymore?
Great points and great questions! You're focusing on a particularly challenging aspect of security, and to my knowledge there is no 100% effective solution. The first thing that comes to mind in the scenario you describe is that hashing passwords may be a partial solution. Of course, hashes are susceptible to rainbow attacks, so really what you want is a salted hash. I would consider username/password pairs to be "personal data" and therefore subject to GDPR regulations. Storing, processing, or transmitting personal data without the use of encryption would certainly be a no-no!
I'm happy to say that the CyberGRX assessment includes controls and questions that ask third parties how they protect stored credentials, including the use of standard encryption protocols (AES256), hashing algorithms (MD5 or SHA-2), and the use of salted hashes.
I hope this is helpful!