{"product_id":"cybersecurity-and-third-party-risk-isbn-9781119809555","title":"Cybersecurity and Third-Party Risk","description":"\u003cp\u003e\u003cb\u003eMove beyond the checklist and fully protect yourself from third-party cybersecurity risk\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOver the last decade, there have been hundreds of big-name organizations in every sector that have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 has ushered in a huge wave of cybersecurity attacks, a nearly 800% increase in cyberattack activity as millions of workers shifted to working remotely in the wake of a global pandemic.\u003c\/p\u003e \u003cp\u003eThe 2020 SolarWinds supply-chain attack illustrates the lasting impact of this dramatic increase in cyberattacks. Using a technique known as Advanced Persistent Threat (APT), a sophisticated hacker stole information from multiple organizations, from Microsoft to the Department of Homeland Security, not by attacking targets directly but by attacking a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.\u003c\/p\u003e \u003cp\u003e\u003ci\u003eCybersecurity and Third-Party Risk\u003c\/i\u003e delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. 
Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.\u003c\/p\u003e \u003cul\u003e \u003cli\u003eUnderstand the basics of third-party risk management\u003c\/li\u003e \u003cli\u003eConduct due diligence on third parties connected to your network\u003c\/li\u003e \u003cli\u003eKeep your data and sensitive information current and reliable\u003c\/li\u003e \u003cli\u003eIncorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts\u003c\/li\u003e \u003cli\u003eLearn valuable lessons from devastating breaches suffered by other companies like Home Depot, GM, and Equifax\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003eThe time to talk cybersecurity with your data partners is now.\u003c\/p\u003e \u003cp\u003e\u003ci\u003eCybersecurity and Third-Party Risk\u003c\/i\u003e is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.\u003c\/p\u003e \u003cp\u003eForeword xvi\u003c\/p\u003e \u003cp\u003eIntroduction xviii\u003c\/p\u003e \u003cp\u003e\u003cb\u003eSection 1 Cybersecurity Third-Party Risk\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 What is the Risk? 
1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe SolarWinds Supply-Chain Attack 4\u003c\/p\u003e \u003cp\u003eThe VGCA Supply-Chain Attack 6\u003c\/p\u003e \u003cp\u003eThe Zyxel Backdoor Attack 9\u003c\/p\u003e \u003cp\u003eOther Supply-Chain Attacks 10\u003c\/p\u003e \u003cp\u003eProblem Scope 12\u003c\/p\u003e \u003cp\u003eCompliance Does Not Equal Security 15\u003c\/p\u003e \u003cp\u003eThird-Party Breach Examples 17\u003c\/p\u003e \u003cp\u003eThird-Party Risk Management 24\u003c\/p\u003e \u003cp\u003eCybersecurity and Third-Party Risk 27\u003c\/p\u003e \u003cp\u003eCybersecurity Third-Party Risk as a Force Multiplier 32\u003c\/p\u003e \u003cp\u003eConclusion 33\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Cybersecurity Basics 35\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCybersecurity Basics for Third-Party Risk 38\u003c\/p\u003e \u003cp\u003eCybersecurity Frameworks 46\u003c\/p\u003e \u003cp\u003eDue Care and Due Diligence 53\u003c\/p\u003e \u003cp\u003eCybercrime and Cybersecurity 56\u003c\/p\u003e \u003cp\u003eTypes of Cyberattacks 59\u003c\/p\u003e \u003cp\u003eAnalysis of a Breach 63\u003c\/p\u003e \u003cp\u003eThe Third-Party Breach Timeline: Target 66\u003c\/p\u003e \u003cp\u003eInside Look: Home Depot Breach 68\u003c\/p\u003e \u003cp\u003eConclusion 72\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Pandemic Shutdown 77\u003c\/p\u003e \u003cp\u003eTimeline of the Pandemic Impact on Cybersecurity 80\u003c\/p\u003e \u003cp\u003ePost-Pandemic Changes and Trends 84\u003c\/p\u003e \u003cp\u003eRegulated Industries 98\u003c\/p\u003e \u003cp\u003eAn Inside Look: P\u0026amp;N Bank 100\u003c\/p\u003e \u003cp\u003eSolarWinds Attack Update 102\u003c\/p\u003e \u003cp\u003eConclusion 104\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Third-Party Risk Management 107\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThird-Party Risk Management 
Frameworks 113\u003c\/p\u003e \u003cp\u003eISO 27036:2013+ 114\u003c\/p\u003e \u003cp\u003eNIST 800-SP 116\u003c\/p\u003e \u003cp\u003eNIST 800-161 Revision 1: Upcoming Revision 125\u003c\/p\u003e \u003cp\u003eNISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125\u003c\/p\u003e \u003cp\u003eThe Cybersecurity and Third-Party Risk Program Management 127\u003c\/p\u003e \u003cp\u003eKristina Conglomerate (KC) Enterprises 128\u003c\/p\u003e \u003cp\u003eKC Enterprises’ Cyber Third-Party Risk Program 131\u003c\/p\u003e \u003cp\u003eInside Look: Marriott 140\u003c\/p\u003e \u003cp\u003eConclusion 141\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Onboarding Due Diligence 143\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIntake 145\u003c\/p\u003e \u003cp\u003eData Privacy 146\u003c\/p\u003e \u003cp\u003eCybersecurity 147\u003c\/p\u003e \u003cp\u003eAmount of Data 149\u003c\/p\u003e \u003cp\u003eCountry Risk and Locations 149\u003c\/p\u003e \u003cp\u003eConnectivity 150\u003c\/p\u003e \u003cp\u003eData Transfer 150\u003c\/p\u003e \u003cp\u003eData Location 151\u003c\/p\u003e \u003cp\u003eService-Level Agreement or Recovery Time Objective 151\u003c\/p\u003e \u003cp\u003eFourth Parties 152\u003c\/p\u003e \u003cp\u003eSoftware Security 152\u003c\/p\u003e \u003cp\u003eKC Enterprises Intake\/Inherent Risk Cybersecurity Questionnaire 153\u003c\/p\u003e \u003cp\u003eCybersecurity in Request for Proposals 154\u003c\/p\u003e \u003cp\u003eData Location 155\u003c\/p\u003e \u003cp\u003eDevelopment 155\u003c\/p\u003e \u003cp\u003eIdentity and Access Management 156\u003c\/p\u003e \u003cp\u003eEncryption 156\u003c\/p\u003e \u003cp\u003eIntrusion Detection\/Prevention System 157\u003c\/p\u003e \u003cp\u003eAntivirus and Malware 157\u003c\/p\u003e \u003cp\u003eData Segregation 158\u003c\/p\u003e \u003cp\u003eData Loss Prevention 158\u003c\/p\u003e \u003cp\u003eNotification 158\u003c\/p\u003e \u003cp\u003eSecurity Audits 159\u003c\/p\u003e 
\u003cp\u003eCybersecurity Third-Party Intake 160\u003c\/p\u003e \u003cp\u003eData Security Intake Due Diligence 161\u003c\/p\u003e \u003cp\u003eNext Steps 167\u003c\/p\u003e \u003cp\u003eWays to Become More Efficient 173\u003c\/p\u003e \u003cp\u003eSystems and Organization Controls Reports 174\u003c\/p\u003e \u003cp\u003eChargebacks 177\u003c\/p\u003e \u003cp\u003eGo-Live Production Reviews 179\u003c\/p\u003e \u003cp\u003eConnectivity Cyber Reviews 179\u003c\/p\u003e \u003cp\u003eInside Look: Ticketmaster and Fourth Parties 182\u003c\/p\u003e \u003cp\u003eConclusion 183\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Ongoing Due Diligence 185\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eLow-Risk Vendor Ongoing Due Diligence 189\u003c\/p\u003e \u003cp\u003eModerate-Risk Vendor Ongoing Due Diligence 193\u003c\/p\u003e \u003cp\u003eHigh-Risk Vendor Ongoing Due Diligence 196\u003c\/p\u003e \u003cp\u003e“Too Big to Care” 197\u003c\/p\u003e \u003cp\u003eA Note on Phishing 200\u003c\/p\u003e \u003cp\u003eIntake and Ongoing Cybersecurity Personnel 203\u003c\/p\u003e \u003cp\u003eRansomware: A History and Future 203\u003c\/p\u003e \u003cp\u003eAsset Management 205\u003c\/p\u003e \u003cp\u003eVulnerability and Patch Management 206\u003c\/p\u003e \u003cp\u003e802.1x or Network Access Control (NAC) 206\u003c\/p\u003e \u003cp\u003eInside Look: GE Breach 207\u003c\/p\u003e \u003cp\u003eConclusion 208\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 On-site Due Diligence 211\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOn-site Security Assessment 213\u003c\/p\u003e \u003cp\u003eScheduling Phase 214\u003c\/p\u003e \u003cp\u003eInvestigation Phase 215\u003c\/p\u003e \u003cp\u003eAssessment Phase 217\u003c\/p\u003e \u003cp\u003eOn-site Questionnaire 221\u003c\/p\u003e \u003cp\u003eReporting Phase 227\u003c\/p\u003e \u003cp\u003eRemediation Phase 227\u003c\/p\u003e \u003cp\u003eVirtual On-site Assessments 229\u003c\/p\u003e \u003cp\u003eOn-site Cybersecurity Personnel 
231\u003c\/p\u003e \u003cp\u003eOn-site Due Diligence and the Intake Process 233\u003c\/p\u003e \u003cp\u003eVendors Are Partners 234\u003c\/p\u003e \u003cp\u003eConsortiums and Due Diligence 235\u003c\/p\u003e \u003cp\u003eConclusion 237\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Continuous Monitoring 239\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhat is Continuous Monitoring? 241\u003c\/p\u003e \u003cp\u003eVendor Security-Rating Tools 241\u003c\/p\u003e \u003cp\u003eInside Look: Health Share of Oregon’s Breach 251\u003c\/p\u003e \u003cp\u003eEnhanced Continuous Monitoring 252\u003c\/p\u003e \u003cp\u003eSoftware Vulnerabilities\/Patching Cadence 253\u003c\/p\u003e \u003cp\u003eFourth-Party Risk 253\u003c\/p\u003e \u003cp\u003eData Location 254\u003c\/p\u003e \u003cp\u003eConnectivity Security 254\u003c\/p\u003e \u003cp\u003eProduction Deployment 255\u003c\/p\u003e \u003cp\u003eContinuous Monitoring Cybersecurity Personnel 258\u003c\/p\u003e \u003cp\u003eThird-Party Breaches and the Incident Process 258\u003c\/p\u003e \u003cp\u003eThird-Party Incident Management 259\u003c\/p\u003e \u003cp\u003eInside Look: Uber’s Delayed Data Breach Reporting 264\u003c\/p\u003e \u003cp\u003eInside Look: Nuance Breach 265\u003c\/p\u003e \u003cp\u003eConclusion 266\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Offboarding 267\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAccess to Systems, Data, and Facilities 270\u003c\/p\u003e \u003cp\u003ePhysical Access 274\u003c\/p\u003e \u003cp\u003eReturn of Equipment 275\u003c\/p\u003e \u003cp\u003eContract Deliverables and Ongoing Security 275\u003c\/p\u003e \u003cp\u003eUpdate the Vendor Profile 276\u003c\/p\u003e \u003cp\u003eLog Retention 276\u003c\/p\u003e \u003cp\u003eInside Look: Morgan Stanley Decommissioning Process Misses 277\u003c\/p\u003e \u003cp\u003eInside Look: Data Sanitization 279\u003c\/p\u003e \u003cp\u003eConclusion 283\u003c\/p\u003e \u003cp\u003e\u003cb\u003eSection 2 Next Steps 
\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Securing the Cloud 285\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhy is the Cloud So Risky? 287\u003c\/p\u003e \u003cp\u003eIntroduction to NIST Service Models 288\u003c\/p\u003e \u003cp\u003eVendor Cloud Security Reviews 289\u003c\/p\u003e \u003cp\u003eThe Shared Responsibility Model 290\u003c\/p\u003e \u003cp\u003eInside Look: Cloud Controls Matrix by the Cloud Security Alliance 295\u003c\/p\u003e \u003cp\u003eSecurity Advisor Reports as Patterns 298\u003c\/p\u003e \u003cp\u003eInside Look: The Capital One Breach 312\u003c\/p\u003e \u003cp\u003eConclusion 313\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Cybersecurity and Legal Protections 315\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eLegal Terms and Protections 317\u003c\/p\u003e \u003cp\u003eCybersecurity Terms and Conditions 321\u003c\/p\u003e \u003cp\u003eOffshore Terms and Conditions 324\u003c\/p\u003e \u003cp\u003eHosted\/Cloud Terms and Conditions 327\u003c\/p\u003e \u003cp\u003ePrivacy Terms and Conditions 331\u003c\/p\u003e \u003cp\u003eInside Look: Heritage Valley Health vs. 
Nuance 334\u003c\/p\u003e \u003cp\u003eConclusion 335\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 Software Due Diligence 337\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Secure Software Development Lifecycle 340\u003c\/p\u003e \u003cp\u003eLessons from SolarWinds and Critical Software 342\u003c\/p\u003e \u003cp\u003eInside Look: Juniper 344\u003c\/p\u003e \u003cp\u003eOn-Premises Software 346\u003c\/p\u003e \u003cp\u003eCloud Software 348\u003c\/p\u003e \u003cp\u003eOpen Web Application Security Project Explained 350\u003c\/p\u003e \u003cp\u003eOWASP Top 10 350\u003c\/p\u003e \u003cp\u003eOWASP Web Security Testing Guide 352\u003c\/p\u003e \u003cp\u003eOpen Source Software 353\u003c\/p\u003e \u003cp\u003eSoftware Composition Analysis 355\u003c\/p\u003e \u003cp\u003eInside Look: Heartbleed 355\u003c\/p\u003e \u003cp\u003eMobile Software 357\u003c\/p\u003e \u003cp\u003eTesting Mobile Applications 358\u003c\/p\u003e \u003cp\u003eCode Storage 360\u003c\/p\u003e \u003cp\u003eConclusion 362\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 13 Network Due Diligence 365\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThird-Party Connections 368\u003c\/p\u003e \u003cp\u003ePersonnel Physical Security 368\u003c\/p\u003e \u003cp\u003eHardware Security 370\u003c\/p\u003e \u003cp\u003eSoftware Security 371\u003c\/p\u003e \u003cp\u003eOut-of-Band Security 372\u003c\/p\u003e \u003cp\u003eCloud Connections 374\u003c\/p\u003e \u003cp\u003eVendor Connectivity Lifecycle Management 375\u003c\/p\u003e \u003cp\u003eZero Trust for Third Parties 379\u003c\/p\u003e \u003cp\u003eInternet of Things and Third Parties 385\u003c\/p\u003e \u003cp\u003eTrusted Platform Module and Secure Boot 388\u003c\/p\u003e \u003cp\u003eInside Look: The Target Breach (2013) 390\u003c\/p\u003e \u003cp\u003eConclusion 391\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 14 Offshore Third-Party Cybersecurity Risk 393\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOnboarding Offshore Vendors 397\u003c\/p\u003e 
\u003cp\u003eOngoing Due Diligence for Offshore Vendors 399\u003c\/p\u003e \u003cp\u003ePhysical Security 399\u003c\/p\u003e \u003cp\u003eOffboarding Due Diligence for Offshore Vendors 402\u003c\/p\u003e \u003cp\u003eInside Look: A Reminder on Country Risk 404\u003c\/p\u003e \u003cp\u003eCountry Risk 405\u003c\/p\u003e \u003cp\u003eKC’s Country Risk 406\u003c\/p\u003e \u003cp\u003eConclusion 409\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 15 Transform to Predictive 411\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Data 414\u003c\/p\u003e \u003cp\u003eVendor Records 415\u003c\/p\u003e \u003cp\u003eDue Diligence Records 416\u003c\/p\u003e \u003cp\u003eContract Language 416\u003c\/p\u003e \u003cp\u003eRisk Acceptances 417\u003c\/p\u003e \u003cp\u003eContinuous Monitoring 417\u003c\/p\u003e \u003cp\u003eEnhanced Continuous Monitoring 417\u003c\/p\u003e \u003cp\u003eHow Data is Stored 418\u003c\/p\u003e \u003cp\u003eLevel Set 418\u003c\/p\u003e \u003cp\u003eA Mature to Predictive Approach 420\u003c\/p\u003e \u003cp\u003eThe Predictive Approach at KC Enterprises 420\u003c\/p\u003e \u003cp\u003eUse Case #1: Early Intervention 423\u003c\/p\u003e \u003cp\u003eUse Case #2: Red Vendors 425\u003c\/p\u003e \u003cp\u003eUse Case #3: Reporting 426\u003c\/p\u003e \u003cp\u003eConclusion 427\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 16 Conclusion 429\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAdvanced Persistent Threats Are the New Danger 431\u003c\/p\u003e \u003cp\u003eCybersecurity Third-Party Risk 435\u003c\/p\u003e \u003cp\u003eIndex 445\u003c\/p\u003e \u003cp\u003e\u003cb\u003eGREGORY C. RASNER\u003c\/b\u003e is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. 
He is the author of several published articles on Third-Party Risk and is a sought-after keynote speaker in this area.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eSTRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN\u003c\/b\u003e\u003c\/p\u003e\u003cp\u003eAcross the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.\u003c\/p\u003e\u003cp\u003eIn \u003ci\u003eCybersecurity and Third-Party Risk\u003c\/i\u003e, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization’s network by third parties. You’ll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.\u003c\/p\u003e\u003cp\u003eThe author discusses how to conduct due diligence on the third parties connected to your company’s networks and how to keep your information about them current and reliable. 
You’ll learn about the language you need to look for in a third-party data contract whether you’re offshoring or outsourcing data security arrangements.\u003c\/p\u003e\u003cp\u003ePerfect for professionals and executives responsible for securing their organizations’ systems against external threats, \u003ci\u003eCybersecurity and Third-Party Risk\u003c\/i\u003e is an indispensable resource for all business leaders who seek to:\u003c\/p\u003e\u003cul\u003e\n\u003cli\u003eUnderstand the fundamentals of third-party risk management\u003c\/li\u003e\n\u003cli\u003eConduct robust intake and ongoing due diligence\u003c\/li\u003e\n\u003cli\u003ePerform on-site due diligence and close vendor risks\u003c\/li\u003e\n\u003cli\u003eSecure your software supply chain\u003c\/li\u003e\n\u003cli\u003eUtilize cloud and on-premises software securely\u003c\/li\u003e\n\u003cli\u003eContinuously monitor your third-party vendors and prevent breaches\u003c\/li\u003e\n\u003c\/ul\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47989019279589,"sku":"NP9781119809555","price":42.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781119809555.jpg?v=1761782462","url":"https:\/\/k12savings.com\/es\/products\/cybersecurity-and-third-party-risk-isbn-9781119809555","provider":"K12savings","version":"1.0","type":"link"}