6 important steps to perform for vendor risk assessment - ISO 27001:2022 Implementation 

Luv Johar Free IT Training Videos
Views: 12K

Published: 29 Oct 2024

Comments: 61
@balajigis7262, 2 years ago
Thank you very much Luv bro
@LearnITSecuritywithLuvJohar
thanks for watching!
@satishr7288, 9 months ago
Hello Sir, got a clear picture on TPRM. Request: could you provide supplier controls information? That will be appreciated.
@LearnITSecuritywithLuvJohar, 9 months ago
Certainly! Third-Party Risk Management (TPRM) involves assessing and managing the risks associated with third-party suppliers, vendors, and service providers. Supplier controls play a crucial role in ensuring that these third parties meet the security and compliance standards required by your organization. Here are some key supplier controls to consider:

Vendor Assessment and Due Diligence: Conduct thorough assessments and due diligence on potential vendors before onboarding them. Evaluate their financial stability, reputation, and overall business practices.
Contractual Agreements: Establish clear and comprehensive contractual agreements with vendors that outline security and compliance requirements. Define roles and responsibilities, data protection measures, and incident response procedures.
Security Policies and Procedures: Ensure that vendors have documented and implemented robust information security policies and procedures. Verify that these policies align with your organization's security standards.
Data Handling and Protection: Define how sensitive data will be handled by the vendor. Implement measures such as encryption, access controls, and data segregation to protect data integrity and confidentiality.
Access Controls: Enforce strong access controls to limit access to systems and data only to authorized personnel. Regularly review and update access permissions based on the principle of least privilege.
Incident Response and Reporting: Clearly define the vendor's responsibilities in the event of a security incident. Establish reporting mechanisms and timeframes for notifying your organization of any security incidents.
Security Audits and Assessments: Conduct regular security audits and assessments of the vendor's systems and processes. Ensure that the vendor provides evidence of compliance with security standards through third-party certifications or audit reports.
Business Continuity and Disaster Recovery: Confirm that the vendor has a robust business continuity and disaster recovery plan in place. Ensure that the plan aligns with your organization's requirements and includes regular testing.
Subcontractor Management: If the vendor engages subcontractors, ensure they adhere to the same security and compliance standards. Include clauses in contracts requiring vendors to inform you of any subcontractors involved.
Monitoring and Reporting: Implement ongoing monitoring of the vendor's performance and security posture. Establish reporting mechanisms to track and receive updates on the vendor's compliance with agreed-upon controls.
Regulatory Compliance: Ensure that the vendor complies with relevant regulatory requirements and industry standards applicable to your organization.

Remember that effective TPRM is an ongoing process, and regular reviews and updates to controls may be necessary to adapt to evolving risks and business needs. Regular communication and collaboration with vendors are essential components of successful TPRM programs.
@ahmedwinux, 4 years ago
Very informative session about vendor/third party/outsourcing partner risk assessment and conclusion as well... keep sharing such videos; there are people like me who will benefit the most from this information.
@djshivkant, 4 years ago
Nice explanation. What things do we need to onboard a vendor for implementation of any security application like SIEM/DLP from a third-party vendor?
@LearnITSecuritywithLuvJohar, 4 years ago
Good question. Here is the DLP vendor evaluation criteria. The first step in vendor evaluation is the most important. Security teams should conduct in-depth research on all vendors that they are considering in order to identify the best fit. In the end, your environment determines which of the four DLP variants (endpoint, network, discovery, or cloud DLP) you should deploy. Here are ten questions you should ask while doing your evaluation:
1 - Breadth of Offerings: Are network, endpoint, cloud, and discovery all offered from the potential vendor?
2 - Platform Support: Are Windows, Linux, and OS X all supported with feature parity?
3 - Deployment Options: Are on-premises or managed options offered?
4 - Internal and External Threats: Do you need to defend against one or both?
5 - Content vs. Context: How do you intend to perform data inspection and classification?
6 - Structured vs. Unstructured: What types of data are you most concerned with protecting?
7 - Policy Based vs. Event Based: How do you plan to see and enforce data movement?
8 - Technology Alliance Partners: What parts of your ecosystem do you wish to integrate with your DLP?
9 - Timeline: How quickly do you need to be operational?
Hope this helps you brother..
@LearnITSecuritywithLuvJohar, 4 years ago
But the approach that is outlined in this video should be applicable to all your vendors in general, irrespective of your deployment/project aspect.
@djshivkant, 4 years ago
Thank you, please also for SIEM implementer vendor.
@LearnITSecuritywithLuvJohar, 4 years ago
Checklist for SIEM Solution Evaluation
1. Log Collection: EPS (events per second) rate at which your IT infrastructure sends events should match with your SIEM tool. Should be able to collect logs from heterogeneous sources (Windows, Unix/Linux, Applications, Database, Network Devices, Firewalls, IPS, IDS). Capability of agent-less and agent-based log collection methods.
2. Real Time Event Correlations: Proactively dealing with threats based on log search, rules and alerts. Correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the networks.
3. Log Retention: Capability to easily retrieve and analyze log data. Should automatically archive all log data from systems, devices and applications to a centralized repository.
4. IT Compliance Reports: Out of box regulatory compliance of PCI DSS, ISO 27001, SOX, HIPAA etc.
5. User Activity Monitoring: Out of box user activity monitoring, privileged user monitoring, audit reporting. Know which user performed the action, what was the result of the action, and the source & destination address of the systems/devices used.
6. File Integrity Monitoring: Capability to monitor business critical files & folders. Capture details of when files were created, accessed, viewed, deleted, modified, renamed etc.
7. Log Forensics: Capability to track down an intruder or event activity using log search capability.
8. Dashboards: Capability to take timely actions & right decisions during network/system anomalies.
9. Global Threat Intelligence Feeds: Capability to get latest global threat intelligence feeds & carrier grade threat intelligence so as to proactively manage threats. Collaboration among organizations to enhance security. Precise solutions for compromised systems and networks.
10. Big Data Analytics: Capability to forecast threats using big data. Accurate analysis of structured as well as unstructured data. Constant intelligence gathering to strengthen security.
Hope you got it now bro :)
@manojbiswas4087, 2 years ago
Dear sir, could you give an example for supplier qualification and vendor qualification, and what are the differences between both? What type of document is required for supplier qualification, and what is the procedure for supplier qualification?
@oladapoakinlotan8037, 1 year ago
Also, what are the GRC tools used in assessing risk? I want you to mention them. Which is the best to work with?
@LearnITSecuritywithLuvJohar
There are several GRC (Governance, Risk, and Compliance) tools available in the market that can be used to assess risk, depending on the specific needs of the organization. Some of the popular GRC tools used for risk assessment include:
RSA Archer: A comprehensive GRC platform that enables organizations to assess, manage, and report on risks across the enterprise.
MetricStream: A cloud-based GRC platform that offers a wide range of solutions, including risk management, compliance management, and audit management.
SAP GRC: A suite of GRC solutions that includes risk management, compliance management, and fraud management.
ServiceNow GRC: A cloud-based GRC platform that offers solutions for risk management, compliance management, and policy management.
IBM OpenPages: A GRC platform that offers solutions for risk management, compliance management, and audit management.
LogicGate: A cloud-based GRC platform that offers solutions for risk management, compliance management, and policy management.
The best GRC tool to work with depends on the specific needs and requirements of the organization. It's important to evaluate the features, functionality, and cost of each tool, and to consider factors such as ease of use, scalability, and integration with other systems. It's also important to involve key stakeholders in the selection process to ensure that the tool meets the needs of the organization and can be effectively integrated into the overall risk management strategy.
@balaasathya, 2 years ago
Very useful video. Thank you Johar
@satishr7288, 2 years ago
Please provide the detailed video on vendor risk management.
@LearnITSecuritywithLuvJohar
t.me/+8lcSF0urtEJlOWI1 Please join my Telegram group if you have more questions.
@abhisheksawant2690, 3 years ago
Hello Luv, I want to understand the due diligence part in Information Security.
@manasranjanpatnaik9951, 2 years ago
Sir, I have got an opportunity to start my career in Cyber Security TPRM. Can you give some insights about this, in terms of career, learning etc.?
@LearnITSecuritywithLuvJohar, 2 years ago
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-W9J0CkqSPL4.html
@ashah6696, 2 years ago
Hi Luv, do you have a findings report on vendor assessment?
@LearnITSecuritywithLuvJohar
Sure, here is a sample findings report on a vendor assessment:

Executive Summary: The purpose of this vendor assessment was to evaluate the security practices and controls of XYZ Vendor, with whom our organization has a business relationship. The assessment included a review of the vendor's policies, procedures, and security controls, as well as an onsite visit to evaluate their physical security measures. Overall, the assessment revealed that XYZ Vendor has implemented a number of strong security controls, but there are also areas where improvements are needed. The following report provides an overview of the findings and recommendations.

Scope: The scope of this vendor assessment included an evaluation of XYZ Vendor's security practices and controls, including:
- Physical security measures
- Information security policies and procedures
- Access controls and authentication mechanisms
- Network security controls
- Incident response and business continuity planning

Findings: The assessment identified the following key findings:
Physical Security: The vendor's physical security measures were found to be strong. They have implemented multiple layers of security controls, including surveillance cameras, security guards, and access control systems. However, we identified one area where improvements are needed: the vendor does not have a formal visitor management process, which could pose a security risk.
Information Security Policies and Procedures: The vendor has established information security policies and procedures, but they are not consistently followed by all employees. Additionally, the policies and procedures are not regularly reviewed and updated, which may lead to outdated or incomplete information.
Access Controls and Authentication Mechanisms: The vendor's access controls and authentication mechanisms were found to be adequate, but there is room for improvement. For example, the vendor does not have a formal process for disabling accounts of employees who leave the company.
Network Security Controls: The vendor has implemented a number of strong network security controls, including firewalls, intrusion detection systems, and regular vulnerability assessments. However, we identified several vulnerabilities during our testing, which the vendor needs to address.
Incident Response and Business Continuity Planning: The vendor has established incident response and business continuity plans, but they have not been tested in practice. The plans should be tested periodically to ensure that they are effective and up-to-date.

Recommendations: Based on the findings of the vendor assessment, the following recommendations are made:
- Implement a formal visitor management process to enhance physical security.
- Review and update information security policies and procedures on a regular basis.
- Develop a process for disabling accounts of employees who leave the company.
- Address the vulnerabilities identified in the network security controls.
- Test incident response and business continuity plans periodically to ensure effectiveness.

Conclusion: Overall, the vendor assessment revealed that XYZ Vendor has implemented a number of strong security controls, but there are also areas where improvements are needed. By addressing the identified vulnerabilities and implementing the recommended improvements, the vendor can further enhance their security practices and better protect our organization's data and systems.
@manidharr1998, 2 years ago
Can you share more information about what we have to check if the vendor provides software services or SaaS?
@LearnITSecuritywithLuvJohar, 2 years ago
Sorry, I am not clear; please expand your question a little more.
@lalji2008, 1 year ago
what are the risks being handled by ServiceNow VRM?
@LearnITSecuritywithLuvJohar
Sorry, not now, but if you have any questions please join my Telegram group - t.me/+8lcSF0urtEJlOWI1
@siddharthverma5004, 3 years ago
Hi Sir, what evidence can we ask for from the perspective of Vendor Risk Assessment, apart from policy documents?
@satishr7288, 3 years ago
Dear Sir, how to perform risk assessment in a practical way would be more helpful. I have watched your videos, which are very useful and informative.
@LearnITSecuritywithLuvJohar, 3 years ago
Watch session 4 of the workshop series and session 5; I have detailed risk assessment there, Satish.
@satishr7288, 3 years ago
@@LearnITSecuritywithLuvJohar Dear Sir, could I get the links to your videos?
@nitadavid430, 2 years ago
@@LearnITSecuritywithLuvJohar Can I please be added to the third party group, if there is one?
@lalitshekhawat02, 4 years ago
Thanks Luv, very well explained
@dmnick123ify, 3 years ago
Hello, are there any books you can recommend for 3rd Party Risk? Or an online class?
@yogeshmahajan5258, 4 years ago
Nicely explained. Please have a session on ISMS with reference to SOC.
@LearnITSecuritywithLuvJohar, 4 years ago
SOC 2 and ISMS have 96% of controls in common, Yogesh; it depends upon your organisation's regulatory requirements which one you should opt for.
@yogeshmahajan5258, 4 years ago
@@LearnITSecuritywithLuvJohar Thanks. All webcasts are valuable. I appreciate your efforts.
@yogeshmahajan5258, 4 years ago
@@LearnITSecuritywithLuvJohar valuable
@saurabhsharma5938, 4 years ago
@@LearnITSecuritywithLuvJohar Hey, can we cover the Pharmaceutical Domain for EU and USA?
@saigeetawaingade6762, 3 years ago
Very nicely explained..👍
@mmmaaa399, 2 years ago
Assessment for Critical Risk vendors
@LearnITSecuritywithLuvJohar
Assessing critical risk vendors is an important part of an organization's risk management process. Here are some key steps to follow when conducting an assessment for critical risk vendors:
1. Identify critical risk vendors: Identify the vendors that provide critical services to your organization and that may pose a significant risk if they fail to deliver those services. Examples may include vendors that provide IT services, financial services, or supply chain services.
2. Establish assessment criteria: Determine the criteria that will be used to assess critical risk vendors, such as their financial stability, security practices, compliance with regulations, and business continuity plans.
3. Conduct a questionnaire: Develop a questionnaire that asks critical risk vendors about their security controls, policies, and procedures. The questionnaire should be customized to reflect the vendor's services and the risks associated with those services.
4. Review vendor documents: Review the vendor's policies, procedures, and security controls to ensure they meet your organization's requirements. This may include reviewing the vendor's security and privacy policies, service level agreements, and incident response plans.
5. Perform on-site assessments: Perform on-site assessments of the vendor's facilities, operations, and security controls. This may include physical security assessments, vulnerability scans, or penetration testing.
6. Analyze findings: Analyze the findings from the questionnaire, document reviews, and on-site assessments. Identify any weaknesses or gaps in the vendor's security controls, policies, and procedures.
7. Mitigate risks: Develop a plan to mitigate any identified risks, such as requiring the vendor to implement additional security controls or requesting that they revise their policies and procedures.
8. Monitor vendors: Monitor critical risk vendors on an ongoing basis to ensure they continue to meet your organization's security requirements. This may include regular audits, vulnerability scans, or other assessments.
By following these steps, organizations can effectively assess their critical risk vendors and minimize the risk of security breaches or disruptions to critical services. It's important to establish a consistent and thorough assessment process and to continuously monitor critical risk vendors to ensure they continue to meet security requirements over time.
@theignited, 3 years ago
Very well explained sir. 👍👍👍
@wasimhussain9533, 4 years ago
Nice presentation, thank you, and can we get some material on VRM?
@LearnITSecuritywithLuvJohar, 4 years ago
chat.whatsapp.com/G01F4fL6idoGy4kIOkxfDj
@priyadharshigagnanasekar5144, 3 years ago
Can you please comment the group invite link again?
@satishr7288, 2 years ago
This WhatsApp group has been reset; request you to share the new link.
@rajeshdua3699, 2 years ago
Hi Sir, please suggest a certification in Vendor risk management. Currently I have done the ISO 27001 LA certification and am looking for a certification in Vendor risk management.
@LearnITSecuritywithLuvJohar
Thanks, please keep watching and share if you like this video :)
@susovanpaul2509, 3 years ago
Hi Luv, can you please share the updated WhatsApp group chat link?
@PriyaThakur-nr2tn, 3 years ago
Hello sir, can I get the WhatsApp group link?
@nitadavid430, 2 years ago
Did you ever get the group link?
@ashah6696, 2 years ago
Hi Luv, I do have a question on a vendor risk assessment. Is there an email or WhatsApp number I can reach you at? It's a specific question.
@LearnITSecuritywithLuvJohar
t.me/+8lcSF0urtEJlOWI1 Sure, please join my Telegram group; feel free to join the group for any questions related to information security and cyber security.
@vidyayadav6, 2 years ago
What is the WhatsApp group number?
@LearnITSecuritywithLuvJohar
Thanks, please keep watching and share if you like this video :)