
The Anti-Checklist Manifesto

44CON Information Security Conference via YouTube

Overview

This talk proposes a different way to assess Third Party Risk (3PR): instead of the traditional checklist or spreadsheet questionnaire, ask a vendor ten simple but crucial questions whose answers serve as proxies for how seriously the organization takes trust and security. It explains where current risk-assessment practice falls short and offers a sample set of questions to start from, with the aim of equipping participants to write effective proxy questions of their own. It is intended for executives, compliance officers, information security professionals, and anyone involved in assessing third-party risk within an organization.

Syllabus

Intro
The Anti-Checklist Manifesto: Thoughts On Assessing Third Party Risk
Chances are, a business team set the deliverables. The legal team discussed the contract terms. Only then did the compliance and infosec team get brought in. Odds are, engineering wasn't consulted at all.
What Is To Be Done?
Ask questions. Up front.
A preliminary security speed bump at the start of a bake-off can prevent teams from wasting their time.
Speed bump. No more than 10 questions.
To work, these questions must be simple, and must act as proxies for security.
Do you encrypt all our data in transit, and at rest within your systems?
Are all our data segregated from other customers' data?
Please describe the architecture and segregation of customer data within your object storage (S3 buckets, blob storage, etc.).
Describe your internal authentication regime.
Please describe how you maintain least-privilege in your environments.
Do any of your internal systems use static credentials? How do you audit their use?
How do you manage secrets in your production and non-production environments?
Do you have a named executive responsible for security? What is their title, and to whom in the organization do they report?
Do you have written information security, data security, encryption, acceptable use, and physical security policies?
Does your company require all engineers to undergo regular secure coding training?
PISA: security questions before a bake-off. You still need due diligence; this just disqualifies providers.
SOC 2 is not a free pass, but lack of SOC 2 isn't a disqualifier either (use VSA Core).
Seek sensible answers.
Stop the Spreadsheet Cat Rodeo.

Taught by

44CON Information Security Conference
