Page 52 - Cyber Defense eMagazine - October 2017
For a good example of risk management and third-party risk management, look back at
the Target breach of 2013. That breach exposed information from 41 million user
accounts, costing the retailer $18.5 million in settlement costs. It was triggered when
thieves hacked an HVAC contractor and stole their credentials to Target’s network.
This underscores the importance of creating a sound risk management plan.
Companies need to look at where their data will reside and at who, including third
parties, has access to it. They need to build their security policies to ensure that not
only their own networks are reinforced, but also that third and fourth parties are held
responsible for maintaining a level of security in their own networks.
Adopting a risk management approach for cloud security extends beyond just
developing the additional policies. Once your company has implemented the additional
policies and controls based on the business vertical, additional processes are also needed
to validate continued compliance. You need to be able to track, monitor and validate the
security posture of disparate internal and external partners and vendors. Don’t fall
back on the historical practice of trying to enforce your own security procedures, but
look to how you can monitor and validate your third- and fourth-party service providers.
Make sure their own security policies align with the standards you have assessed as meeting or
exceeding your own. You need to be able to not only validate that your
partners, vendors, customers and other connections are compliant, but also be able to
attest to the efficacy of that compliance to your customers, including the management of
mitigation, remediation, incident response and breach notification.
Here are six moves companies can make now to adapt their security policies to the
growing use of data in the cloud.
• Do a risk assessment – This is the first step in developing a whole risk
management approach to the cloud. You need to understand how you’re using the
cloud and what functions you’re still running in your data center. Make a detailed
report about the third parties you do business with and make sure they’re
meeting your standards for data protection.
• Implement third- and fourth-party risk management – This is no place to
skimp. Make sure your sub-service vendors and service delivery partners also
have mature cyber security programs that meet or exceed your own. And
regularly review their current compliance with their own security programs.
• Strengthen your encryption controls – In the old world, you could allow
unencrypted communication within your network. You relied on your own network
security to keep the bad actors out. Now, with cloud computing, you need to be
sure you have encryption at rest and encryption in transit. What encryption
methodology are you using, and how do you make sure it hasn’t been broken? You have to
assure that protection wherever that data resides.
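The article asks for a way to track and validate the encryption controls of third- and fourth-party providers, not just to write the policy. Below is an added example, not from the magazine or any of the companies it mentions, of how such a validation step can be scripted: each vendor's attestation (what they encrypt data at rest with, their minimum TLS version, the cipher suites they offer, and when their compliance was last reviewed) is checked against a baseline, and every gap becomes a finding. The vendor names, attestation values and baseline thresholds are all constructed for illustration.

```python
"""Check third- and fourth-party encryption attestations against a baseline policy."""
from dataclasses import dataclass
from datetime import date

# Hypothetical baseline: what this organisation accepts for data at rest and in transit.
APPROVED_AT_REST = {"AES-256-GCM", "AES-128-GCM", "AES-256-XTS", "ChaCha20-Poly1305"}
MIN_TLS = (1, 2)                    # TLS 1.2 or newer
# Tokens that name a broken or deprecated primitive in a cipher suite name.
WEAK_TOKENS = {"NULL", "EXPORT", "EXP", "ANON", "RC4", "DES", "3DES", "CBC3", "MD5", "SHA1"}
MAX_REVIEW_AGE_DAYS = 365           # "regularly review their current compliance"


@dataclass
class VendorAttestation:
    name: str
    tier: int                       # 3 = third party, 4 = fourth party (sub-service vendor)
    at_rest: str                    # cipher the vendor reports for data at rest
    tls_min_version: str            # lowest TLS version the vendor still accepts, e.g. "1.2"
    cipher_suites: list             # suites the vendor's endpoints offer
    last_review: date               # date of our last compliance review of this vendor


def parse_tls_version(version):
    """Turn '1.2' into a comparable (1, 2) tuple."""
    major, minor = version.split(".")
    return (int(major), int(minor))


def weak_suites(suites):
    """Return the cipher suites whose names contain a weak or deprecated primitive."""
    flagged = []
    for suite in suites:
        tokens = set(suite.upper().replace("_", "-").split("-"))
        if tokens & WEAK_TOKENS:
            flagged.append(suite)
    return flagged


def assess(vendor, today):
    """Compare one vendor's attestation to the baseline; return a list of findings."""
    findings = []
    if vendor.at_rest not in APPROVED_AT_REST:
        findings.append(f"at-rest cipher {vendor.at_rest!r} is not on the approved list")
    if parse_tls_version(vendor.tls_min_version) < MIN_TLS:
        findings.append(f"minimum TLS {vendor.tls_min_version} is below required "
                        f"{MIN_TLS[0]}.{MIN_TLS[1]}")
    for suite in weak_suites(vendor.cipher_suites):
        findings.append(f"weak cipher suite offered: {suite}")
    age_days = (today - vendor.last_review).days
    if age_days > MAX_REVIEW_AGE_DAYS:
        findings.append(f"last compliance review was {age_days} days ago "
                        f"(limit {MAX_REVIEW_AGE_DAYS})")
    return findings


def assess_all(vendors, today):
    """Map vendor name -> findings for every vendor in the register."""
    return {v.name: assess(v, today) for v in vendors}


# Constructed sample register (fictional vendors) and a fixed reference date.
SAMPLE_TODAY = date(2017, 10, 1)
SAMPLE_VENDORS = [
    VendorAttestation("Example HVAC Services (3rd party)", 3, "AES-256-GCM", "1.2",
                      ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
                      date(2017, 6, 1)),
    VendorAttestation("Example Billing SaaS (3rd party)", 3, "AES-128-CBC", "1.0",
                      ["TLS_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
                      date(2015, 3, 15)),
    VendorAttestation("Example Backup Host (4th party)", 4, "AES-256-XTS", "1.2",
                      ["DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
                      date(2017, 9, 20)),
]

if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_VENDORS, SAMPLE_TODAY).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("   - " + finding)
```

Run as-is it reports the first vendor clean, the second with four findings (unapproved at-rest cipher, TLS 1.0, an RC4 suite, and a review that is more than two years old) and the fourth-party backup host with one (a 3DES suite). The point of keeping the baseline in constants at the top is that the policy, not the script, is what changes when a primitive is later considered broken; feeding the script from a vendor register on a schedule is the "track, monitor and validate" step the article describes.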