Managing Third Party Risk in the Cloud Ecosystem
Dallas IIA Super Conference
Nov 1, 2021
INNOVATE. TRANSFORM. SUCCEED. Adapt to the new business reality.
Internal Audit, Risk, Business & Technology Consulting

INTRODUCTION

© 2021 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners. Internal Use only, confidential and for Protiviti Exclusive Client: Not for external distribution. Technology Consulting

DISCLAIMER

This Talk is NOT …
• A Primer on Cybersecurity 101
• Deep Dive in Cloud

This Talk is ALL About…
• Cloud Fundamentals
• Challenges with Hybrid Cloud
• Evolve the TPRM Programs

AGENDA FOR THIS SESSION
• What is the Cloud
• Market Drivers
• Challenges & Risks
• Let’s talk SolarWinds
• Shared Responsibility Governance
• Compliance in the Cloud
• Evolve the Cloud GRC & Audit Program
• Next Steps & Q&A

QUICK QUESTION

How would you describe your knowledge of Cloud and Cloud Security?
A. I can give an elevator pitch but would be nervous if someone asked me for technical details
B. I’ve performed security assessments that have included Cloud platforms
C. If you wanted to interview me for a Cloud security job, I’m confident I can impress you with my technical and conceptual knowledge
D. I think Cloud and Cloud security is a bunch of technology products, right?
E. Cloud and Cloud Security is no different than Traditional IT and security

WHAT IS CLOUD?

Too many overly Complex or overly Simplified definitions

National Institute of Standards and Technology Definition:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud is just someone else’s computer!

SOME KEY TERMS

The NIST Cloud Definitions Standard (image courtesy NIST)

Essential Characteristics (This is the “Magic”)
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On-Demand Self-Service
• Resource Pooling

Deployment Models (This is the “Type”)
• Public Cloud
• Community Cloud
• Private Cloud
• Hybrid Cloud

Service Models (This is the “Service”)
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

CLOUD SERVICE MODELS #ProtivitiTech

• SaaS: Consume It
• PaaS: Build On It
• IaaS: Migrate To It

Key Characteristics and Benefits

SaaS
• IT Costs: Licensing costs
• Scalability: Transparent – part of SaaS model
• Deployment Efforts: Already Deployed

PaaS
• IT Costs: Lower upfront Costs
• Scalability: Improved
• Deployment Efforts: Quicker and Easier

IaaS
• IT Costs: No infrastructure management costs
• Scalability: Dynamic (scaling up & out)
• Deployment Efforts: Faster with on-demand provisioning

Logos are registered trademarks of their owners

MARKET DRIVERS

BENEFITS OF CLOUD

• Big Data, Data Analytics, Machine Learning, Artificial Intelligence: Requires massive processing power, secure data storage capabilities and agile design to exponentially improve business opportunities and security risk visibility with trillions of data statistics
• Internet of Things, Operational Technology: Requires secure connectivity, plus massive storage and processing capabilities across global zones
• Digital Transformation and DevOps: Require customer-facing services able to support rapid change (e.g., multiple releases per day) and secure automation services

Massive power, agility, connectivity, storage, automation and security

Your traditional data centers cannot achieve this at cost or at scale

WHY MOVE TO CLOUD?

MARKET DEMANDS A CLOUD SOLUTION

This is Silicon Valley… Organizations with no traditional IT and born in the cloud

Massive power, agility, connectivity, storage, automation and security

Challenges & Risks

Today’s Organizations are Facing Unprecedented Challenges

NEW NORMAL - A COMPLEX LANDSCAPE

A COMPLEX SUPPLY CHAIN

WHO’S IN THE SUPPLY CHAIN?

[Figure: supply-chain map connecting Staff - Contractors, Customers, Vendors/Partners, Big Data, GitLab and GitHub to a large number of cloud service providers, each shown with a CSP_ label. Caption: Clouds Everywhere!]

Let’s Talk about SolarWinds

WHAT HAPPENED

SolarWinds is an American company that has provided software products to almost all Fortune 500 companies to help manage their networks, systems, and IT infrastructure.

In early 2020, hackers gained access and added malicious code into SolarWinds's software system, “Orion,” which is used by 33,000 of its customers.

As many as 18,000 customers ran this software and spread the vulnerability to several major companies and federal agencies.

IMPACT

Microsoft said “the intruders only downloaded the source code of a few components related to some of its cloud-based products” including: a small subset of Azure components (subsets of service, security, identity), Intune components, and Exchange components – MSN

Organizations Attacked
• State Department
• Department of Treasury
• Department of Homeland Security
• Energy Department
• National Nuclear Security Administration

“Since the hack was done so stealthily, and went undetected for months, security experts say that some victims may never know if they were hacked or not” – The Wall Street Journal

IMPACT

• Ongoing Investigations
• Hearings

Actions Taken
• Remediation Efforts
• Investments in Cybersecurity
• Researching New Cybersecurity Methods

“Companies will need to do clean-up similar to a hurricane," she added. "It is going to be expensive and extensive — companies are going to have to identify what has been breached and what, if anything, remained stable.” – Kiersten Todt (former cybersecurity official in the Obama administration)

Sources for the SolarWinds slides:
• What Is the SolarWinds Hack and Why Is It a Big Deal? (businessinsider.com)
• SolarWinds says dealing with hack fallout cost at least $18 million (yahoo.com)
• Massive SolarWinds hack has big businesses on high alert (CNN)
• Microsoft says SolarWinds hackers downloaded some Azure, Exchange, and Intune source code (msn.com)

CHALLENGES & RISKS

• Cyber threats are increasing rapidly in volume and sophistication.
• Threat actors are using techniques that we simply didn’t see but that have always been there.
• The cloud ecosystem makes it harder to protect sensitive data, leading to financial, legal, reputation and safety consequences.
• Shared Responsibility of the ecosystem is not well understood across the business; traditional GRC practices have not evolved to the new reality.

CHALLENGES & RISKS

Data regulations are increasing around the world
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• General Data Protection Regulation (GDPR 2016)
• California Consumer Privacy Act (CCPA) 2018
• The Privacy Protection Act (PPA) 2017
• Federal Data Protection Law 2000
• Personal Data Protection Bill 2018
• Texas Privacy Protection Act (2019)
• Personal Data Protection Act (PDPA 2012)
• Lei Geral de Proteção de Dados Pessoais (LGPD 2019)
• Personal Information Security Specification 2018
• Australia Privacy Principles 2014
• Personal Information Protection Act (PIPA) 2011
• Protection of Personal Information Act 2013 (POPI)
• Act on Protection of Personal Information (APPI) 2017

OUTCOMES OF CLOUD SECURITY CHALLENGES

• People fatigue
• Ineffective incident management lifecycles
• Worrying about incomplete visibility
• Incomplete knowledge of how embedded it is

GRC/Privacy Programs need to Evolve

GOVERNANCE PROGRAMS NEED TO BE UPDATED FOR CLOUD

• What are the Cloud Services we are prepared to Adopt?
• Who Owns and is Accountable for the Cloud Service Relationship, Services, Subscriptions or Tenants?
• Does our Cloud Adoption align with our Business Strategy?
• Do we have a Common Language when we speak of Cloud?
• How our Use of Cloud for Compliance Effectiveness?
• How does Cloud Adoption introduce new Risks into our Organization?
• Do we have Understanding and Visibility of What and Where Cloud Services are Deployed?
• What Compliance Activities are we Responsible for versus our CSPs?
• Do we Know what Cloud Controls are in Place and Are they Different from our Traditional Standards?

“Of 1200 companies surveyed, 69% wrongfully believed that Data Protection, Compliance and Privacy obligations were the Responsibility of the Cloud Provider” – Veritas 2020 Data Survey
SHARED RESPONSIBILITY – NEW GOVERNANCE

A NEW GOVERNANCE PARADIGM – SHARED RESPONSIBILITY

Pizza as a Service

The higher the cloud stack, the less control you have over the environment

Models compared:
• Traditional On-Premises (On Prem): Made at Home
• Infrastructure as a Service (IaaS): Take and Bake
• Platform as a Service (PaaS): Delivered Pizza
• Software as a Service (SaaS): Dined Out

Layers shown for each model: Dining Table, Soda, Electric / Gas, Oven, Fire, Pizza Dough, Tomato Sauce, Toppings, Cheese

Legend: You Manage / Vendor Manages

WHERE IS OUR DATA?

The dynamics of Hybrid Cloud deployments have changed the way Governance, Risk and Compliance Programs need to treat data lifecycle management.

Cloud Requires a New POV Managing Data Lifecycle

Governance Considerations
• Data is Ethereal: Data Assets and Locations are Elastic
• Multi-Tenancy Shared Governance: Your Data GRC policies do not bind Multi-Tenants or the CSPs; Weak security could leak to other tenants
• Trust/Privacy Clarity: Hosting a SaaS solution on an IaaS platform makes you the custodian and processor but not the owner
• Supply Chain/BIAs Contract: As the Data Owner, you are responsible for 3rd, 4th, 5th party handling, which includes unknown CSP Supply Chain
• No Collection Standards: CSP becomes Data Processor and is not bound by your Data GRC nor adherence to a Standard
• Data Flows not Known: CSPs do not allow inspection of Orchestration and Abstraction layers

Other labels on the slide: Data Custodian, Data Owner, Data Processor, Data Sovereignty, Managed Services/Forensics

THE CLOUD PROVIDER SUPPLY CHAIN IS MASSIVE!

Image: Cloud Security Alliance

Cloud Provider's Infrastructure is not in scope for its customer’s audits; they support it but are not responsible for it

INTEGRATED APPROACH TO THIRD PARTY RISK

1. Scoping of vendors based on risk
2. Organisation focused on key specific risks that the supplier/service presents
3. Vendors can manage customer risk through their own process – thru Multi-tenants?
4. System reminds supplier of their commitments – in Cloud?
5. Process established to track/manage the closure of remediation plans – Cloud vendor tracking?
6. Process fully integrated with business risk process

CHALLENGES WE SEE IN EXECUTION

As a result of an increase in outsourcing of business and IT services, including the acceleration of cloud adoption, the proportion of services and technology which sits outside of the boundaries of an organization has increased significantly. Vendor risk management processes have often not effectively evolved to address this change in focus.

• Risk management vs. blanket control adherence – Are Risks unique to Cloud?
• Pre-contractual due diligence – Does this include the Cloud Supply Chain?
• Risk tracking and reporting – Who owns this for Cloud Licenses?
• Risk acceptance not risk management
• Regulatory drivers
WHAT REGULATORS ARE SAYING

Most regulatory and standards bodies have issued guidance or are reevaluating previous guidance for cloud, including:
• PCI-DSS
• FFIEC
• HIPAA
• ISO 27018
• SEC
• FERPA
• FEDRAMP
• Multiple International Laws
• Cross Border Data Restriction Laws

Interestingly, there are few updates from SEC/PCAOB on Cloud topics, and Cloud Adoption and the impact on Auditors is still in the Research stage.
https://nasba.org/blog/2019/11/25/pcaob-still-studying-use-of-technology/

For Immediate Release, April 30, 2020
FFIEC Issues Statement on Risk Management for Cloud Computing Services
The Federal Financial Institutions Examination Council (FFIEC) on behalf of its members today issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector.

OUTCOMES OF TRADITIONAL APPROACHES TO GRC/TPRM

• Cloud Adoption is hard to Govern
• Ineffective TPRM lifecycles lead to Shadow IT
• Reliance on Cloud Provider to manage risk in their Supply Chain
• Technology sprawl/bloat
• Poor integration
• Cost overruns

Update GRC Processes
Include Cloud Supply Chain in GRC

START WITH CLOUD GOVERNANCE

Hybrid Cloud Governance components:
• Policies, Standards and Controls: Policies, standards, controls for target workloads
• Regulatory Compliance and Audits: Identification, enforcement, and reporting of compliance controls
• Cloud Security Frameworks: Security standards and frameworks to protect data and manage business service risk
• Showback / Chargeback Model: Tagging of resources for cost allocations
• Service Consumption Governance: Access control, scale-up/scale-down resources, auto-shutdown, cost performance metrics tracking
• Enterprise Architecture Governance: Ensure alignment of architecture to set vision and objectives
• Cloud Center of Excellence: Explore, introduce new capabilities and build skills to support them
• Cloud Service Lifecycle Management: Maintain, retire, upgrade and ingest cloud services for consumption by business groups

ADAPTED PEOPLE, PROCESS & TECHNOLOGIES TO ADDRESS RISK

Shared Responsibility Model and Knowledge
• Define how Shared Responsibility Model impacts structure and operational models for your organization
  – Formalize and Communicate
  – Update Governance policies, RACIs
  – Measure and Monitor
• Train employees
• Provide incentives and paths to certifications where relevant

Frameworks and Benchmarks
• Use established frameworks to holistically address environment
  – Example: CSA Cloud Security Guidance, STAR and AZURE Well-Architected Framework
• Compliance and Regulatory concerns
• Align CIS Benchmarks, CCM and others to approved standards and governance policies

Technical Capabilities and Tools
• Implement technical capabilities to enable real-time understanding of what is going on in the environment
• Use tools to reduce or remove human error, which increases speed of response and allows security controls to be automated
• Key considerations:
  – Open Source vs. Enterprise
  – Platform Agnostic vs. Platform Specific vs. Cloud Native
TOOLS TO ADDRESS TPRM GOVERNANCE – CSA CLOUD SECURITY GUIDANCE & ATTESTATIONS

Frameworks and Benchmarks

[Figure: wheel of numbered CSA domains. Domain names shown: Cloud Computing Concepts & Architectures; Governance and Enterprise Risk Management; Legal issues, contracts and E-discovery; Compliance and Audit Management; Information Governance; Management Plane and Business Continuity; Infrastructure Security; Virtualization and Containers; Incident Response; Application Security; Data Security and Encryption; Identity, Entitlement, and Access Management; Related Technologies; Supply Chain; TvM; Universal Endpoint. Source: Cloud Security Alliance]

CSA Domains establish a stable, secure baseline for cloud operations and should become a part of your Standards library. Cloud Policies can be built from Domains which emphasize security, stability, and privacy in a multi-tenant environment.

• Use established frameworks to holistically address environment
  – CSA Cloud Security Guidance and CSP Well-Architected Frameworks
• Compliance and Regulatory concerns
  – Example: CSA CCM
  – CIS, Azure Security Center, Azure/AWS/GCP Compliance FAQs
• Join ISACs and Peer Sharing Groups

HAVE CONTINGENCY PLANS FOR DEPRECATED/OBSOLETE SERVICES

ADD CSP SUPPLY CHAIN MONITORING TO YOUR GRC DASHBOARDS

MONITOR CSA STAR REGISTRY – EXAMPLE: AZURE ATTESTATIONS

MONITOR FOR CERTIFICATIONS AGAINST LEADING STANDARDS – EXAMPLE: AWS

FINAL THOUGHTS

• Consider the cloud ecosystem as part of the organization
• Evolve the TPRM program
• Include cloud in everything you do for GRC
• Stay vigilant in monitoring for updates from your cloud providers

Q&A

RECOMMENDED RESOURCES

• Recover: The NIST Cybersecurity Framework’s Outlier
• Are You in the Ransomware Sweet Spot?
• Key Strategies to Mitigate Ransomware Impact
• Ransomware Crisis: 11 Actions to Secure Critical Infrastructure

Looking for more? Check out our Tech Insights Blog