We all depend on each other. One way or another, every single person, every business, and every organization, from the smallest one to hundreds of thousands of employees, are part of the global supply chain ecosystem. Regardless of being the local coffee shop getting the coffee beans from a local distributor or being a Fortune 100 company that uses outsourced data centers for storage, we are all dependent on the services that are provided to us. Even if we are not aware of it just yet. Therefore, it is essential to have a clear understanding of business-critical services, systems that support such services, and suppliers who provide any component of these systems. Understanding such dependencies in the organization is key to establishing an effective supply chain risk management program.
When organizations want to maximize their supply chain security, it is crucial to extend security practices from procurement and contracting until execution, which includes periodic reviews of suppliers on agreed security requirements and industry best practices.
Information security should be included in supplier evaluations from the start to ensure only those suppliers are selected who provide adequate and proportionate information security controls for the service they provide. Often, the cost of service and security controls are very much debated as business lines prioritize cost vs. functionality while the information security department focuses on security vs. functionality. Finding the right balance between cost, security, functionality, and usability is difficult. It requires clearly defined processes for each function in selecting a supplier and, finally, what level of risk the organization is willing to accept. Clearly defined processes ensure that every supplier is evaluated based on the same criteria, allowing the organization to keep a consistent level of security regardless of budget, time constraints, functionality, and resources.
It is crucial to keep suppliers up to a high-security standard (defined by the organization’s internal information security requirements and industry best practices) and to ensure they comply with such requirements. Organizations should establish and maintain information security appendices that can be inserted into supplier contracts and define the minimum baseline security requirements suppliers have to comply with.
Just as with legal terms and conditions, information security requirements are oftentimes negotiated between the customer and supplier because suppliers do not want to over-commit to requirements that might not be in scope or they are unable to comply with. These are usually centered around incident notification timelines, password configurations, encryption protocols, user access management, audit rights, and attestation reports. Nevertheless, the ultimate goal is to formally establish and agree on information security requirements that are proportionate to the service, measurable, and auditable. In case of compliance gaps, there is a willingness from the supplier to cooperate and mitigate the gaps.
For an effective supply chain risk management program, it is essential to have a clear overview of services and systems that run in the organization and to have a clear understanding of their criticality to the business. Emerging technologies such as cloud-based services paved the way for data and service management roles and responsibilities to be pushed further outside the organization. Therefore, understanding critical systems, the data they process, and the level of access suppliers have is a must. Having clear visibility over critical services and supplier dependences not only helps to set up adequate protection measures but also helps to respond to supply chain disruptions effectively. Organizations should leverage their Business Impact Analysis (BIA) to determine business-critical systems. A BIA should always identify priorities and dependencies related to system interconnections, processes, functions, and actual suppliers therefore, it provides a great way to identify critical systems, their relations to suppliers, and applicable risks.
A risk-based approach to reviewing and auditing suppliers is a key element of an effective supplier management program. Based on the criticality of the service, the level of access suppliers have to customer data are both factors that must define the type of review to be conducted to protect the organization from supplier risks. Such assessments may range from manual questionnaire-based reviews (e.g., custom questionnaire, SIG Lite, SIG Full, ad-hoc zero-day based review) to actual in-person audits where a thorough examination of the entire control environment is performed based on a design, implementation, and operating effectiveness level. Organizations often opt for third-party risk management tools to automate their overall monitoring program. However, many of these tools are not scalable, they often set up requirements based on industry best frameworks and do not allow for tailored assessments hence resulting in many false-positive risks or don’t focus on the priorities of your organization. Moreover, another key challenge of such tools is that suppliers often reject uploading supporting documentation due to confidentiality reasons.
Regardless of the type of review conducted, organizations should always ensure that at least the following documents are obtained and reviewed to get an independent overview of the control environment:
Recent attacks have shown how exposed organizations are to supply chain risks, and even the seemingly most secure businesses can fall victim to cyber-attacks. The SolarWinds incident in 2020 showed us how little we know about our supply chain and blindly trust vendor practices, as many customers unknowingly installed the malware as part of a regular update.
Just recently, Atlassian released a security advisory to address a remote code execution vulnerability affecting all Confluence Servers and Data Centers, which also affected companies on a global scale.
Such incidents, and many others in the past, have shown that regular, high-level reviews of suppliers are just not enough. It should be a key focus point for organizations to extend their program with monitoring capabilities where suppliers’ security effectiveness is measured based on data-driven open-source intelligence.
Do you know if your supplier risk management program is operating effectively? Here are some points to consider:
If you have answered ‘No’ to any of these questions, then you could be at an increased risk in your vendor space.
Compyl has created a platform with built-in processes and workflows that simplify the development and ongoing management of a vendor management framework and many other supporting functions across IT security, compliance, governance, and asset management. If you want to learn more about what we can do for you, feel free to contact us!