Category Archives: Third-Party Risk & Vendor Risk Management

As people “Stay at Home” and work remotely during the COVID-19 pandemic, organizations have an increased reliance on external partners, suppliers, and third-party vendors to keep their businesses running. For some companies, this may be the first time their employees worked outside of their office, without the benefit of established security policies for working from home. It is crucial that third-party vendors be on the same page as their clients to ensure proper safeguards and business continuity. (more…)

While companies are consumed with the task of implementing remote work strategies in response to the COVID-19 crisis, it is critical to remember one thing: No matter how chaotic things get, Coronavirus does not exempt you from your industry or government compliancy obligations such as HIPAA, CCPA and PCI DSS. It also does not release you from your responsibility of employing Duty of Care when it comes to protecting third party personal data. (more…)

CAMP IT produces events designed to help IT professionals understand new technologies and make the critical, strategic and tactical decisions for their enterprises. (more…)

Your Vendors May Be Weak Links in Supply Chain Breaches

According to a survey conducted by the Ponemon Institute in 2018, 59 percent of companies have experienced a third-party breach of some type.  Despite the high prevalence of these incidents however, only 16 percent say they effectively mitigate third-party risks. (more…)

Author: Viviana Wesley, PCI QSA

Some recent breaches of cardholder data have been the direct result of a successful compromise of a trusted third party to the breached entity. For example, a factor in the well-publicized breach at Target may have been compromised credentials of a trusted service provider with access to the Target internal network. In order to attain and maintain PCI compliance, all businesses must control the risk that third party service providers pose to the cardholder data environment.  It’s important to understand the activities that you’ll need to undertake to manage this risk (third party risk management or TPRM). (more…)

The Target^® Breach in November 2013 lives infamously in our memories and has served as a pivot point for all businesses with regard to third party vendor management (TPRM).  After all, who could have imagined that the giant retailer would have been breached through a seemingly insignificant third party that didn’t seem to have direct network access? (more…)

Dear Antivirus Vendors,

On more and more incident response investigations, my clients (victims) have been asking the question “Why didn’t our Antivirus software detect the malware when we always keep it up to date?” I respond by telling them that they had targeted malware on their system. Their follow up question usually is whether antivirus software is relevant in this era of targeted threats and Modern Malware. (more…)

The Massachusetts law 201 CMR 17.00 that forces US organizations to protect the PII of Massachusetts residents went into its final enforcement phase on March 1, 2012. By that date, no exceptions, businesses that send Massachusetts-based PII to vendors (service providers) needed to require in providers’ contracts that they will also abide by the law. (more…)