VIDEO
HIGHLIGHT
Log InSign up
Third-party Risk Assessment - CompTIA Security+ SY0-701 - 5.3
SummaryTranscriptChat

Third-party Risk Assessment - CompTIA Security+ SY0-701 - 5.3

Understanding Vendor Relationships and Risk Management

Importance of Vendor Relationships

  • Every organization collaborates with vendors, which can include payroll services, email marketing providers, or suppliers of raw materials.
  • Sharing data with third parties is common; however, the sensitivity of this data varies. For instance, payroll companies handle critical company information.

Conducting Risk Assessments

  • Performing a risk analysis on third-party vendors is essential to understand how they protect shared data.
  • Including risk assessment requirements in contracts ensures clarity on expectations and penalties for breaches.

Penetration Testing as a Risk Assessment Tool

  • Penetration testing actively seeks to exploit vulnerabilities in systems and applications, often mandated by internal policies or vendor contracts.
  • The process typically involves creating reports with a specialized third-party penetration testing company to evaluate security measures.

Rules of Engagement in Testing

  • Most penetration tests include "rules of engagement," outlining the scope and parameters such as test locations (on-site vs. remote).
  • These rules specify timing for tests and emergency contacts for incidents during testing.

Data Sharing and Security Audits

  • Organizations frequently share sensitive data with vendors; thus, regular audits are crucial to ensure ongoing security compliance.
  • Contracts should include clauses like "right to audit" to establish mutual understanding regarding audit frequency and procedures.

The Role of Third Parties in Auditing

Importance of External Audits

  • Often, external parties conduct audits rather than the organizations themselves to maintain objectivity.
  • Regular audits help identify areas for improvement in security controls related to vendor relationships.

Focus Areas During Audits

  • Key aspects evaluated during audits may include access management processes, password security practices, and VPN access controls.

Supply Chain Security Considerations

Overview of Supply Chain Security Risks

  • The supply chain encompasses all steps from raw material acquisition to final product delivery.

Understanding Supply Chain Security

Analyzing the Supply Chain Process

  • Understanding the entire supply chain process is crucial for identifying security concerns. This involves tracing how products or services move from vendors to customers.
  • Evaluating communication between organizations can reveal areas for improvement, particularly regarding technical security measures between teams and third-party vendors.

Real-World Example of Security Breach

  • A significant security incident occurred with SolarWinds between March and June 2020, where a software update introduced malware into customer networks.
  • The malware was deployed under a valid digital signature, affecting an estimated 18,000 out of 300,000 customers globally. This incident has prompted many organizations to reassess their supply chain analysis processes.

Importance of External Assessments

  • Organizations often have a narrow focus on internal processes; thus, bringing in external experts can provide valuable insights that may not be visible from within.
  • Knowledgeable third parties can offer broader perspectives on security issues across various organizations, enhancing overall security posture.

Due Diligence Before Partnerships

  • Conducting due diligence is essential before engaging with third-party vendors. This includes verifying claims about financial health and customer base through background checks and interviews.
  • Conflicts of interest must be identified early; examples include shared business relationships with competitors or personal connections to executives.

Ongoing Monitoring Post-Contract Signing

  • After signing contracts with third parties, continuous monitoring is necessary to ensure IT security remains robust throughout the partnership.
  • Regular assessments should include financial health checks and reviews of any news related to the vendor's operations.

Vendor Monitoring Strategies

  • Both quantitative and qualitative methods should be employed for effective vendor monitoring. Designated individuals or teams within the organization are typically responsible for these relationships.
Playlists: Page 5
Video description

Security+ Training Course Index: https://professormesser.link/701videos Professor Messer’s Course Notes: https://professormesser.link/701notes - - - - - It's often necessary to work with third-parties to mitigate risk. In this video, you'll learn about right-to-audit clauses, supply chain analysis, vendor monitoring, and more. - - - - Subscribe to get the latest videos: https://professormesser.link/yt Calendar of live events: https://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: https://www.professormesser.com/ Twitter: https://www.professormesser.com/twitter Facebook: https://www.professormesser.com/facebook Instagram: https://www.professormesser.com/instagram LinkedIn: https://www.professormesser.com/linkedin