15 February 2023
Working with third party suppliers
When it comes to information security risk management, how do you ensure that the third parties engaged to do work for your organisation preserve the confidentiality, integrity, and availability of your information?
Often their “work” could include access to your organisation's data, intellectual property, financial, operational, or other sensitive information. Your third party supplier may also be working with other supply partners to complete the delivery of your work so the information security risks may be greater than your organisation understands.
Here are three reasons why cyber security must be a key consideration when collaborating with suppliers and partners:
- Over time it is likely you will increase the number of external touchpoints in your organisation, so if any of these “touchpoints” are compromised, you are at risk
- Third parties may be targeted as a route into your organisation, alternatively you may be targeted as a way into a third party
- At times you may have to share sensitive or valuable data or information which you expect your suppliers to protect
Some examples of the steps you can take to make improvements in this third-party risk area include:
- Identifying and categorising your third parties based on agreed criteria
- Identifying and classifying the information to be used by or shared with third parties
- Determining the level of due diligence you will apply upfront and ongoing to each of your third party categories
- Investigating whether any of those third parties have security policies, incident response plans, or experienced an information security incident, and so on
It is well worth getting this aspect of your IT and business operations in hand, in doing so you will help to protect your business from a range of possible reputational, regulatory, financial and legal issues.
Being able to demonstrate a good level of cyber security is increasingly a key component of supplier and provider contracts. Click below to find out how we can assist you to conduct a comprehensive third party information security risk review.
Third Party Information Security Risk Review
Getting ready for PCI DSS v4.0
With the release of the PCI DSS v4.0 standard, Kaon Security has initiated an upgrade exercise for Policy Management as a Service (PMaaS) to reflect the changes being introduced.
PCI DSS v3.2.1 is valid until 31 March 2024 to allow organisations time to understand the changes in version 4.0, update their templates and forms, and apply the necessary changes to meet the new requirements, at which point PCI DSS v4.0 will be the only active version of the standard. By 31 March 2025 organisations must also implement new requirements identified as best practices in v4.0.
There are 51 new requirements in PCI DSS v4.0 for all entities, and 13 new requirements for service providers (64 in total), as well as several clarifications and rearrangements applied to the existing requirements. This will result in several new best practice statements being added to PMaaS, as well as modifications to existing content.
All part of the service!
The maintenance and upkeep of IT policies is typically driven by changes in business requirements, the adoption of new technology, changes in best practice standards or more frequently a cybersecurity incident. In some of these examples the maintenance and upkeep work of policies may not be too significant however, when it comes to changes in best practice standards the work to go through policies and the updated standards guidance to check and/or edit wording to maintain alignment can be significant.
With the release of new versions of ISO27002 and PCI-DSS the standards bodies have allowed a reasonable timeframe for organisations to adopt the new version of their standard, which is necessary as there is a reasonable amount of work for organisations to do to align policies, processes and procedures with the new material.
A key benefit of Policy Management as a Service (PMaaS) is the fact that we do the heavy lifting when it comes to understanding and communicating the impact of changes in best practice standards. Our new online upgrade function within PMaaS delivers an efficiency gain as it allows customers to go straight to the specific policy material that needs to be reviewed as a result of a change in a standard. The upgrade function provides new or changed policy statement wording options that customers can adopt to ensure their policies are aligned with the new guidance.