Saturday, June 6, 2009

Vanguard Security Conference - Supplier Security

I spoke at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90’s. We perhaps I shouldnt be do happy, it was over a decade ago.

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

-No framework for managing vendor risk
-Inconsistent processes for tracking vendors
-Lack of enforcement capabilitiesThe Problem:

The Opportunity:

-Provide practical steps to manage vendor access/management
-Provide cost effective solution for risk mitigation
-Provide numerical risk analysis of vendor/partner security issues
-Risk reduction or risk acceptance
-Documented exposure
-Iterative process for risk management
-Happy CIO

So a Supplier Security assessment follow 4 main steps:

1 Analyze current vendor database, catageorize each determine risk of each supplier,

2 Determine threats posed by each supplier
3 Perform assessment tests of each supplier, their processes of interaction, and data access
4 Develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

No comments:

Post a Comment