Cybersecurity and Third-Party Risk - Gregory C. Rasner - Page 35
Author's Note: Applies to Any Size
While much of this book discusses firms large enough to have the size and complexity for cybersecurity teams and TPRM programs, there are ways to implement the recommendations even for one‐person firms. The book speaks often of a “risk‐based approach.” A risk‐based approach allows any firm to customize the program based upon its needs and size. Whether you are a large multinational or a small business serving your local area, this Cybersecurity Third‐Party Risk program can be tailored to reduce your organization's risk.
To illustrate that this is possible, consider an example of a small one‐person organization: a sole owner of a business. This type of business typically does not have cybersecurity or risk management expertise in‐house. A small‐business owner can first start by making an inventory of all their vendors who hold their customers' data or have a connection to their network (i.e., their computers). Once it's known where the company's data is located, the owner can ask some questions about how their vendors secure that data.
If the business has more than one vendor with customer data, sort them by risk, highest first. The highest risk can be based upon the number of records each vendor holds. Without cybersecurity expertise, the questions and answers can be intimidating; however, there are options. Search the internet for help and answers. Look for a local technology business that you, as a small‐business owner, can barter support with for the more technical questions. Another option is to ask the vendor for help explaining some of the more complex items.
When performing the due diligence activities as a smaller entity, the approach is similar: design it to meet the risk. A list of the vendors with your data, in risk order, allows you, the business owner, to engage and ask questions. Whether you perform just remote assessments (e.g., questionnaires sent to the vendor), on‐site assessments (e.g., physical validation at the vendor site), or both can be determined by your risk appetite. If one or more of your vendors has a lot (or all) of your customers' data, at a minimum ask very detailed questions at intake (when you're first deciding whether they are going to be a vendor). That is the time you have the most leverage. Once the contract is signed, you will lose much of your ability to effect any change.
Pick a cadence for reviewing their security: quarterly, yearly, bi‐annually? In risk order (i.e., high to low), send them a questionnaire about their security to confirm nothing has changed. Knowing you don't have the staff or expertise to review 100 questions, ask questions that elicit the answers you require. For example, rather than asking a technical question about encryption, ask it like this: “How is my customers' data protected?” You might get back some technical answers; however, as described earlier, there are ways to cut through the technical jargon by reaching out for help when needed.
The principles and actions suggested in this book should be applicable regardless of the size of your firm. Tailoring them to the needs of the company depends on its acceptable levels of risk and its priorities.