Paragon Fellowship

Santa Clara County, CA

Cybersecurity Risk Prioritization for Third-Party Vendors

Project Background

The local government organization of Santa Clara County, California engages with many third-party vendors, some of whom possess a technology footprint assessed by the County's Information Security Office. To monitor these vendors, the County uses Bitsight, which generates "security alerts" based on predefined factors independent of the unique relationship these vendors have with the County.

Methodology

To address the cybersecurity risk prioritization process for Santa Clara County, Paragon Policy Fellows developed a grading rubric to evaluate the criticality of each third-party vendor, including existing and new vendors, and the potential impact to the County if a breach occurs. The methodology included direct input from the Chief Privacy Officer of Santa Clara County, core elements of risk measurement that the County was currently using (Bitsight ratings), guidelines from current state regulations, and key aspects of current risk assessments, vendor scorecards, and surveillance rubrics.

Problem Statement

Prioritizing the cyber risk of third-party vendors is challenging due to the high volume of incoming Bitsight ratings, which ultimately raises the barriers to effectively managing cyber risk for the County and its residents. Without a method to prioritize vendors based on their risk level, it is difficult to identify where action is most needed and should be taken first.

Deliverables

In response to this challenge, Paragon Policy Fellows developed a grading rubric to help evaluate the sensitivity of each vendor and potential for damage if a breach occurs. This rubric enhances the interpretation of Bitsight and other cybersecurity ratings by considering the nature of the vendor relationships, impact on the County, individual/personal impact, and data risk variables to systematically rank and manage third-party cybersecurity risks. This ensures that the most critical threats are addressed first to maintain the County's security and operational resilience. Also provided is a policy memo including technical instruction for replicating the rubric and a mock case study on a current technology vendor to the County.

Project Impact and Future Work

This risk rubric was developed to score individual third-party vendors on their risk of a security breach, allowing the County to categorize each vendor's risk level, prioritize mitigation efforts, and identify key areas of data vulnerability. It would be beneficial to ensure that future versions of this rubric remain agile enough to easily incorporate changing laws and regulations regarding privacy and data protection, particularly given the rapidly evolving AI landscape. (Note: This project was completed as of October 2024.)

Contributors

Prince Osaj

Project Lead

Wendy Zeng

Associate Project Lead

Sarah Lawson Pitler

Associate Project Lead

Ches Weinfeld

Fellow

Eric Ye

Fellow

Vimala Machiraju

Fellow

Ngoc-Mai Huynh

Fellow