After giving CMMC v0.4 a bit of a butchering in September of last year, I thought it only fair to revisit the Cybersecurity Maturity Model Certification being proposed by the US DoD, that all third party contractors will have to adhere to from June 2020. I have to say I am pleasantly surprised with the …
Historically, Third Party Assurance meant evaluating the financial resilience of an organisation to determine whether they were viable enough to deliver what you needed. Today, the Third-Party Assurance landscape has moved on significantly. Like the expanding Universe, Third Party Assurance regulation, legislation and requirements seem to be accelerating. Anti-money laundering, Bribery and Corruption, Modern Slavery, …
This initial investigation was triggered by guidance that was released by the ICO in the UK, that insists that processors must allow audit and inspection rights to their controllers in their contractual terms. In the GDPR , Article 28.3.h states: That contract or other legal act shall stipulate, in particular, that the processor: makes available …
We left off last time out on Risk Treatment. The previous post is here. So following up using ISO 27001 as a base for our questions, the next section would be Performance Evaluation. Performance Evaluation In ISO 27001 speak, this is the monitoring of your security controls. You can understand a lot about the maturity …
Third Party Security Assurance Questions – Part 2 Read More »
The US Department of Defense recently released version 0.4 of its CyberSecurity Maturity Model Certification (CMMC). This is supposed to make third parties more accountable for their security controls to the DoD for the sensitive information they handle. If you cannot follow the link, it is because you are not in the US. They have …
How not to create a Maturity Model for Third Parties Read More »
Third Party Security Assurance has made a pretty poor name for itself. This is due to many organisations paying lip-service to the requirement and not implementing it properly. Many organisations view Third Party Security Assurance as the need to send your supplier a questionnaire with some security questions on it, and when (or even IF) …
Organisations spend considerable sums of money to protect themselves against the cyber risks that they see in front of them. Unfortunately, you can’t manage what you can’t see. This has been the problem with third party assurance for a significant length of time. Historically, data was fairly immobile with mainframes and the lack of an …
