CXO Security Handout

Giving vendors access and making sure they can perform their duties in a timely  manner is important. Having vendors comply with an organization’s policies though can be tricky due to lack of monitoring, auditing, control of permissions and contracts. Many times vendors request or require non-delegated access to resources to complete tasks, which requires no onsite user interaction. This can be concerning if the vendor is not being audited and the organization would like to protect their data. The Extended Enterprise Framework is an easy to use tool to highlight gaps in your current cybersecurity posture with 3rd party vendors providing IT service delivery. This handout is to support the C-Level in quickly identifying where both compliance and security gaps exist when talking about 3rd party vendors accessing corporate resources. Handout is simple can you fill in all the boxes with examples of your production deployment. 

Review and Download

Supporting Information

National Institute of Standards and Technology (NIST)

NIST is an organization with strong values, reflected both in our history and our current work.  NIST leadership and staff will uphold these values to ensure a high performing environment that is safe and respectful of all.

Perseverance: We take the long view, planning the future with scientific knowledge and imagination to ensure continued impact and relevance for our stakeholders.

Integrity: We are ethical, honest, independent, and provide an objective perspective.

Inclusivity:  We work collaboratively to harness the diversity of people and ideas, both inside and outside of NIST, to attain the best solutions to multidisciplinary challenges.  

Excellence: We apply rigor and critical thinking to achieve world-class results and continuous improvement in everything we do

Find out more

National Conference of State Legislatures (NCSL)

 Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information)   All 50 US states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

US Breach Compliance Requirements