Or: The PAW Service
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
I’m working on a talk about the new vendor management guidance. Let me give my take on it using the good old-fashioned risk management approach, defined as risk measurement, risk response, and risk monitoring.
Risk measurement tells us one predictable thing: most of the risk community banks face lies either with their employees or with their vendors.
Risk response is well guided by the FFIEC, or in this case, the inter-agency process. While I usually say you don’t want to wait for the federal government to improve your practices, non-technical guidance like this, which is really a compilation of observed best practices, really does help us manage risk.
As for risk monitoring, I am really glad to see a heightened emphasis on incident response, monitoring, and proactive management of third-party relationships. The guidance covers more than the piece we are knee-deep in, which is monitoring third-party access to bank networks; in fact, it doesn’t really speak to monitoring their access to your network. But we have always maintained that this control is critical if you have granted network access to 1099 employees, subcontractors, auditors, consultants, or entire businesses.
We’ve been doing third-party network access monitoring since about 2008. For a while, we called it our PAW service. I thought PAW was so much easier to say than third-party network access monitoring. And the PAW service was about more than third parties. PAW stood for “Put a Watch” – we can watch almost anything and report on it if you’d like. We can “Put a Watch” on any asset, user ID, account number, word … anything you can find in network traffic, or any record in the logs associated with network access.
While PAW turned out to be a terrible name, the service has been protecting our Clients from illegitimate use of legitimate third-party access. (The essence of the insider threat is that it is illegitimate use by a legitimate user.)
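To make the “Put a Watch” idea concrete, here is an added example (not infotex’s PAW code, and not from the original post) that scans a handful of constructed authentication log lines against a watch list of third-party accounts. Each watched account is given an assumed approved scope (hosts, source addresses, and a time window, standing in for the contract terms), and any access outside that scope, any failed login by a watched account, and any appearance of a watched term such as an account number raises an alert. The log format, account names, hosts, addresses and hours are all assumptions made up for the illustration.

```python
"""Third-party network access watch over authentication logs.

Added illustration of a "put a watch" control; not infotex's PAW service.
Log format, accounts, hosts, addresses and windows are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumed syslog-like line: "<ISO ts> <host> sshd: <user> from <ip> <ACCEPTED|FAILED>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<user>\S+) from (?P<ip>\S+) (?P<result>ACCEPTED|FAILED)$"
)


@dataclass
class Watch:
    """Approved scope for one third-party account (assumed contract terms)."""
    hosts: set          # hosts the account may reach
    ips: set            # source addresses the account may come from
    window: tuple       # (start, end) local times; access allowed inside only
    label: str          # who the third party is, for the alert text


@dataclass
class Alert:
    user: str
    reason: str
    line: str


def parse(line: str):
    """Return the fields of an sshd auth line, or None for unrelated lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["raw"] = line
    return ev


def check_event(ev: dict, watches: dict) -> list:
    """Alerts one parsed event raises against the watch list (empty if none)."""
    user = ev["user"]
    w = watches.get(user)
    if w is None:
        return []  # employee or unwatched account; out of scope for this watch
    if ev["result"] == "FAILED":
        return [Alert(user, f"{w.label}: failed login by watched third-party account", ev["raw"])]
    alerts = []
    if ev["host"] not in w.hosts:
        alerts.append(Alert(user, f"{w.label}: host {ev['host']} not in approved scope", ev["raw"]))
    if ev["ip"] not in w.ips:
        alerts.append(Alert(user, f"{w.label}: source {ev['ip']} not an approved address", ev["raw"]))
    start, end = w.window
    t = ev["ts"].time()
    if not (start <= t <= end):
        alerts.append(Alert(user, f"{w.label}: access at {t} outside approved window", ev["raw"]))
    return alerts


def scan(lines, watches: dict, terms=frozenset()) -> list:
    """Run every watch over the log: account scope checks plus raw term matches."""
    alerts = []
    for line in lines:
        # A term watch applies to every line, parsed or not (account numbers, words).
        for term in terms:
            if term in line:
                alerts.append(Alert("*", f"watched term {term!r} seen", line))
        ev = parse(line)
        if ev is not None:
            alerts.extend(check_event(ev, watches))
    return alerts


# Constructed watch list and sample log; none of this is real data.
WATCHES = {
    "vendor-core": Watch({"core-app-01"}, {"203.0.113.10"}, (time(8, 0), time(17, 0)), "Core vendor"),
    "auditor-jdoe": Watch({"gl-reports"}, {"198.51.100.5"}, (time(7, 0), time(19, 0)), "External auditor"),
}
TERMS = frozenset({"4411-0092"})  # an assumed account number to watch for anywhere
SAMPLE_LOG = [
    "2024-03-04T09:15:02 core-app-01 sshd: vendor-core from 203.0.113.10 ACCEPTED",  # in scope
    "2024-03-04T23:40:11 core-app-01 sshd: vendor-core from 203.0.113.10 ACCEPTED",  # after hours
    "2024-03-04T10:02:45 dc-01 sshd: vendor-core from 198.51.100.77 ACCEPTED",       # wrong host and source
    "2024-03-04T11:30:00 gl-reports sshd: auditor-jdoe from 198.51.100.5 FAILED",    # failed login
    "2024-03-04T11:31:00 gl-reports sshd: auditor-jdoe from 198.51.100.5 ACCEPTED",  # in scope
    "2024-03-04T12:00:00 fileserver sshd: jsmith from 10.0.0.5 ACCEPTED",            # employee, unwatched
    "2024-03-04T13:00:00 gl-reports app: export acct 4411-0092 by auditor-jdoe",     # term hit only
    "kernel: something unrelated",                                                  # ignored
]


def run_sample() -> list:
    return scan(SAMPLE_LOG, WATCHES, TERMS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.user:14} {a.reason}")
```

The scope checks are independent, so one event can raise several alerts (the `dc-01` line raises both a host and a source alert), which is usually what you want when the reviewer has to decide whether the vendor simply connected from a new office or something is actually wrong. In practice the watch list would be generated from the vendor inventory and access agreements rather than typed in, and the time window would be the maintenance window in the contract.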
It is one more way our Clients have been way ahead of the regulations.
Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex
“Dan’s New Leaf” – a fun blog to inspire thought in IT Governance.