ISBN-13: 9781119809555 / English / Paperback / 2021 / 480 pages
Table of Contents

Foreword xvi
Introduction xviii

Section 1 Cybersecurity Third-Party Risk

Chapter 1 What is the Risk? 1
  The SolarWinds Supply-Chain Attack 4
  The VGCA Supply-Chain Attack 6
  The Zyxel Backdoor Attack 9
  Other Supply-Chain Attacks 10
  Problem Scope 12
  Compliance Does Not Equal Security 15
  Third-Party Breach Examples 17
  Third-Party Risk Management 24
  Cybersecurity and Third-Party Risk 27
  Cybersecurity Third-Party Risk as a Force Multiplier 32
  Conclusion 33

Chapter 2 Cybersecurity Basics 35
  Cybersecurity Basics for Third-Party Risk 38
  Cybersecurity Frameworks 46
  Due Care and Due Diligence 53
  Cybercrime and Cybersecurity 56
  Types of Cyberattacks 59
  Analysis of a Breach 63
  The Third-Party Breach Timeline: Target 66
  Inside Look: Home Depot Breach 68
  Conclusion 72

Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
  The Pandemic Shutdown 77
  Timeline of the Pandemic Impact on Cybersecurity 80
  Post-Pandemic Changes and Trends 84
  Regulated Industries 98
  An Inside Look: P&N Bank 100
  SolarWinds Attack Update 102
  Conclusion 104

Chapter 4 Third-Party Risk Management 107
  Third-Party Risk Management Frameworks 113
  ISO 27036:2013+ 114
  NIST 800-SP 116
  NIST 800-161 Revision 1: Upcoming Revision 125
  NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
  The Cybersecurity and Third-Party Risk Program Management 127
  Kristina Conglomerate (KC) Enterprises 128
  KC Enterprises' Cyber Third-Party Risk Program 131
  Inside Look: Marriott 140
  Conclusion 141

Chapter 5 Onboarding Due Diligence 143
  Intake 145
  Data Privacy 146
  Cybersecurity 147
  Amount of Data 149
  Country Risk and Locations 149
  Connectivity 150
  Data Transfer 150
  Data Location 151
  Service-Level Agreement or Recovery Time Objective 151
  Fourth Parties 152
  Software Security 152
  KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
  Cybersecurity in Request for Proposals 154
  Data Location 155
  Development 155
  Identity and Access Management 156
  Encryption 156
  Intrusion Detection/Prevention System 157
  Antivirus and Malware 157
  Data Segregation 158
  Data Loss Prevention 158
  Notification 158
  Security Audits 159
  Cybersecurity Third-Party Intake 160
  Data Security Intake Due Diligence 161
  Next Steps 167
  Ways to Become More Efficient 173
  Systems and Organization Controls Reports 174
  Chargebacks 177
  Go-Live Production Reviews 179
  Connectivity Cyber Reviews 179
  Inside Look: Ticketmaster and Fourth Parties 182
  Conclusion 183

Chapter 6 Ongoing Due Diligence 185
  Low-Risk Vendor Ongoing Due Diligence 189
  Moderate-Risk Vendor Ongoing Due Diligence 193
  High-Risk Vendor Ongoing Due Diligence 196
  "Too Big to Care" 197
  A Note on Phishing 200
  Intake and Ongoing Cybersecurity Personnel 203
  Ransomware: A History and Future 203
  Asset Management 205
  Vulnerability and Patch Management 206
  802.1x or Network Access Control (NAC) 206
  Inside Look: GE Breach 207
  Conclusion 208

Chapter 7 On-site Due Diligence 211
  On-site Security Assessment 213
  Scheduling Phase 214
  Investigation Phase 215
  Assessment Phase 217
  On-site Questionnaire 221
  Reporting Phase 227
  Remediation Phase 227
  Virtual On-site Assessments 229
  On-site Cybersecurity Personnel 231
  On-site Due Diligence and the Intake Process 233
  Vendors Are Partners 234
  Consortiums and Due Diligence 235
  Conclusion 237

Chapter 8 Continuous Monitoring 239
  What is Continuous Monitoring? 241
  Vendor Security-Rating Tools 241
  Inside Look: Health Share of Oregon's Breach 251
  Enhanced Continuous Monitoring 252
  Software Vulnerabilities/Patching Cadence 253
  Fourth-Party Risk 253
  Data Location 254
  Connectivity Security 254
  Production Deployment 255
  Continuous Monitoring Cybersecurity Personnel 258
  Third-Party Breaches and the Incident Process 258
  Third-Party Incident Management 259
  Inside Look: Uber's Delayed Data Breach Reporting 264
  Inside Look: Nuance Breach 265
  Conclusion 266

Chapter 9 Offboarding 267
  Access to Systems, Data, and Facilities 270
  Physical Access 274
  Return of Equipment 275
  Contract Deliverables and Ongoing Security 275
  Update the Vendor Profile 276
  Log Retention 276
  Inside Look: Morgan Stanley Decommissioning Process Misses 277
  Inside Look: Data Sanitization 279
  Conclusion 283

Section 2 Next Steps

Chapter 10 Securing the Cloud 285
  Why is the Cloud So Risky? 287
  Introduction to NIST Service Models 288
  Vendor Cloud Security Reviews 289
  The Shared Responsibility Model 290
  Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
  Security Advisor Reports as Patterns 298
  Inside Look: The Capital One Breach 312
  Conclusion 313

Chapter 11 Cybersecurity and Legal Protections 315
  Legal Terms and Protections 317
  Cybersecurity Terms and Conditions 321
  Offshore Terms and Conditions 324
  Hosted/Cloud Terms and Conditions 327
  Privacy Terms and Conditions 331
  Inside Look: Heritage Valley Health vs. Nuance 334
  Conclusion 335

Chapter 12 Software Due Diligence 337
  The Secure Software Development Lifecycle 340
  Lessons from SolarWinds and Critical Software 342
  Inside Look: Juniper 344
  On-Premises Software 346
  Cloud Software 348
  Open Web Application Security Project Explained 350
  OWASP Top 10 350
  OWASP Web Security Testing Guide 352
  Open Source Software 353
  Software Composition Analysis 355
  Inside Look: Heartbleed 355
  Mobile Software 357
  Testing Mobile Applications 358
  Code Storage 360
  Conclusion 362

Chapter 13 Network Due Diligence 365
  Third-Party Connections 368
  Personnel Physical Security 368
  Hardware Security 370
  Software Security 371
  Out-of-Band Security 372
  Cloud Connections 374
  Vendor Connectivity Lifecycle Management 375
  Zero Trust for Third Parties 379
  Internet of Things and Third Parties 385
  Trusted Platform Module and Secure Boot 388
  Inside Look: The Target Breach (2013) 390
  Conclusion 391

Chapter 14 Offshore Third-Party Cybersecurity Risk 393
  Onboarding Offshore Vendors 397
  Ongoing Due Diligence for Offshore Vendors 399
  Physical Security 399
  Offboarding Due Diligence for Offshore Vendors 402
  Inside Look: A Reminder on Country Risk 404
  Country Risk 405
  KC's Country Risk 406
  Conclusion 409

Chapter 15 Transform to Predictive 411
  The Data 414
  Vendor Records 415
  Due Diligence Records 416
  Contract Language 416
  Risk Acceptances 417
  Continuous Monitoring 417
  Enhanced Continuous Monitoring 417
  How Data is Stored 418
  Level Set 418
  A Mature to Predictive Approach 420
  The Predictive Approach at KC Enterprises 420
  Use Case #1: Early Intervention 423
  Use Case #2: Red Vendors 425
  Use Case #3: Reporting 426
  Conclusion 427

Chapter 16 Conclusion 429
  Advanced Persistent Threats Are the New Danger 431
  Cybersecurity Third-Party Risk 435

Index 445
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.