Asset management is often regarded as the foundation of a security programme. You can’t protect something that you don’t know you have. This extends beyond internal systems to your organisation’s partners. Depending on the line of business, supply chains can get increasingly complex. They include vendors, manufacturers, retailers and distributors in multiple geographies and regulatory regimes. Securing such a network is no easy task and should start with visibility and careful risk management.
Begin by getting answers to the following questions:
- What type of information is being shared?
- Where is the information stored (geography), and with whom else (fourth parties) is it shared?
- What level of access is required to our internal systems, and how is it controlled?
- What is the partner’s security posture?
To assess the security posture, a number of third party risk assessment approaches can be used. These usually involve a questionnaire based on an established security framework, but not all questions are created equal. I recommend paying particular attention to the incident response process (including customer notification) and to governance, including the internal/external audit and security testing regime. If your partner already maintains compliance with a security standard and has this independently verified through, for example, ISO 27001, SOC 2 or PCI DSS, it’s best to start by requesting these reports – there is little value in duplicating the effort. Services that provide risk scores based on open source intelligence and non-intrusive scans can complement your risk assessment.
For this initiative to be successful, it’s essential to adopt a strategic approach that goes beyond vendor onboarding: continuous engagement throughout the relationship lifecycle is needed. Integrate cyber security into the wider procurement and third party management process, and prioritise your strategic relationships first. You can start with the following:
- Define security requirements and level of security function involvement based on vendor criticality
- Define and tailor security questions and share with the vendor
- Analyse the vendor response and request artefacts/evidence
- Meet with the vendor’s security/data protection teams for clarification, deep dive, challenge and evidence review, if appropriate
- Perform vendor risk analysis based on the assessment results, update risk registers and involve relevant parties internally
- Support contract negotiation (e.g. inclusion of security requirements based on the assessment results, review of confidentiality and data protection clauses)
- If successful, support secure vendor onboarding and continuous performance monitoring
For best results, engage the right stakeholders early. I provide example interfaces and interaction topics below, but feel free to tailor them to the needs of your organisation.

| Stakeholder | Interface and interaction topics |
|---|---|
| Procurement and vendor management team | Align with the wider vendor management process and provide security requirements |
| Legal | Agreement on standard contractual clauses, contract templates |
| Data Protection Officer | Alignment on data protection requirements (data transfers, compliance with international data protection laws, etc.) |
| Security Committee | Keep informed and seek guidance on major decisions |
| Internal audit | Alignment on internal controls and periodic review |
| R&D | Alignment on architecture, requirements and integration |
| Service Management | Performance management and monitoring |