PROJECT BRIEF

Vendor Assessment Guide to Data Breach Risk Management

Santa Clara County, CA

Summer 2024

Prince Osaj (Project Lead), Wendy Zeng, Sarah Lawson Pitler, Ches Weinfeld, Eric Ye, Vimala Machiraju, and Ngoc-Mai Huynh

BACKGROUND

The local government organization of Santa Clara County, California engages with many third-party vendors, some of whom possess a technology footprint assessed by the County's Information Security Office. To monitor these vendors, the County uses Bitsight, which generates "security alerts" based on predefined factors that are independent of the particular relationship each vendor has with the County.

AIMS

Prioritizing the cyber risk of third-party vendors is challenging due to the high volume of incoming Bitsight ratings, which ultimately raises barriers to effectively managing cyber risk for the County and its residents. Without a method to prioritize vendors based on their risk level, it is difficult to identify where action is needed first.

METHODOLOGY

To address the cybersecurity risk prioritization process for Santa Clara County, the project team developed a grading rubric to evaluate the criticality of each third-party vendor, existing and new, and the potential impact to the County if a breach occurs. The methods drew on direct input from the Chief Privacy Officer of Santa Clara County, the core elements of risk measurement the County was already using (Bitsight ratings), guidelines from current state regulations, and key aspects of current risk assessments, vendor scorecards, and surveillance rubrics.

DELIVERABLES

To address the cybersecurity risk prioritization process for Santa Clara County, the team developed a grading rubric to evaluate the criticality of each third-party vendor, including existing and new vendors, and the potential impact to the County if a breach occurs. The methodology included direct input from the Chief Privacy Officer of Santa Clara County, core elements of risk measurement that the County was currently using (Bitsight ratings), guidelines from current state regulations, and key aspects of current risk assessments, vendor scorecards, and surveillance rubrics.