Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

ISO 27001 is commonly used for assessing supply chain and data breach risks during due diligence. This post provides a free ISO 27001 vendor questionnaire template for a high-level evaluation of vendor information security standards. Though this security assessment template only broadly covers Supply Chain Risk Management aspects of ISO 27001, it should still be sufficient for identifying potential deficiencies in a vendor’s security control strategy requiring further investigation.

With digital transformation rapidly multiplying attack vectors across the cloud, remote work environments, and Shadow IT endpoints, mapping your digital footprint, let alone implementing an effective attack surface management strategy, is not as easy as it once was. As a result, communicating the value and progress of Attack Surface Management (ASM) to the board is becoming a considerable challenge that must be addressed before threat landscapes evolve beyond the reach of mitigation capabilities.

Though very helpful in representing the efficacy of a service provider’s third-party risk management program, SOC reports aren’t always available. Some service providers either don’t have the budget for a SOC report or are unwilling to undergo the laborious process of an SSAE-18 audit. While a lack of a SOC report should raise alarm bells during the due diligence process, it shouldn’t necessarily result in the disqualification of a prospective vendor.

FedRAMP refers to the Federal Risk and Authorization Management Program, a US government-created program to smooth the connection between its federal agencies and cloud service providers. The General Services Administration (GSA) established FedRAMP Program Management Office (FedRAMP PMO) to help achieve the following goals: This post will examine the benefits of using FedRAMP and will provide an overview of the system and its requirements for cloud service offerings (CSOs).

The following list offers three effective strategies for keeping your board informed of the business’s third-party risk exposure and the efficacy of its Third-Party Risk Management program.

Exposure management in cybersecurity is a set of processes that helps organizations view their entire attack surface and understand which areas in their IT infrastructure are most exposed to cyber threats. Organizations can then take the necessary steps to reduce their cyber risk exposure through risk mitigation and risk remediation steps. Exposure management goes hand in hand with attack surface management (ASM) and threat and vulnerability intelligence.

Cyber risk governance (also called cyber risk governance or governance, risk, and compliance — GRC) and cyber risk management are often used interchangeably, but they are actually very different parts of the way an organization achieves data protection. While cybersecurity risk management focuses on implementing cybersecurity controls, cyber risk governance is more concerned with the strategy behind that implementation.

Because unmanaged assets are not continuously monitored for security risks, they likely contain cybersecurity exposures, like software vulnerabilities and cloud security misconfigurations. When these assets are connected to the internet, they become active attack vectors heightening your risk of suffering a data breach. If you’re looking for ideas for reducing your organization’s attack surface, start by locating and decommissioning unmanaged internet-facing assets.