Organisations around the world are increasingly relying on third-party vendors to provide them with competitive advantage. Many companies in a race to optimise processes and reduce costs begin to outsource core functions. This leads to increased risk profile and new challenges of supplier oversight.
Dealing with third-parties has grown bigger than being just a procurement issue. Suppliers companies increasingly rely on, pose not only legal but also reputational risks that cannot be fully transferred. Security and privacy related incidents related to third-party providers are presenting new management challenges. Moreover, regulators are increasingly demanding the management of the third-party risk.
Suppliers, however, have their own challenges. Constant squeeze on costs from their clients reduces the profit margins making it increasingly difficult for vendors to prioritise security requirements implementation.
How do we make sure the suppliers we work with are trustworthy? How do we minimise the risk exposure from a potential incident? What level of assurance is required for a supplier?
These are the questions I’m going to answer in this blog.
Understanding business drivers and goals is essential for developing a third-party risk management approach. By analysing company’s corporate strategy I was able to derive multiple business attributes relevant to the shareholders. One of them stands out: Trusted. I’m going to disregard other attributes and focus on this one for the purposes of this case study. Not only it is important for the company to be trusted by its customers, but trustworthiness is also something I’m going to explore in this blog from the third-party relationship standpoint.
After a workshop with the CIO and IT managers in various business units, I’ve defined the following IT attributes supporting the main business attribute (Trusted): Transparent, Assured and Managed.
How does the security function support the wider IT objectives and corresponding attributes? After a number of workshops and analysing the security strategy document I’ve managed to create a number of security attributes. Below is a simplified example correlating to the business and IT attributes in scope:
Dealing with customers and managing relationships with them is one of the core activities of the company. As discussed above, being trusted by the customers is one of the main values of the organisation. IT department through the implementation of their technology strategy supported the business stakeholders in Sales and Marketing to outsource customer relationship management platform to a third party provider. A cloud-based solution has been chosen to fulfill this requirement.
A combination of attribute profiling, trust modelling and risk analysis is used to assess the degree of assurance required and compare third-party providers. Below is a recommended approach based on the attributes defined.
Security attributes mapping
Based on the internal security policy the following questionnaire has been developed to assess the supplier. Responses from the supplier have been omitted to preserve confidentiality. Below is a short excerpt from one of the sections of the questionnaire related to cloud services.
| Are terms of services and liabilities clearly defined in service agreements? | Governed |
| Are escrow arrangements in supplier contract agreement and cloud service agreements registered with procurement and documented in cloud service register. | Identified |
| Are physical security and environmental controls present in the data centre that contains company data? | Integrated |
| Are procedures for user authentication, authorization and access termination documented? | Access-Controlled |
| Has the Business Continuity Plan been reviewed and approved by the executive management? | Governed |
| How often is the Business Continuity Plans and Disaster Recovery Plans tested? | Available |
| Is there a specific Recovery Time Objective(s) (RTO) and Recovery Point Objective(s) (RPO)? If yes, specify the RTO and RPO for the company services. | Available |
| Are default settings customized to implement strong encryption for authentication and transmission? | Access-Controlled |
Attribute compliance is assessed based on the questionnaire answers, as every question is mapped to a specific attribute. Where a specific combination of an attribute corresponds to multiple questions, all answers are rated separately then an average rating for that attribute weight is calculated. Exceptions apply where certain specific questions are identified to have priority (higher level of impact on attribute compliance) over the other questions mapped to the same attribute. Expert judgement is applied to analyse such situations.
Attributes are evaluated with three main levels:
- High level of compliance with policy (Green),
- Medium level of compliance with policy (Amber),
- Low level of compliance with policy (Red)
Cyber Security Leadership 
Not undertaken the sabsa course yet – but the supplier question is a regular highlight in security assessments. Is there a deeper working example or recommendations on material to research whilst waiting for the course ? The blue manual is significantly old now, I believe the author also advised it getting out of date – appreciate you knowledge here.
SASBA doesn’t necessarily focus on third party reviews that much. When it comes to supplier security assessments, pretty much any security framework can be tailored for this purpose. ISF have some guidance you could look at as a starting point.