WEBVTT

1
00:00:00.000 --> 00:00:01.230
In this lesson,

2
00:00:01.230 --> 00:00:04.320
we will learn about third-party risk management.

3
00:00:04.320 --> 00:00:07.020
Third-party risk management involves assessing

4
00:00:07.020 --> 00:00:10.470
and mitigating risks associated with external parties

5
00:00:10.470 --> 00:00:14.430
that provide commodities or services to an organization.

6
00:00:14.430 --> 00:00:16.710
Third-party risk management considerations

7
00:00:16.710 --> 00:00:19.110
include subprocessor risk,

8
00:00:19.110 --> 00:00:22.740
which arises when third-party vendors subcontract work,

9
00:00:22.740 --> 00:00:26.100
vendor risk, which focuses on the potential impact

10
00:00:26.100 --> 00:00:28.650
of direct suppliers to the organization,

11
00:00:28.650 --> 00:00:30.480
and supply chain risk,

12
00:00:30.480 --> 00:00:33.090
which encompasses risks across all stages

13
00:00:33.090 --> 00:00:34.350
of the supply chain,

14
00:00:34.350 --> 00:00:37.980
including both subprocessors and vendors.

15
00:00:37.980 --> 00:00:41.580
Let's explore vendor risk, subprocessor risk,

16
00:00:41.580 --> 00:00:44.430
and supply chain risk in more detail.

17
00:00:44.430 --> 00:00:46.920
First, we have vendor risk.

18
00:00:46.920 --> 00:00:48.360
The vendors we rely on

19
00:00:48.360 --> 00:00:51.570
can significantly affect our business operations

20
00:00:51.570 --> 00:00:53.340
and security, so it's essential

21
00:00:53.340 --> 00:00:55.350
to assess their risk carefully.

22
00:00:55.350 --> 00:00:58.350
For instance, if a software vendor we depend on

23
00:00:58.350 --> 00:01:01.590
for daily operations has poor security practices

24
00:01:01.590 --> 00:01:03.150
and suffers a data breach,

25
00:01:03.150 --> 00:01:05.490
our sensitive data could be exposed,

26
00:01:05.490 --> 00:01:09.210
even if the breach occurred outside our organization.

27
00:01:09.210 --> 00:01:13.530
That's why, for each new vendor, we conduct due diligence.

28
00:01:13.530 --> 00:01:15.300
Due diligence is the process

29
00:01:15.300 --> 00:01:19.770
of thoroughly evaluating reliability, risks, and integrity

30
00:01:19.770 --> 00:01:22.170
before entering into a partnership,

31
00:01:22.170 --> 00:01:24.090
such as a vendor agreement.

32
00:01:24.090 --> 00:01:27.420
Once they're on board and integrated into our systems,

33
00:01:27.420 --> 00:01:30.600
we apply due care to the vendor relationship

34
00:01:30.600 --> 00:01:34.290
by continuously taking reasonable steps to prevent harm

35
00:01:34.290 --> 00:01:35.850
and mitigate risks,

36
00:01:35.850 --> 00:01:39.510
ensuring that our operations remain secure.

37
00:01:39.510 --> 00:01:41.250
Now that we've covered the importance

38
00:01:41.250 --> 00:01:44.190
of managing initial vendor risk, it's clear

39
00:01:44.190 --> 00:01:46.920
that evaluating vendors is just the beginning

40
00:01:46.920 --> 00:01:49.440
of building a secure business environment.

41
00:01:49.440 --> 00:01:52.140
Once we've ensured that vendors are trustworthy

42
00:01:52.140 --> 00:01:54.810
through due diligence, we need to look deeper

43
00:01:54.810 --> 00:01:58.230
into how they impact our business operations.

44
00:01:58.230 --> 00:02:00.090
This includes considering factors

45
00:02:00.090 --> 00:02:02.280
like product support lifecycle.

46
00:02:02.280 --> 00:02:05.760
For example, purchasing software from an established vendor,

47
00:02:05.760 --> 00:02:07.590
like Microsoft, ensures

48
00:02:07.590 --> 00:02:09.690
that we will receive long-term updates

49
00:02:09.690 --> 00:02:12.270
and security patches, reducing the risk

50
00:02:12.270 --> 00:02:14.280
of vulnerabilities over time.

51
00:02:14.280 --> 00:02:17.340
In contrast, a newer or less stable vendor

52
00:02:17.340 --> 00:02:19.080
might not have the resources

53
00:02:19.080 --> 00:02:21.330
to offer this level of support.

54
00:02:21.330 --> 00:02:24.570
Second, we have subprocessor risk.

55
00:02:24.570 --> 00:02:28.020
A subprocessor is a third-party entity that a vendor

56
00:02:28.020 --> 00:02:31.590
or service provider outsources certain functions to.

57
00:02:31.590 --> 00:02:34.590
Processing data or managing specific services

58
00:02:34.590 --> 00:02:37.110
are common subprocessor functions.

59
00:02:37.110 --> 00:02:39.570
For example, a cloud service provider

60
00:02:39.570 --> 00:02:41.250
might use a subprocessor

61
00:02:41.250 --> 00:02:43.080
to manage their data centers

62
00:02:43.080 --> 00:02:45.810
or perform certain technical tasks.

63
00:02:45.810 --> 00:02:48.600
Managing subprocessor risk is important

64
00:02:48.600 --> 00:02:52.170
because even though we're not directly working with them,

65
00:02:52.170 --> 00:02:56.040
these subprocessors can still impact our security

66
00:02:56.040 --> 00:02:57.750
and business operations.

67
00:02:57.750 --> 00:03:01.080
If a vendor we rely on outsources critical functions

68
00:03:01.080 --> 00:03:04.320
like data storage or IT support to another company,

69
00:03:04.320 --> 00:03:06.540
we need to ensure that the subprocessor

70
00:03:06.540 --> 00:03:08.430
is reliable and secure.

71
00:03:08.430 --> 00:03:11.670
To manage this risk, we first need to ask our vendors

72
00:03:11.670 --> 00:03:14.640
to disclose who their subprocessors are

73
00:03:14.640 --> 00:03:16.950
and what services they provide.

74
00:03:16.950 --> 00:03:18.840
Then we need to verify

75
00:03:18.840 --> 00:03:22.650
that these subprocessors follow strong security practices

76
00:03:22.650 --> 00:03:25.260
and comply with the same standards we expect

77
00:03:25.260 --> 00:03:26.850
from our main vendors.

78
00:03:26.850 --> 00:03:30.690
This way, we can be confident that every link in the chain,

79
00:03:30.690 --> 00:03:33.150
both vendors and subprocessors,

80
00:03:33.150 --> 00:03:36.510
meet our security and performance requirements.

81
00:03:36.510 --> 00:03:40.140
Third and last, we have supply chain risk.

82
00:03:40.140 --> 00:03:43.560
When assessing the total supply chain risk, it's important

83
00:03:43.560 --> 00:03:46.710
to consider all components that make up your products,

84
00:03:46.710 --> 00:03:48.960
such as hardware and software.

85
00:03:48.960 --> 00:03:52.230
For instance, if you buy a router, it's possible

86
00:03:52.230 --> 00:03:54.990
that the parts inside may have been tampered with

87
00:03:54.990 --> 00:03:56.370
along the way.

88
00:03:56.370 --> 00:03:59.610
Conducting a supply chain assessment helps you understand

89
00:03:59.610 --> 00:04:02.880
where those parts came from and whether they can be trusted.

90
00:04:02.880 --> 00:04:05.100
You don't need to track every component,

91
00:04:05.100 --> 00:04:07.620
but knowing the reliability of your suppliers

92
00:04:07.620 --> 00:04:10.980
is key to ensuring a secure working environment.

93
00:04:10.980 --> 00:04:13.440
Another key aspect of supply chain risk

94
00:04:13.440 --> 00:04:15.390
is source authenticity.

95
00:04:15.390 --> 00:04:17.490
When buying equipment, it's important

96
00:04:17.490 --> 00:04:19.770
to purchase directly from trusted vendors,

97
00:04:19.770 --> 00:04:22.620
such as Cisco, rather than secondhand

98
00:04:22.620 --> 00:04:25.680
or unauthorized sources, which carry a higher risk

99
00:04:25.680 --> 00:04:28.290
of compromised or counterfeit devices.

100
00:04:28.290 --> 00:04:30.030
Evaluating the supply chain

101
00:04:30.030 --> 00:04:33.180
for products you're integrating into your systems

102
00:04:33.180 --> 00:04:35.460
helps ensure the final product is free

103
00:04:35.460 --> 00:04:36.690
from hidden threats,

104
00:04:36.690 --> 00:04:39.120
like malware embedded in firmware,

105
00:04:39.120 --> 00:04:41.970
which could go undetected for long periods,

106
00:04:41.970 --> 00:04:45.330
and pose serious security risks to your network.

107
00:04:45.330 --> 00:04:48.660
So remember, third-party risk management

108
00:04:48.660 --> 00:04:50.250
involves identifying

109
00:04:50.250 --> 00:04:53.520
and mitigating risks from external parties

110
00:04:53.520 --> 00:04:57.930
that provide services or products to our organization.

111
00:04:57.930 --> 00:05:00.480
Key aspects include vendor risk,

112
00:05:00.480 --> 00:05:03.930
which focuses on the direct impact of our suppliers,

113
00:05:03.930 --> 00:05:08.070
subprocessor risk, which arises when vendors outsource parts

114
00:05:08.070 --> 00:05:10.290
of their services to other providers,

115
00:05:10.290 --> 00:05:12.060
and supply chain risk,

116
00:05:12.060 --> 00:05:15.540
which encompasses risks across the entire supply chain.

117
00:05:15.540 --> 00:05:19.050
Managing these risks requires conducting due diligence

118
00:05:19.050 --> 00:05:21.900
to ensure the reliability and security of vendors

119
00:05:21.900 --> 00:05:23.400
and their subprocessors,

120
00:05:23.400 --> 00:05:26.190
as well as verifying the authenticity

121
00:05:26.190 --> 00:05:29.403
of products and services in the supply chain.

