Sixth Deadly Sin: Trusting, but not verifying

Posted by RiskRecon on Oct 30, 2018 3:43:03 PM

 

We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management,” here’s the sixth deadly sin, which is trusting but not verifying.

Read More

Topics: Vendor Security, Security Ratings, Vendor Risk Management

Fifth Deadly Sin: Not knowing your vendors

Posted by RiskRecon on Oct 24, 2018 4:13:07 PM

 

We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management;” here’s the fifth deadly sin, which is not knowing your vendors.

Read More

Topics: Vendor Security, Security Ratings, Vendor Risk Management

Fourth Deadly Sin: Failure to address information security in third-party contracts

Posted by RiskRecon on Oct 22, 2018 7:00:00 AM

 

We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management;” here’s the fourth deadly sin, which is the failure to address information security in third-party contracts.

Read More

Topics: Security Ratings, Vendor Security, Vendor Risk Management

RiskRecon Announces the Invention of Ground-Breaking Asset Risk Valuation Algorithms, Transforming How Enterprises Manage Third-Party Cyber Risk

Posted by RiskRecon on Oct 15, 2018 8:01:00 AM

 

Today RiskRecon announced its ground-breaking asset valuation algorithms that automatically determine the inherent risk value of any Internet-facing system. These new algorithms solve the cyber risk equation by automatically determining the risk value of computer systems, enabling precise cyber risk assessment and action

Read More

Topics: Security Ratings, Vendor Risk Management, Continuous Monitoring

Security Vulnerabilities Don’t Equal Security Risk – So How Do You Prioritize?

Posted by Kelly White on May 31, 2018 1:53:50 PM

 

By Kelly White | May 31, 2018 

While security vulnerabilities are found in many technologies, their presence doesn’t necessarily equal risk. Borrowing the FAIR Institute’s definition, risk is the probable frequency and magnitude of loss. Knowing what security vulnerabilities are present in your infrastructure can help you understand the probable frequency, but it offers no indication of loss magnitude. Rather, solving risk requires two foundational data points: what security vulnerabilities your technology has, and the value of the assets in which those vulnerabilities exist. Without that context, a given vulnerability is the same as any other.

Read More

Topics: Third Party Risk, Vendor Security, Security Ratings, Vendor Risk Management, Scalability

Why Third-Party Security Risk Matters

Posted by RiskRecon on Mar 8, 2018 3:10:08 PM

Big Impact
Enterprises entrust the protection of their crown jewels—their customer data, their reputation, their finances, and their business availability—with third parties. Are they trustworthy? Why? Why not? What should be done about it? These questions are yours to answer and execute on. A breach of your third-party is a breach of your enterprise.

Big Challenges
Third-party risk management is hard. It requires deep transparency, strong accountability, and effective collaboration. Third-party risk has to achieve this position with hundreds and even thousands of organizations while being an outsider to every organization. Additionally, third-party risk has to solve this with limited personnel and resources. This need—to achieve really good risk outcomes from the outside with limited resources —will result in dramatic risk management innovation, key of which will be development of machine learning and artificial intelligence-based risk assessment capabilities. These inventions will occur within the context of third-party risk management and be adopted by enterprises for internal risk management. Necessity is the mother of invention, and the necessity is pressing in a big way.

The Greater Good
Third-party risk management is a process of holding enterprises accountable to good security practices. As you improve the security of your third parties you improve the security of the Internet. It decreases the likelihood of data being breached. It decreases the likelihood of systems being turned into DDOS drones or malware servers. It increases the likelihood that systems are going to be consistently available to fulfill their intended purposes. The work of third-party risk management is work for the greater good.

Read More

Topics: Continuous Monitoring, 3rd party risk management, Security Ratings, Vendor Security, 3PRM, Third Party Risk

Managing Third-Party Meltdown & Spectre Risk Exposure Strategic Recommendations Beyond Patching

Posted by RiskRecon on Jan 17, 2018 6:49:26 PM

Summary

The Meltdown and Spectre vulnerabilities represent an entirely new class of security flaws that are deeply rooted in long-standing CPU architecture. As such, Meltdown and Spectre are likely the first of many issues that will have to be dealt with quickly as research in CPU security flaws intensifies. Tactically, it is important that you ensure your third-parties implement the necessary patches. Strategically, it is essential that you reassess your standards governing third-party use of cloud-hosting providers and implement measures to bring your third-parties into compliance with the updated standards. 

In this document, we provide a brief explanation of the Meltdown and Spectre vulnerabilities and why they are so impactful, particularly to cloud computing. We also suggest a tactical plan for addressing the issue with your third-parties, and recommend strategic considerations for your larger third-party risk-governance program.

 

Read More

Topics: Continuous Monitoring, 3rd party risk management, Security Ratings, Vendor Security, 3PRM, Third Party Risk

Principles for Fair and Accurate Security Ratings

Posted by RiskRecon on Jun 20, 2017 12:01:00 PM

The U.S. Chamber of Commerce just issued “Principles for Fair and Accurate Security Ratings.”  These ratings are the first-of-its-kind guidelines for an emerging class of solutions that provide objective assessments of third-party security practices. These solutions complement traditional third-party risk management data gathering processes of vendor security questionnaires, attestation document reviews, and on-site assessments.

Read More

Topics: Continuous Monitoring, 3rd party risk management, Security Ratings, Vendor Security, 3PRM, Third Party Risk