• CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Resources
    • Blog
    • Strategy Guides
    • Case Studies
    • Data Sheets
    • Webinars
    • API
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • Products
  • TPRM by ThirdPartyTrust
  • Beacon by ThirdPartyTrust
  • Solutions
  • Risk Assessment Automation
  • Security Questionnaire Automation
  • Shadow IT Management
  • Zero Day Remediation
  • Integrations
  • Industries
    • Financial
    • Energy
    • Healthcare and Hospitals
    • Legal
    • Life Sciences
    • Manufacturing Industry
    • Retail
    • Technology
    • Other Industries
  • Pricing
  • Resources
  • Blog
  • Strategy Guides
  • Case Studies
  • Data Sheets
  • Webinars
  • Dictionary
  • API
  • Company
  • About us
  • Careers
  • Partners
  • Partners Login
  • Product Security
  • Privacy Policy

At Morningstar Security Summit, Experts Discuss Vendor Risk Management

Published by Guest Writer on July 27, 2017
Categories
  • Blog
Tags
  • TPRM Best Practices
MORNINGSTAR SECURITY SUMMIT VENDOR RISK MANAGEMENT

At the Morningstar Security Summit on June 26th, 2017, Morningstar’s CIO and team gathered industry experts to discuss best practices in cyber security and risk assessment. Sessions throughout the day included: State of the Security Industry, Understanding Emerging Threats and Regulatory Trends, Amazon Web Services Security, Protecting What Matters and a panel discussion on “Should You Trust Your Third Party Vendors?.”

The panelists included Anders Norremo, the CEO of ThirdPartyTrust, a leading vendor risk management platform; Amy Voegeli, the moderator from Morningstar’s IT Risk and Compliance team; Dan Nellessen, IT Risk and Compliance analyst at Morningstar; Vince Concilaldi, Partner at Grant Thorton LLP; Ryan O’Leary, Vice President at Whitehat Security; and lastly, Jay Schulman, a Principal of Security and Privacy at RSM US LLP.

ARE SOC REPORTS SUFFICIENT? 

Voegeli moderated the panel of security experts and started the conversation by asking if a SOC Report was sufficient to properly assessing the risk of third and fourth party vendors. System and Organization Controls (SOC) reports came about from the introduction of the Statement on Standards for Attestations and Engagements (SSAE) 16 auditing standard for service organizations in 2011 replacing SAS 70. Concilaldi from Grant Thornton says his firm has been performing SOC audits for enterprises for years and sees them as a great baseline.

The panelists agreed that there exists a multitude of additional measures to assess vendors, such as app scans, pen tests, risk assessment questionnaires, cyber insurance, perimeter scanning, and other certification requirements. However, the number of necessary measures depends on the level of risk associated with each vendor.

SOC reports have created a base standard companies to default to during an audit but the enterprise still must asked themselves which principles will be included in the scope of the SOC audit.

Vince Concilaldi, Grant Thornton
MORNINGSTAR SECURITY SUMMIT VENDOR RISK MANAGEMENT

WHERE DO I START AS AN ENTERPRISE? 

According to Anders Norremo of ThirdPartyTrust, the first step of a good vendor management program entails, “examining your vendor inventory and then measuring these entities’ inherent risk ratings.” The level of risk, says Norremo, will determine the level of necessary precautions in your risk management procedure.

Read more: Building a scalable TPRM program

Shulman of RSM suggested abiding by a framework, more specifically a framework your industry or clients adhere’s to most closely. The ISO 2700 family of standards can help organizations manage the security of assets such as financial information, intellectual property and healthcare data. Another set of standards was put out by The National Institute of Science and Technology (NIST) focusing on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. But again, before investing time, money and resources, understand what you’re customers want. 

WHAT DOES A HOLISITC VIEW LOOK LIKE? 

Anders Norremo and the other panelists advocate a holistic and customized approach to cyber security and to achieving third and fourth party assurance. 

A holistic approach includes considerations to applications and software, infrastructure hardware and software, remote and mobile hardware with software, network components and other technology considerations. For further reading on security considerations, read up on the security basics. 

ThirdPartyTrust is making it simple to assess third and fourth party vendor information to ensure your gaining every insight to potential cyber risks. It’s a supply chain security tool for companies wanting a holistic approach to vendor risk management. 




To learn more about how ThirdPartyTrust can help you manage third-party risk, request your free trial now:


Trial Account Sign-Up
Guest Writer
Guest Writer
    • Phone
      |+1-617-245-0469
    • Address
      |
      111 Huntington Ave, Suite 2010, Boston, MA 02199
    • Sales
      |sales@bitsighttech.com
    • Contact Us
    Laika_SOC2_TypeI_PurpleIris        CSA_Trusted_Cloud_Provider

    ©2022 ThirdPartyTrust, LLC and its Affiliates. All Rights Reserved. | 111 Huntington Ave. Suite 2010 Boston, MA 02199
    • BLOG
    • PARTNERS LOGIN
    • CONTACT US
    • PRIVACY POLICY
    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
    Do not sell my personal information.
    Reject AllAccept
    Cookie Settings
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
    CookieDurationDescription
    cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
    cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
    cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
    cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
    cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
    viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
    Functional
    Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
    Performance
    Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
    Analytics
    Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
    Advertisement
    Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
    Others
    Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
    SAVE & ACCEPT