Cybersecurity and Third-Party Risk: Third Party Threat Hunting

Contents

Foreword xvi
Introduction xviii

Section 1: Cybersecurity Third-Party Risk

Chapter 1 What is the Risk? 1
    The SolarWinds Supply-Chain Attack 4
    The VGCA Supply-Chain Attack 6
    The Zyxel Backdoor Attack 9
    Other Supply-Chain Attacks 10
    Problem Scope 12
    Compliance Does Not Equal Security 15
    Third-Party Breach Examples 17
    Third-Party Risk Management 24
    Cybersecurity and Third-Party Risk 27
    Cybersecurity Third-Party Risk as a Force Multiplier 32
    Conclusion 33

Chapter 2 Cybersecurity Basics 35
    Cybersecurity Basics for Third-Party Risk 38
    Cybersecurity Frameworks 46
    Due Care and Due Diligence 53
    Cybercrime and Cybersecurity 56
    Types of Cyberattacks 59
    Analysis of a Breach 63
    The Third-Party Breach Timeline: Target 66
    Inside Look: Home Depot Breach 68
    Conclusion 72

Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
    The Pandemic Shutdown 77
    Timeline of the Pandemic Impact on Cybersecurity 80
    Post-Pandemic Changes and Trends 84
    Regulated Industries 98
    An Inside Look: P&N Bank 100
    SolarWinds Attack Update 102
    Conclusion 104

Chapter 4 Third-Party Risk Management 107
    Third-Party Risk Management Frameworks 113
    ISO 27036:2013+ 114
    NIST 800-SP 116
    NIST 800-161 Revision 1: Upcoming Revision 125
    NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
    The Cybersecurity and Third-Party Risk Program Management 127
    Kristina Conglomerate (KC) Enterprises 128
    KC Enterprises' Cyber Third-Party Risk Program 131
    Inside Look: Marriott 140
    Conclusion 141

Chapter 5 Onboarding Due Diligence 143
    Intake 145
    Data Privacy 146
    Cybersecurity 147
    Amount of Data 149
    Country Risk and Locations 149
    Connectivity 150
    Data Transfer 150
    Data Location 151
    Service-Level Agreement or Recovery Time Objective 151
    Fourth Parties 152
    Software Security 152
    KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
    Cybersecurity in Request for Proposals 154
    Data Location 155
    Development 155
    Identity and Access Management 156
    Encryption 156
    Intrusion Detection/Prevention System 157
    Antivirus and Malware 157
    Data Segregation 158
    Data Loss Prevention 158
    Notification 158
    Security Audits 159
    Cybersecurity Third-Party Intake 160
    Data Security Intake Due Diligence 161
    Next Steps 167
    Ways to Become More Efficient 173
    Systems and Organization Controls Reports 174
    Chargebacks 177
    Go-Live Production Reviews 179
    Connectivity Cyber Reviews 179
    Inside Look: Ticketmaster and Fourth Parties 182
    Conclusion 183

Chapter 6 Ongoing Due Diligence 185
    Low-Risk Vendor Ongoing Due Diligence 189
    Moderate-Risk Vendor Ongoing Due Diligence 193
    High-Risk Vendor Ongoing Due Diligence 196
    "Too Big to Care" 197
    A Note on Phishing 200
    Intake and Ongoing Cybersecurity Personnel 203
    Ransomware: A History and Future 203
    Asset Management 205
    Vulnerability and Patch Management 206
    802.1x or Network Access Control (NAC) 206
    Inside Look: GE Breach 207
    Conclusion 208

Chapter 7 On-site Due Diligence 211
    On-site Security Assessment 213
    Scheduling Phase 214
    Investigation Phase 215
    Assessment Phase 217
    On-site Questionnaire 221
    Reporting Phase 227
    Remediation Phase 227
    Virtual On-site Assessments 229
    On-site Cybersecurity Personnel 231
    On-site Due Diligence and the Intake Process 233
    Vendors Are Partners 234
    Consortiums and Due Diligence 235
    Conclusion 237

Chapter 8 Continuous Monitoring 239
    What is Continuous Monitoring? 241
    Vendor Security-Rating Tools 241
    Inside Look: Health Share of Oregon's Breach 251
    Enhanced Continuous Monitoring 252
    Software Vulnerabilities/Patching Cadence 253
    Fourth-Party Risk 253
    Data Location 254
    Connectivity Security 254
    Production Deployment 255
    Continuous Monitoring Cybersecurity Personnel 258
    Third-Party Breaches and the Incident Process 258
    Third-Party Incident Management 259
    Inside Look: Uber's Delayed Data Breach Reporting 264
    Inside Look: Nuance Breach 265
    Conclusion 266

Chapter 9 Offboarding 267
    Access to Systems, Data, and Facilities 270
    Physical Access 274
    Return of Equipment 275
    Contract Deliverables and Ongoing Security 275
    Update the Vendor Profile 276
    Log Retention 276
    Inside Look: Morgan Stanley Decommissioning Process Misses 277
    Inside Look: Data Sanitization 279
    Conclusion 283

Section 2: Next Steps

Chapter 10 Securing the Cloud 285
    Why is the Cloud So Risky? 287
    Introduction to NIST Service Models 288
    Vendor Cloud Security Reviews 289
    The Shared Responsibility Model 290
    Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
    Security Advisor Reports as Patterns 298
    Inside Look: The Capital One Breach 312
    Conclusion 313

Chapter 11 Cybersecurity and Legal Protections 315
    Legal Terms and Protections 317
    Cybersecurity Terms and Conditions 321
    Offshore Terms and Conditions 324
    Hosted/Cloud Terms and Conditions 327
    Privacy Terms and Conditions 331
    Inside Look: Heritage Valley Health vs. Nuance 334
    Conclusion 335

Chapter 12 Software Due Diligence 337
    The Secure Software Development Lifecycle 340
    Lessons from SolarWinds and Critical Software 342
    Inside Look: Juniper 344
    On-Premises Software 346
    Cloud Software 348
    Open Web Application Security Project Explained 350
    OWASP Top 10 350
    OWASP Web Security Testing Guide 352
    Open Source Software 353
    Software Composition Analysis 355
    Inside Look: Heartbleed 355
    Mobile Software 357
    Testing Mobile Applications 358
    Code Storage 360
    Conclusion 362

Chapter 13 Network Due Diligence 365
    Third-Party Connections 368
    Personnel Physical Security 368
    Hardware Security 370
    Software Security 371
    Out-of-Band Security 372
    Cloud Connections 374
    Vendor Connectivity Lifecycle Management 375
    Zero Trust for Third Parties 379
    Internet of Things and Third Parties 385
    Trusted Platform Module and Secure Boot 388
    Inside Look: The Target Breach (2013) 390
    Conclusion 391

Chapter 14 Offshore Third-Party Cybersecurity Risk 393
    Onboarding Offshore Vendors 397
    Ongoing Due Diligence for Offshore Vendors 399
    Physical Security 399
    Offboarding Due Diligence for Offshore Vendors 402
    Inside Look: A Reminder on Country Risk 404
    Country Risk 405
    KC's Country Risk 406
    Conclusion 409

Chapter 15 Transform to Predictive 411
    The Data 414
    Vendor Records 415
    Due Diligence Records 416
    Contract Language 416
    Risk Acceptances 417
    Continuous Monitoring 417
    Enhanced Continuous Monitoring 417
    How Data is Stored 418
    Level Set 418
    A Mature to Predictive Approach 420
    The Predictive Approach at KC Enterprises 420
    Use Case #1: Early Intervention 423
    Use Case #2: Red Vendors 425
    Use Case #3: Reporting 426
    Conclusion 427

Chapter 16 Conclusion 429
    Advanced Persistent Threats Are the New Danger 431
    Cybersecurity Third-Party Risk 435

Index 445