Humans are your Asset: Maximize Cyber Security Awareness and Education 

18 July 2023 | 9.00AM (SGT)
Free Cyber Security Online Event

Aman Kumar

Senior Director - Governance, EC-Council Global Services

Aman is a post-graduate in Information Systems and Security and a Senior Director with EC-Council Global Services. He has 13+ years of experience leading and delivering IT security, compliance and attestation engagements for large and mid-sized organizations in the insurance, healthcare, real estate, logistics, e-commerce, microfinance, manufacturing, electronics, IT and ITES verticals. His work covers special attestation reviews (SOC 1, SOC 2), IT SOX, HIPAA, application controls testing, information security reviews, internal audits, ISO 27001, third-party security assessments, network security audits and IT due diligence reviews. He has worked with three large advisory firms and one of the largest insurance companies in the world, serving clients across APAC, the United States, Mexico and Guatemala.

Day 1: 18th July 2023

10:30 DISCUSSION: Address security gaps to better manage third-party risk

In today's interconnected digital landscape, organizations are increasingly reliant on third-party vendors and technology solutions. While this brings many benefits, it also introduces significant security challenges. During our panel discussion, we aim to explore strategies and best practices for addressing security gaps and effectively managing the associated risks. The discussion will revolve around three key talking points:


1. Ensuring proper integration of external technology:

As organizations increasingly adopt cloud-based and mobile technologies, it is becoming more difficult for IT departments to keep track of all of the technology that is in use within the organization. This can create security gaps, as unauthorized or insecure technologies may be used to access sensitive data.

To mitigate this risk, organizations should implement a process for vetting all new technologies before they are put into use. This process should include an assessment of the technology's security features and a review of the vendor's security practices. Additional talking points include:

  • Highlight the importance of integrating technology solutions created outside of IT's purview into the organization's cybersecurity framework.
  • Discuss the risks associated with "shadow IT" and the need for proactive measures to identify and address such technology gaps.
  • Share insights from EGS on how organizations can establish clear guidelines and processes to ensure seamless integration while maintaining robust security protocols.


2. Identifying potential risks with third-party vendors:

Third-party vendors can pose a significant risk to an organization's security. Vendors may have access to sensitive data, such as customer PII, and they may not have the same level of security expertise as the organization itself.

To mitigate this risk, organizations should carefully vet all third-party vendors before engaging them. This process should include an assessment of the vendor's security posture, including their minimum security standards, incident response plans, and security auditing requirements. Additional talking points include:

  • Discuss the significance of conducting thorough risk assessments and due diligence when engaging with third-party vendors.
  • Highlight the importance of establishing minimum security standards, incident response plans, and security auditing requirements for vendors.
  • Share experiences and best practices for effectively identifying and mitigating potential risks posed by third-party vendors.

 

3. Implementing controls to manage data exposure and risk:

Once an organization has identified the risks associated with third-party vendors, it should implement controls that limit the exposure of sensitive data to them. These controls may include data encryption, access controls scoped to what each vendor actually needs, and monitoring of vendor activity against that scope. Together they help protect sensitive data from unauthorized access, use, or disclosure. Additional talking points include:

  • Discuss the need for implementing stringent controls to limit the exposure of sensitive data to third-party vendors.
  • Share insights on how organizations can effectively manage and monitor data access, permissions, and data flow within the vendor ecosystem.
  • Discuss the role of ongoing risk assessments and regular security audits to ensure compliance and proactive risk management.
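One concrete form of the "access controls and monitoring" control in point 3, as an added example that is not part of the event page or of any EC-Council material: a short Python audit that compares each vendor service account's logged activity with its contracted scope (allowed datasets, allowed actions, engagement end date). The vendor register, the log format, and every account and dataset name below are constructed for the example.

```python
"""Audit third-party service-account activity against each vendor's contracted scope.

Added example with a constructed vendor register and constructed log lines.
Assumes an audit log with one event per line in the form
"<ISO-8601 timestamp> key=value key=value ..." (a hypothetical format).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class VendorScope:
    """What a vendor is contractually allowed to touch, and until when."""
    datasets: frozenset[str]     # datasets the vendor may access
    actions: frozenset[str]      # operations permitted on those datasets
    engagement_end: datetime     # credentials must stop working after this


# Constructed vendor register (hypothetical names). In practice this is fed from
# the contract and the vendor risk assessment, not from whoever issued the token.
VENDORS: dict[str, VendorScope] = {
    "svc-payroll-vendor": VendorScope(
        datasets=frozenset({"payroll"}),
        actions=frozenset({"read"}),
        engagement_end=datetime(2024, 1, 31, tzinfo=timezone.utc),
    ),
    "svc-analytics-vendor": VendorScope(
        datasets=frozenset({"web_events", "product_catalog"}),
        actions=frozenset({"read"}),
        engagement_end=datetime(2023, 7, 31, tzinfo=timezone.utc),
    ),
}


def parse_log_line(line: str) -> dict[str, str]:
    """Parse '<timestamp> k=v k=v ...' (constructed format) into a dict."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def check_event(event: dict[str, str], vendors: dict[str, VendorScope] = VENDORS) -> list[str]:
    """Return findings for one event; an empty list means the access was in scope."""
    principal = event.get("principal", "")
    scope = vendors.get(principal)
    if scope is None:
        # A service account nobody registered: shadow integration or stale credential.
        return ["unregistered principal"]

    findings = []
    # 'Z' suffix is not accepted by fromisoformat before Python 3.11, so normalise it.
    when = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    if when > scope.engagement_end:
        findings.append("access after engagement end")
    if event.get("dataset") not in scope.datasets:
        findings.append(f"dataset {event.get('dataset')} out of scope")
    if event.get("action") not in scope.actions:
        findings.append(f"action {event.get('action')} not permitted")
    return findings


def audit(lines: list[str], vendors: dict[str, VendorScope] = VENDORS) -> list[tuple[str, str]]:
    """Run every log line through check_event and return (principal, finding) pairs."""
    results = []
    for line in lines:
        event = parse_log_line(line)
        for finding in check_event(event, vendors):
            results.append((event.get("principal", "?"), finding))
    return results


# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    "2023-07-18T01:05:00Z principal=svc-payroll-vendor action=read dataset=payroll rows=340",
    "2023-07-18T01:07:12Z principal=svc-payroll-vendor action=export dataset=payroll rows=340",
    "2023-07-18T02:11:09Z principal=svc-analytics-vendor action=read dataset=customer_pii rows=1200",
    "2023-07-18T02:30:00Z principal=svc-legacy-vendor action=read dataset=web_events rows=5",
    "2023-08-02T09:00:00Z principal=svc-analytics-vendor action=read dataset=web_events rows=10",
]

if __name__ == "__main__":
    for principal, finding in audit(SAMPLE_LOG):
        print(f"ALERT {principal}: {finding}")
```

The four alerts this produces on the sample log map directly onto the talking points above: an export by a read-only vendor and a read of customer PII by a vendor scoped to web data are exposure beyond the contracted data flow, the unregistered account is shadow IT surfacing in the logs, and the access after the engagement end date is the gap that regular re-assessment and credential revocation are meant to close. The same register is also the natural place to record each vendor's assessment date and incident-response contact so that the audit, rather than a spreadsheet, is what tells you a review is overdue.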