I spoke at the Vanguard Security Conference (http://www.go2vanguard.com). Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have, back in the mid-90's. Well, perhaps I shouldn't be so happy; it was over a decade ago.
The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.
My topic was on Supplier Risk Management processes. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.
The Problem:
- No framework for managing vendor risk
- Inconsistent processes for tracking vendors
- Lack of enforcement capabilities
- Provide practical steps to manage vendor access/management
- Provide a cost-effective solution for risk mitigation
- Provide numerical risk analysis of vendor/partner security issues
- Risk reduction or risk acceptance
- Iterative process for risk management
So a Supplier Security assessment follows 4 main steps:
1. Analyze the current vendor database, categorize each supplier, and determine the risk of each
2. Determine the threats posed by each supplier
3. Perform assessment tests of each supplier, their processes of interaction, and their data access
4. Develop a risk mitigation plan, update processes, and establish monitoring processes