Page 52 - Cyber Defense eMagazine - October 2017
For a good example of risk management and third-party risk management, look back at the Target breach of 2013. That breach exposed information from 41 million user accounts, costing the retailer $18.5 million in settlement costs. It was triggered when thieves hacked an HVAC contractor and stole its credentials to Target's network.

This underscores the importance of creating a sound risk management plan. Companies need to look at where their data will reside and at who, including third parties, has access to it. They need to build their security policies to ensure not only that their own networks are reinforced, but also that third and fourth parties are held responsible for maintaining a level of security in their own networks.

Adopting a risk management approach for cloud security extends beyond just developing the additional policies. Once your company has implemented the additional policies and controls based on its business vertical, additional processes are also needed to validate continued compliance. You need to be able to track, monitor and validate the security posture of disparate internal and external partners and vendors. Don't fall back on the historical practice of trying to enforce your own security procedures on them; instead, look at how you can monitor and validate your third- and fourth-party service providers. Make sure they align with their own security policies, which you have assessed as meeting or exceeding your own standards. You need to be able not only to validate that your partners, vendors, customers and other connections are compliant, but also to attest to the efficacy of that compliance to your customers, including the management of mitigation, remediation, incident response and breach notification.

Here are six moves companies can make now to adapt their security policies to the growing use of data in the cloud.

• Do a risk assessment – This is the first step in developing a whole risk management approach to cloud. You need to understand how you're using the cloud and what functions you're still running in your data center. Make a detailed report about the third parties you do business with and make sure they're meeting your standards for data protection.

• Implement third- and fourth-party risk management – This is no place to skimp. Make sure your sub-service vendors and service delivery partners also have mature cyber security programs that meet or exceed your own, and regularly review their current compliance with their own security programs.

• Strengthen your encryption controls – In the old world, you could allow unencrypted communication within your network; you relied on your own network security to keep the bad actors out. Now, with cloud computing, you need to be sure you have encryption at rest and encryption in transit. Which encryption methods are you using, and how do you make sure they haven't been broken? You have to assure that protection wherever the data resides.

Copyright © Cyber Defense Magazine, All rights reserved worldwide.
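The two questions the encryption and third-party bullets raise (is every vendor-held data store and data flow encrypted with something that has not been broken, and has the vendor's attestation been re-validated recently?) lend themselves to a repeatable check rather than a one-off reading of each attestation. The script below is an added example written for this page, not code from the magazine or from any vendor. The vendor inventory is constructed, the vendor names are hypothetical, and the "accepted" and "deprecated" algorithm lists are the author's assumptions; the deprecated entries rest on public withdrawals (SSLv2/SSLv3 and TLS 1.0/1.1 in RFC 8996, RC4 in RFC 7465, DES and 3DES in NIST SP 800-131A) and the accepted list is deliberately short so that anything unfamiliar is routed to a human rather than silently passed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Protocols and algorithms that are publicly deprecated or broken. A vendor
# declaring any of these fails the "has it been broken?" question outright.
# Sources (assumption by the example author, not from the article):
# SSLv2/SSLv3, TLS 1.0/1.1 -> RFC 8996; RC4 -> RFC 7465;
# DES/3DES -> NIST SP 800-131A; MD5/SHA-1 as signature hashes -> collision attacks.
DEPRECATED = {"SSLV2", "SSLV3", "TLS1.0", "TLS1.1", "RC4", "DES", "3DES", "MD5", "SHA1"}

# Declarations this checker accepts without manual review. Kept short on
# purpose: anything not listed is reported as "unrecognised" so a person has
# to look at it instead of the script quietly approving it.
ACCEPTED = {"TLS1.2", "TLS1.3", "AES-128-GCM", "AES-256-GCM",
            "AES-256-CBC", "AES-256-XTS", "CHACHA20-POLY1305"}


@dataclass
class Asset:
    """One data store or data flow declared in a vendor's security attestation."""
    vendor: str
    name: str
    mode: str          # "at_rest" or "in_transit"
    encrypted: bool
    algorithm: str     # cipher or protocol the vendor says it uses, e.g. "TLS1.2"
    assessed_on: date  # date we last validated this attestation ourselves


def check_asset(asset, today, max_age_days=365):
    """Return (severity, vendor, message) findings for one declared asset."""
    findings = []
    where = f"{asset.name} ({asset.mode})"
    if not asset.encrypted:
        findings.append(("high", asset.vendor, f"{where}: data is not encrypted"))
    else:
        alg = asset.algorithm.upper()
        if alg in DEPRECATED:
            findings.append(("high", asset.vendor,
                             f"{where}: declared algorithm {asset.algorithm} is deprecated or broken"))
        elif alg not in ACCEPTED:
            findings.append(("medium", asset.vendor,
                             f"{where}: algorithm {asset.algorithm!r} not on accepted list, needs manual review"))
    # Continued compliance: an attestation not re-validated inside the review
    # window is not evidence of the vendor's *current* posture.
    if today - asset.assessed_on > timedelta(days=max_age_days):
        findings.append(("medium", asset.vendor,
                         f"{where}: last validated {asset.assessed_on}, older than {max_age_days} days"))
    return findings


def check_inventory(assets, today, max_age_days=365):
    """Run check_asset over a whole vendor inventory."""
    findings = []
    for asset in assets:
        findings.extend(check_asset(asset, today, max_age_days))
    return findings


def findings_by_vendor(findings):
    """Group findings by vendor so each third party gets one follow-up list."""
    grouped = {}
    for severity, vendor, message in findings:
        grouped.setdefault(vendor, []).append((severity, message))
    return grouped


# Constructed sample inventory (hypothetical vendors and dates, not real data).
SAMPLE_INVENTORY = [
    Asset("hvac-contractor-example", "remote-access-vpn", "in_transit", True, "TLS1.2", date(2017, 6, 1)),
    Asset("payment-processor-example", "card-data-store", "at_rest", True, "AES-256-GCM", date(2016, 8, 15)),
    Asset("analytics-saas-example", "event-export", "in_transit", True, "TLS1.0", date(2017, 9, 1)),
    Asset("backup-provider-example", "offsite-tapes", "at_rest", False, "", date(2017, 9, 15)),
    Asset("logging-vendor-example", "log-archive", "at_rest", True, "Blowfish-CBC", date(2017, 9, 15)),
]

if __name__ == "__main__":
    report = findings_by_vendor(check_inventory(SAMPLE_INVENTORY, date(2017, 10, 1)))
    for vendor, items in report.items():
        print(vendor)
        for severity, message in items:
            print(f"  [{severity}] {message}")
```

Run against the constructed inventory with a review date of 1 October 2017, the VPN link is the only asset that passes; the card-data store is encrypted acceptably but its attestation is more than a year old, the analytics export declares TLS 1.0, the tape backups are unencrypted, and the log archive declares a cipher the checker does not recognise and so hands off for review. Tightening `max_age_days` to 90 also flags the VPN attestation as due for re-validation, which is the point of the "regularly review" bullet: the algorithm lists answer whether the protection is still sound, and the date check answers whether you actually know that today.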