In the sprawling office of a high rise in Sydney CBD, like every day, Cynthia, a busy executive, is looking at a recent CPS234 internal audit report from her internal audit team. The internal audit has reported the organisation's unpreparedness in managing vendor cyber risks. Her counterparts in other organisations who have faced an APRA audit are now focusing on uplifting their cyber vendor management processes. With mounting pressure from the board, she has very little time to act.
The above story is a work of fiction, but it reflects much of today's reality, where the pendulum is swinging between low risk appetite and high compliance.
Transformationplus research based on open source threat intelligence suggests that cyber-attacks through suppliers have increased by more than 40% in 2019. As CPS234 gets rolled out for vendors in June 2020, it has changed the dynamics of the game for organisations with respect to managing the risks originating from vendors and suppliers.
Currently, an organisation's vendor management and assurance are restricted to conducting desktop-based assessments through pre-defined assessment questionnaires. While desktop-based assessments provide the minimum level of assurance an organisation needs, they are not sufficient to satisfy the numerous requirements of CPS234 or to address the ever-increasing number of supply chain attacks.
CPS234 asks financial and financial services organisations to manage vendors based on the risks they pose to the organisation and on the organisation's risk appetite. Accordingly, the organisation will need to mandate that vendors implement appropriate controls, such as conducting control testing periodically and implementing appropriate data safeguards, to mitigate those risks. The organisation will need to assess the information security capabilities of each vendor to ascertain whether the vendor can effectively keep the risks below the organisation's risk appetite.
The organisation’s internal audit will need to provide independent assurance by reviewing the organisation’s vendor governance and assurance process including reviewing the design and operating effectiveness of controls and the information security control assurance reports provided by vendors.
Organisations need to do much more than desktop vendor assessment and establish a dynamic governance model.
Based on our experience interacting with many organisations dealing with complex vendors, we have identified the following activities to effectively manage threats and comply with CPS234 requirements:
Step 1 – Vendor categorisation: Categorise vendors based on the risk they pose to the organisation.
From a vendor governance and risk management perspective, there are four broad groups of vendors in an organisation.
- Suppliers with access to data
- Suppliers who store data in their data centers or cloud
- Suppliers with access to infrastructure
- Suppliers who own or manage infrastructure
- Hardware/software supplier
Step 2 – Contracts: Incorporate security clauses in vendor agreements that enable the organisation to require the vendor to implement appropriate controls and give the organisation the ability to audit the vendor's information security capabilities.
Step 3 – Risk management: The risks identified through the assessment need to be recorded in the risk register, followed up with the vendor and tracked to completion.
Step 4 – Situational awareness: Implement key risk indicators for measuring the key controls implemented by vendors for the protection of the organisation and its data, and track them periodically. Key risk indicators are measurements of the controls implemented by the vendor that the organisation deems critical for the protection of the organisation and its data, such as encryption.
Step 5 – JAP (Joint Assurance Program): Establish joint assurance programs to create working relationships with the cyber security personnel of key vendors. This would include establishing and agreeing on incident notification timelines and conducting joint incident response testing.
So how can our iSecureCyber tool help?
iSecureCyber is the only cyber vendor management software that automates end-to-end cyber vendor management. With iSecureCyber's vendor categorisation, assessment and key risk indicator modules, organisations can effectively manage cyber risk. The assessment, based on ISO27001, is intelligently crafted from yes or no answers to identify the maturity level of the vendor and benchmark it against peers in the industry. The software's policy enforcement and compliance tracking features enable organisations to enforce vendor assurance activities on vendors and to automatically view the compliance status of each vendor against the enforced policies.
Overall, the software has been developed based on inputs from more than 20 CISOs in the industry.
Cynthia has since implemented iSecureCyber as a part of their SOE. It was an easy integration. Their vendor management team and internal audit team love using the tool. She was just reading the last APRA audit report from their internal audit team, which showed that they did not have any major findings, only some minor observations. On top of that, the vendor management team is now almost fully automated with the help of iSecureCyber, which has created better dynamics, fewer errors and, above all, saved a huge amount of expense in achieving this compliance.