Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

Podcast

Supply Chain Risk Management: Managing Third Party and External Dependency Risk

  • March 2015
  • By Presenter John Haller2419, Matthew J. Butkovic2415 Interviewer Julia H. Allen4967
  • In this podcast, Matt Butkovic and John Haller discuss approaches for more effectively managing supply chain risks, focusing on risks arising from “external entities that provide, sustain, or operate Information and Communications Technology (ICT)."
  • Cyber Risk and Resilience Management
  • Publisher: CERT
  • Listen

    Loading Podcast.....
  • Related

  • Abstract

    One caveat of outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust they will do the right thing with their data.

    In this podcast, Matt Butkovic, the Technical Manager of CERT’s Cybersecurity Assurance Team, and John Haller, a member of Matt’s team, discuss approaches for more effectively managing supply chain risks, focusing on risks arising from "external entities that provide, sustain, or operate Information and Communications Technology (ICT) to support your organization." This is sometimes referred to as third party or external dependency risk.
     

  • Transcript
  • Download
  • Additional Formats

    pdf

About the Speaker

  • John Haller

    John Haller is a member of the technical staff on the Cybersecurity Assurance team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. As a member of this team, Haller performs research on critical infrastructure protection, focusing on methods, tools and techniques for managing external dependency and third party risk. Prior to joining CERT in 2010, Haller was analyzing cybercrime attacks on the financial industry in collaboration with a U.S. law enforcement agency. Haller received his Juris Doctor from the University of Pittsburgh and is also a GIAC Certified Incident Handler.

  • Matthew  J. Butkovic

    Matthew Butkovic is the Technical Manager of the Cybersecurity Assurance team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Butkovic performs critical infrastructure protection research and develops methods, tools, and techniques for evaluating capabilities and managing risk.

    Butkovic has more than 15 years of managerial and technical experience in information technology (particularly information systems security, process design and audit) across the banking and manufacturing sectors. Prior to joining CERT in 2010, Butkovic was leading information security and business continuity efforts for a Fortune 500 manufacturing organization.

    Butkovic is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

  • Julia H. Allen

    Julia Allen is a principal researcher within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, security governance, and measurement and analysis. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a Bachelor of Science in Computer Science (University of Michigan) and a Master of Science degree in Electrical Engineering (University of Southern California). Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2010).