Deb Stonikas asks about security and third party vendors
Deb Stonikas: Last week’s headline news: Scottrade data breach exposes 20,000 customer accounts. Their response? 20,000 customer accounts were exposed when a third-party vendor uploaded a file to a server without proper security protocols. I guess this is just another example of how third-party vendors never make headline news. But more importantly, what I want to talk about today is the NIST framework. In January of 2017, the NIST framework was updated to include supply chain risk management for security. Can you elaborate on those updates and tell us what’s happening now?
Steve Kent: So, yes, NIST updated their guidelines to include more supply chain vendor management than it previously had. The guidelines were previously there and had been there since ISO 27000-02. Those guidelines include any data handling within vendors or suppliers or even third parties working with the organization. Everything from HRM or HR outsourcing companies to healthcare providers, even as far as security guards and cleaning crew. Anyone that may have access to either sensitive data or have access to equipment in which that data may be located. So whenever we’re looking at controlling security throughout the organization, classified, protecting the data we have, we have to take into account and audit those particular vendors and what access levels they may have and conduct risk management appropriate at each one of those vendors.