Wayne Tufek
Wayne Tufek is currently a Director of CyberRisk. For over 20 years he has formulated pragmatic, business driven strategies to establish, execute and improve cyber risk management in ASX listed companies and some of Australia’s largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC, CISM, CISA and ISO/IEC 27001 Lead Implementer qualifications. He is frequently asked to present at security conferences and events in Australia and internationally including the Australian Cyber Security Centre Conference, RSA APJ and CeBit.

Wayne_Tufek-AusCERT18-The Weakest Link - Managing Supplier and Third Party Risk

The Weakest Link - Managing Supplier and Third Party Risk

Third party vendors and suppliers often have access to your network and your organisation's confidential information. The best way to prevent a data breach is to have a robust program to assess how your third parties are managing their risk and protecting your data. Organisations must have a clear understanding of the risks inherent in their business relationships with third parties. Continually assessing your vendors is the best way to manage your third party risk. How should you approach managing third party risk? This presentation will cover the following topics:
  • The major failings of traditional third party risk management programs
  • Creating a supply chain awareness program
  • Creating a comprehensive catalogue of vendors and suppliers
  • Risk based segmentation of identified vendors and suppliers
  • Risk assessment and rules based due diligence activities
  • The key contractual clauses all contracts with third parties should contain and why
  • Methods for continuous monitoring
  • How to develop and present a supplier risk dashboard for management
  • A model for a comprehensive process to effectively and efficiently manage third party risk

Third party actors often directly interact with sensitive data and business processes; organisations have been forced to adopt new controls, tactics, and technology to shield their enterprise from cyber threats.