Understanding Data Security Risks When Using Technology
PERFECTLY STATED
"Cyberwarfare is like a soccer game with all the fans on the field with you and no one is wearing uniforms."
- Marshall Lytle, Chief Information Officer of the Joint Staff
CHANGING DYNAMICS
Your data is more accessible today. You are only as secure as your weakest partner.
Time and Billing Software
Case and Client Management
E-Discovery
Cybersecurity Software Solutions
Document Management
Local Counsel
CUSTOMER DATA FLOW CHART
Integrity of data security throughout the supply chain is a cost of doing business, as customers demand secure vendors
Customers
Law Firm
Vendor Vendor Vendor
CYBER SUPPLY CHAIN RISK MANAGEMENT
Cybersecurity
Compliance
Risk Management
Communicate your security policies and procedures throughout the supply chain
Identify, quantify, and prioritize security risk related to sharing sensitive data throughout the supply chain (hardware, software, and services)
TARGET CASE STUDY
Phishing attack against Fazio Mechanical
Accessing the Target network
Gained access to vulnerable machines
Installed malware on Point of Sale terminal
Collected credit card information from PoS
Moved data out of Target network
A Google search would have shown the vendor portal, a list of HVAC and refrigeration companies, and a Microsoft case study of Target’s architecture
40 million credit and debit cards and 70 million records of personal information
THREE PILLARS OF SUPPLY CHAIN THREATS
People / Employees: What employees have access to my data? Have you completed an in-depth screening of each employee?
Services: Can you adequately protect my assets and personnel?
Products: What technologies are used in your products? Is my data being shared with your third parties (4th Party Risk)?
BEST PRACTICES – ROAD MAP
Identify ALL vendors in supply chain
Create the right questions based on the risk level & role of the vendor
Translate areas of risk into the contract Terms and Conditions
Catalog vendors by criticality to business
Score results and communicate with business units for transparency
Automate Reassessment to ensure compliance – enforce audit clause
CREATING VENDOR INVENTORY
Expanded definition of vendor
Include all third parties that touch your networks, components or information systems
Vendors that provide physical security and support services (executive protection, janitorial, CCTV)
Determine data access and business criticality
Real-time risk priorities
Tier 1 Business Critical Systems
Tier 2 High Criticality
Tier 3 Medium Criticality
Tier 4 Low Criticality
WHAT INFORMATION IS RELEVANT
Depending on the data access and criticality of your vendor, the security assessment should be customized to meet your firm’s policies, compliance requirements and best practices
Key Security Domains
Business continuity/disaster management
Personnel security
System development
Application security
Overall system security
Network security
Data security and Life Cycle Management
Access control (physical and cyber)
Vulnerability management
Change Management
Third Party Vendors
DEVELOPING THE CONTRACT
Translate results into Terms and Conditions of contracts
How the vendor should handle your data
What employees should have access and background checks for new employees
Evaluation requirement of components and/or technologies used in their products
Patch update notification requirements before deployment
Breach notification clauses
HOW FREQUENTLY SHOULD THIS BE COMPLETED
Baseline Security Assessment
Annual Reassessment
Real-Time Critical Updates
Ad Hoc Vendor Audits
The organization that shares the data has the ultimate right to control who has access to the data and how frequently their security is evaluated
CONCLUSION
Vendors typically need you more than you need them
Complete assessments on a regular basis
Require 3rd Party Risk Assessment by your vendors (your 4th party)
Enforce your audit clause to validate compliance
Ensure background checks and training are completed by your vendors that have customer information
Set a policy, stick with it, and communicate to all stakeholders
CONTACT INFORMATION
Ishan Girdhar
Chief Executive Officer
[email protected]
+1 (443) 800 – 3499
www.privva.com