|
This Month's Focus:
Third Party Software Security
|
Accessing a Third Party's Software Security
|
|
During the Shared Assessments July Member Forum call, Shared Assessments Vice Chair, Jonathan Dambrot, CEO and Co-Founder, Prevalent Networks; and, Mike Falk, Vice President Vendor Relations, The Clearing House Payments Company, provided an in-depth look into the process used by the Shared Assessments Program to develop new risk areas to be covered by the Shared Assessments Program Tools. In doing so, they also provided an overview of the importance of assessing the security of the environment used by your vendors to develop and maintain software. This month's feature article discusses how Shared Assessments approached the need to address the growing issue of assessing a third party's software security.
Click here to read the feature article.
|
Key Findings*
- 91% increase in targeted attack campaigns in 2013
- 62% increase in the number of breaches in 2013
- Over 552M identities were exposed via breaches in 2013
- 23 zero-day vulnerabilities discovered
- 38% of mobile users have experienced mobile cybercrime in past 12 months
- Spam volume dropped to 66% of all email traffic
- 1 in 392 emails contain a phishing attacks
- Web-based attacks are up 23%
- 1 in 8 legitimate websites have a critical vulnerability
|
SHARED ASSESSMENTS PROGRAM
& MEMBER SPOTLIGHT
|
Hear from Shared Assessments Members at these upcoming events:
|
|
Shared Assessments Steering Committee Member, Rocco Grillo, Managing Director, Protiviti:
MIS Audit Leadership Institute - August 18-22, 2014
PCI Community Meeting - September 9-11, 2014
|
Members Only
To promote your upcoming speaking events here, please send details to Kelly Wagner, Project Manager, The Santa Fe Group.
|
ASK THE EXPERTS
Commonly asked questions asked and answeredQuestion:I have created a SIG specifically for third party vendors who provide my company with data center services. However, even after vendor consolidation efforts I still have over 20 vendors who receive this specific SIG. Being able to use one questionnaire for 20+ vendors is a definite plus, but the manual effort to evaluate all of the response is very time consuming. This situation is repeated with other SIG responses. Is there any way I can automate this effort? Answer:Absolutely. The SIG Management Tool (SMT) along with certain SIG functionality was specifically designed to address this issue. Whenever a SIG has been scoped for a specific set of third party services it is always advisable to create a Master SIG. This is done by navigating to the "Formula Notes" tab of the SIG and selecting "Master" in the drop down box. Doing this converts the SIG into a Master SIG. The purpose of a Master SIG is to use it as a template for assessing SIG responses. Once you have created the Master SIG by clicking the drop down selection, you complete the process by answering all of the SIG questions relevant to the type of services provided in the manner you want them answered based on the services provided and the level of security you require for those services. This gives you a completed Master SIG which contains answers to the questions to evaluate the responses received by your vendors. Here's where the SMT becomes so valuable. By using the "Compare" function in the SMT you are able to automatically compare all of the answers in the SIG received from a vendor to the "correct" answers you have already defined in the Master SIG. By using the SMT to perform this comparison a report will be generated by the SMT showing every instance where your answer and the answer provided by your vendor differ. There are additional ways to filter and create comparison reports, but they go beyond the scope of this column. However, a full detailed description of how to use the SMT to conduct automated comparisons of SIG responses to Master SIG's is detailed in the SIG Issuers Guide provided with every SIG. In addition to explaining the comparison functionality of the SMT, the SIG Issuers Guide includes many other useful tips on how to use the SMT and scope the SIG. If you're not already familiar with the SMT, I strongly suggest that you review the SIG Issuers Guide.
|
|
|
During discussions in 2013 to determine the next risk areas that should be addressed by the Shared Assessments Program Tools, the focus rapidly turned to software security. As we polled our members we found that many of them were concerned with the security of the software being provided by their vendors, and more importantly what could they do to determine if the software was developed and maintained in a secure environment.
...Read more
|
Interested in Becoming a Shared Assessments Member?
Contact Julie Lebo, VP Member Relations, at (703) 533-7256 or by Email
Shared Assessments would like to welcome our newest Members and Partners: |
|
Federal Reserve Guidance on Managing Outsourcing Risk
| |
|
|
NIST: Framework for Improving Critical Infrastructure Cybersecurity
| |
|
|
Future Topic Suggestions
| |
Do you have a topic you'd like to see covered in an upcoming newsletter or presented on a future monthly Member Forum call?
Send your ideas to Kelly Wagner, Project Manager for Shared Assessments.
|
|
Guest Bloggers
|
Interested in serving as a guest blogger on the Shared Assessments Authorities on Risk Assurance blog? Contact Kelly Wagner, Project Manager for Shared Assessments.
|
|
 |
|
