Governance, Regulation & Compliance

Education Level: Intermediate

4417 - Intrusive Monitoring: The Nuclear Option for Monitoring Third Parties

Speaker(s)

• 

  Peter Gregory, CISSP CISM CISA CRISC CCISO CCSK PCI-QSA

  Executive Director - CISO Services
  Optiv Security

The structure of most organizations’ information processing involves large numbers of third-party organizations that have access to organizations’ most critical and sensitive data. Even modest-sized organizations have hundreds of third parties. Without mature structure for effective management of third parties, organizations fail to uncover and manage risks they would find unacceptable had they been known.

This session discusses program structure for managing third-party risk, including the concept of risk tiering, based on various criteria, with corresponding levels and types of due diligence activities: including short and long questionnaires, requests for evidence, on-site visit, and assessments by expert security firms. The discussion will highlight case studies for intrusive monitoring, where an organization will be monitoring one or more of their third parties’ networks, as a part of its overall event visibility.

Learning Objectives:

• Understand the nature of third-party risk programs.
• Develop a strategy for monitoring a third party’s environment.
• Understand why intrusive monitoring may help an organization’s third-party risk program.