
A Deep-Dive into TPRM & NIST Framework Integration

032422TN

Recorded: April 20, 2023

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is one of the leading frameworks for managing cybersecurity risk in both the private and public sectors, and it is used by organizations of all sizes. The Framework helps organizations secure their information systems and guides key risk management decisions at every level of the organization, from senior executives to business and process owners to operations staff.

NIST has issued special publications focused on improving Third-Party Risk Management (TPRM) and Supply Chain Risk Management (SCRM); however, these are not light reading. With 5 functions, 23 categories, and 108 subcategories in the CSF, identifying which security controls apply to cyber supply chain risk management is a daunting task. On this CPE webinar we will address the specific security controls for third-party information security management and explain how to align risk management processes with these requirements, including how to:

  • Prioritize and assess third parties using a cyber supply chain risk assessment process,
  • Develop processes for continuously monitoring third-party security postures and determining control effectiveness,
  • Identify security gaps and carry out response action plans with suppliers and third-party providers,
  • Track progress in implementing the NIST Framework using its four Implementation Tiers as a maturity scale.

Moderator

Colin Whittaker, PCI Industry Alumni, Founder and Director, Informed Risk Decisions Ltd. Colin has been instrumental in driving forward a risk and security strategy for payments over the last 15 years, since he retired from the military in 2001 and took up the role of Head of Security at APACS. Whilst there he was one of the first people elected to the PCI SSC Board of Advisors, where he was always keen to promote awareness of the differences in threat between Europe and the UK on one side and the US on the other. Since that election he hasn't moved far from the PCI domain. In 2010 he moved to Visa Europe and became Vice President, Payment System Risk, with responsibility for designing and operating the Visa Europe PCI compliance strategy for European merchants and service providers. He was also responsible for coordinating Visa Europe's approach to cardholder data breaches in Europe, and for the changes to the Visa Europe compliance strategy made through the creation of the Technology Innovation Programme, which gave the very first PCI DSS compliance relief to merchants accepting EMV chip cards. In 2015 he went independent and currently provides cyber security risk consultancy services to a wide range of public and private companies. Colin has presented on information security at major events around the world and has published a number of papers on security.

Panel

Joe Toley, Project Director, R&D Development at Prevalent. Joe is responsible for helping organizations operationalize and mature their Third-Party Risk Management programs. He joined Prevalent from 3GRC, where he was instrumental in defining the services and deliverables that support the use of risk management technology, and he prides himself on taking client requirements and translating them into achievable plans. He comes from an IT security background, with an original focus on data security and data loss prevention, before shifting his efforts to the Third-Party Risk Management space 5 years ago.

Steve Tobias, Lead Client Success Advisor. As a Lead Client Success Advisor at RiskRecon by Mastercard, Steve partners with clients from various industry sectors to ensure they get the most out of the RiskRecon platform. He leverages his risk management experience to provide recommendations for incorporating vendor security ratings into third-party cyber risk management programs and maturing those programs. His 20+ years of cybersecurity experience include information security, frameworks, governance, risk and compliance, third-party risk management, and cyber risk program development. Prior to RiskRecon/Mastercard, he led a cyber risk management team and helped develop a cyber risk and TPRM program in the healthcare sector. Steve holds a Bachelor's in Information Systems Management, as well as CISSP, CISM, and CTPRP certifications.

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium and the founder of Security Weekly, a security podcast network (acquired by CyberRisk Alliance in 2020). Paul's previous roles were spent "in the trenches": coding in Python, testing security products, and evaluating and implementing open-source software. Paul's career began with implementing security programs for a lottery company and then for a large university. Paul comes from the offensive side of security, having spent several years as a penetration tester. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management.

Vincent Dour, Senior Manager, Implementation Services at LogicGate, a SaaS company whose proprietary Risk Cloud® platform helps organizations automate and streamline their GRC processes. Prior to joining LogicGate, Vince worked in Risk & Compliance Consulting at Protiviti and RSM, helping clients assess, manage, and remediate risk and enhance their controls. At LogicGate, Vince draws on that risk experience to identify and design GRC and Third-Party Risk Management processes for Risk Cloud customers, based on industry trends and best practices.