CAMP IT Conferences Gallery
CAMP IT produces events designed to help IT professionals understand new technologies and make the critical, strategic and tactical decisions for their enterprises. (more…)
Category Archives: Third-Party Risk & Vendor Risk Management
Third-Party Vendors: Are You on the Same Page?
Your Vendors May Be Weak Links in Supply Chain Breaches
(more…)
Insufficient Vendor Reviews = Rampant Third-Party Breaches
According to a survey conducted by the Ponemon Institute in 2018, 59 percent of companies have experienced a third-party breach of some type. Despite the high prevalence of these incidents however, only 16 percent say they effectively mitigate third-party risks. (more…)
Clarifying the new PCI DSS 3.2 Requirements for Service Providers
By Viviana Wesley, PCI QSA, ISO 27001 Auditor
The process of securing cardholder data is a shared responsibility amongst multiple parties that play a role in the card transaction process. They include merchants, processors, acquirers, backup tape storage facilities, issuers and service providers just to name a few. All of these entities play a part in the far-reaching responsibility of protecting consumer data. The Payment Card Industry Data Security Standard or PCI DSS is the roadmap that they can turn to in order to prevent the compromising of primary account numbers (PAN) and other sensitive consumer credit card information. (more…)
11 Insights into Cyber Insurance and How It Concerns Your Business
AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
There’s digital gold in your data storage units, computers, networks, and clouds. There is also a large portion of your reputational capital, liability of multiple kinds, and quite possibly the economic viability of your enterprise. With all this at stake, protection against IT incidents and accidents is a priority. However, data backups and IT security measures can only handle so much. Cyber security insurance can help shield your business against the rest. (more…)
PCI and Third Party Security Assurance: The PCI Council’s Guidance Summarized
Author: Viviana Wesley, PCI QSA
Some recent breaches of cardholder data have been the direct result of a successful compromise of a trusted third party to the breached entity. For example, a factor in the well-publicized breach at Target may have been compromised credentials of a trusted service provider with access to the Target internal network. In order to attain and maintain PCI compliance, all businesses must control the risk that third party service providers pose to the cardholder data environment. It’s important to understand the activities that you’ll need to undertake to manage this risk (third party risk management or TPRM). (more…)
Vendor Risk Management Hype Extends Beyond Target®
The Target® Breach in November 2013 lives infamously in our memories and has served as a pivot point for all businesses with regard to third party vendor management (TPRM). After all, who could have imagined that the giant retailer would have been breached through a seemingly insignificant third party that didn’t seem to have direct network access? (more…)
An Open Letter to Antivirus Vendors: It is Time for Antivirus Software to Flag Memory Dumping
Dear Antivirus Vendors,
On more and more incident response investigations, my clients (victims) have been asking the question “Why didn’t our Antivirus software detect the malware when we always keep it up to date?” I respond by telling them that they had targeted malware on their system. Their follow up question usually is whether antivirus software is relevant in this era of targeted threats and Modern Malware. (more…)
3rd Party Providers
3rd Party Providers. Remember when the big car companies in Detroit went through their quality measures and certifications, then began requiring all their 1st tier vendors to undergo the same quality certifications? This later trickled down to the multiple tiers of vendors that supported the 1st tier vendors. It was (is) called QS 9000. (more…)
March 1 – Your Vendor Contracts Were Supposed to be Updated
The Massachusetts law 201 CMR 17.00 that forces US organizations to protect the PII of Massachusetts residents went into its final enforcement phase on March 1, 2012. By that date, no exceptions, businesses that send Massachusetts-based PII to vendors (service providers) needed to require in providers’ contracts that they will also abide by the law. (more…)