CSIAC

Cyber Security and Information Systems Information Analysis Center

  • Resources
    • Find Resources by Topic Tags
    • Cybersecurity Policy Chart
    • CSIAC Reports
    • Webinars
    • Podcasts
    • Cybersecurity Digest
    • Standards & Reference Docs
    • Journals
    • Certifications
    • Acronym DB
    • Cybersecurity Websites
  • Services
    • Free Technical Inquiry
    • Core Analysis Task (CAT) Program
    • Subject Matter Expert (SME) Network
    • Training
    • Contact
  • Community
    • Upcoming Events
    • Cybersecurity
    • Modeling & Simulation
    • Knowledge Management
    • Software Engineering
  • About
    • About the CSIAC
    • The CSIAC Team
    • Subject Matter Expert (SME) Support
    • DTIC’s IAC Program
    • DTIC’s R&E Gateway
    • DTIC STI Program
    • FAQs
  • Cybersecurity
  • Modeling & Simulation
  • Knowledge Management
  • Software Engineering

Cybersecurity

Group logo of Cybersecurity
Public Group active 1 hour, 9 minutes ago

Enhance cybersecurity awareness and survivability for DoD, industry partners, and academia in the face of the ever-increasing threat of cyber attacks. Cybersecurity (CS) includes managing risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes, including analog and physical form. CS includes information availability, identification and authentication, confidentiality, integrity, and non-repudiation as well as the economic considerations with respect to selection of CS techniques, CS processes, and industry trends.


How far should we drill down when assessing third-party suppliers?

  • This topic has 4 replies, 1 voice, and was last updated 1 year, 2 months ago by Mimy.
  • 2019-12-09 at 21:03 #62974
    Hugh2
    Participant

    In a world where industries are more and more integrated, and in a landscape where SaaS, IaaS and PaaS are becoming the norm, how deep should a company go to protect its assets and the PII of its customers?
    When it comes to risk-based third-party management, should we limit ourselves to the first-level vendor for our due diligence, or should we try to dig deeper and get info on the subcontractors of the third-party vendor we have a contract with?
    Thoughts on the subject?

    • 2019-12-10 at 01:53 #62977
      Rvnth
      Participant

      Basically, I think compliance is very important, and every collaboration and contract must always depend on the different aspects related to the compliance of the business in general. For example, we can see legal and regulatory compliance at the basic level, or even ethics. Regarding security, in a landscape where SaaS, IaaS and PaaS become the norm, it is very important to first know the different security standards and procedures that providers rely on to ensure data and information security (like personally identifiable information). It is important to remember that beyond cybercriminals and insiders, the various threats could come from even external providers, and that cybercriminal organizations and nation-states could prepare their attack from afar and for a long time; a supplier can be reliable, but collaborate with less reliable subcontractors. It is therefore very important for the IT Security Department (or Service) to have a compliance manual that suppliers must follow to be chosen as a supplier.

    • 2019-12-10 at 09:15 #62982
      BP123Har
      Participant

      In my opinion, third-party risk programs should be designed to assess the risk of any third party that meets your company’s thresholds. In other words, dig into third, fourth and further parties as long as there is a risk you are attempting to log, track and ensure coverage of. I would profile a particular third party by putting them through a risk assessment. To the extent they are providing services that you consider high risk (example: servicing your customers), you should assess and apply the appropriate controls. Part of the assessment will be looking into their IT and cyber controls. If they use a vendor to provide cyber-related protection, you will want to either have your vendor assess (you will monitor and review results) or get approval to do it yourself. I would follow the risk until you’re satisfied.

    • 2019-12-10 at 14:29 #63000
      Thomas7219
      Participant

      Very interesting question, as I am not aware so far of any organization that is not depending on any third parties to do their business or provide their services.
      I think that a good way to execute due diligence over a third-party supplier is to run evaluations, and identify to what extent it complies with the sector’s best practices such as those of the National Institute of Standards and Technology or the supplier evaluation from the ISO 9001:2015 Standard requirements.
      Then the level of drill-down will be driven by sensitive data exposure, business-continuity risk exposure and probably the level of trust and confidence in the audited supplier.
      This assessment should be run through a continuous improvement process provided in a timely manner.

    • 2019-12-11 at 09:33 #63001
      Mimy
      Participant

      Third-party assessment is one of the main issues in the industry today. This assessment should be done every day, as more than 60% of hacks are initiated by hackers via third parties.
      Everyone that wants to do this properly should not rely just on questionnaires but use platforms like SecurityScorecard: https://securityscorecard.com/
      The platform instantly identifies vulnerabilities, active exploits, and advanced cyber threats to help you rigorously protect your business and strengthen your security posture – from an outside-in perspective, enabling you to see what a hacker sees.
