Risk Assessments

  • 1.  TPRM stress testing and scenario

    Posted 13 days ago

    Dear all,

    One of my recent challenges in terms of TPRM implementation: our regulator issued new instructions asking for TPRM stress testing and scenarios. Therefore, I need any support such as references, related templates, etc. On this occasion, my TPRM team also needs practical, well-prepared training courses and conferences.

    Your support and recommendations will be highly appreciated.

    Said Abdel Megeed

    ORM and TPRM, General Manager

  • 2.  RE: TPRM stress testing and scenario

    This message was posted by a user wishing to remain anonymous
    Posted 13 days ago

    From a BCP standpoint, we have an annual tabletop discussion that our BCP vendor Trellance spearheads. We have designated employees from our disaster recovery team who participate in the tabletop. We are given a scenario, for example a fire, a cyber-attack, a pandemic, etc., and we go step by step through who or which department is to do what and when, like a chain of command. Everyone provides input and resolution, which is documented by our minutes taker and sent to Trellance upon completion of the exercise. They generate a report and a score that is turned in during our annual audit.

  • 3.  RE: TPRM stress testing and scenario

    Posted 8 days ago

    Thank you for your feedback, but this is not what I am looking for. I need something beyond the BCP scope.

  • 4.  RE: TPRM stress testing and scenario

    Posted 7 days ago

    Hi Saeed,

    Thank you for your question.

    I don't have a certification recommendation, but I have a way to roll your own. Sorry if that is not what you want.

    One: The new Govern addition is the latest craze and very welcome. In many cases it just re-labels existing controls, but for many, it finally gives a meeting ground between Executive Management and the Board and the rest of the organization attempting to manage IT cyber risk. When reviewing NIST CSF 2.0 and the waterfall of regulations that mirrored it (NYDFS Part 500 v2 - 11/1/23, etc.), I focused on the third-party aspects and requirements to extend your internal concepts of cyber and IT risk to what you expect your third-party SaaS and other service providers to meet as the minimum and most desired cybersecurity controls: employee awareness practices, employee termination processes, RBAC, backup and business continuity, disaster recovery, incident response and notifications, etc., as you must rely on their controls and their fourth-party controls in times of business disruption. Both Security Scorecard and Cloud Security Alliance offered solid insight into NIST CSF 2.0 and how to implement the NIST CSF 2.0 controls.

    And, most on point to your question:

    Two: Have you considered giving your team a goal of 20 CPE credits, etc.? For instance, there is the 6 CPE credit offer that Venminder makes twice a year with their TPRM Bootcamp. Cloud Security Alliance (CSA) offers a Cloud Trust Summit that covers regulatory (including financial services industry) sessions with valuable information and strategies for all SaaS and related vendors. Baker Tilly is another source on both vertical industry-specific regulatory and third-party risk management.

    This year, all three organizations already offered TPRM sessions, including SOC 2 review specifics, templates, sample presentations, sample stakeholder reports, etc.

    For instance, most recently, material that we are looking to introduce to all business units for BC and DR plan awareness, their roles and responsibilities, and how to report status was enhanced by "Third_Party_Risk_Management_Reports_Right_Data_Frequency_and_Content_Webinar" on July 9th from Venminder. Also, all the TPRM scorecard companies offer great ideas on communicating cyber risk issues and are very practical, like the other sources mentioned above. See competitors in this space (https://www.gartner.com/reviews/market/it-vendor-risk-management-solutions/vendor/upguard/product/upguard-cyberrisk/alternatives, which lists Security Scorecard, UpGuard, Bitsight, Venminder, etc.). See the example from Security Scorecard, which tends to use BrightTalk for sharing events. I regularly attend all these vendor events to discover the common cross-functional language being used and to share it across our business units as we ask them to improve their readiness (i.e., what happens if a critical SaaS vendor is out for 1 day, 1 week, 1 month), so their employees are just as versed in what they need to do during business disruptions.

    All the best with your search. Larry

  • 5.  RE: TPRM stress testing and scenario

    Posted 4 days ago

    I would like to thank all who contributed to this topic, but I am still looking for the answer to my question about TPRM stress testing.

    Please, if anyone has concrete answers, I will be grateful.

    Best regards