Your key tools to secure suppliers

As organizations increasingly rely on third parties to provide a wide variety of IT and business services, the lines between the business and its providers are becoming increasingly blurred. The result is a complex supply chain, with each element introducing additional risk.

It is often assumed that by paying a partner to deliver the work, these risks are transferred to that third party. However, this is not the case. The risk remains the responsibility of the organization, but different measures will be required to manage it now that a third party is involved.

In mitigating these risks, it is understandable that the organization in question would want to extend its own policies and controls to cover third parties. However, they themselves will balance the disparate requirements of many different partners.

Addressing supply chain risk is therefore a case of implementing multiple measures.

Screening

The first phase is to carry out a systematic and rigorous screening of any potential trading partners both up and down the supply chain (ie customers and suppliers). This is already required in some industries (think anti-money laundering laws in the financial sector, for example), but should be considered good business practice, regardless of legislation.

It is essential that every company knows who it is working with, both directly and indirectly, and therefore who it is connected to around the world, with much deeper controls than a checkbox form filled out by the potential partner. Screening processes must be automated to handle the sheer volume of checks required to fully vet a partner, and they must be ongoing, as a previously compliant third party could undertake activity that reverses its status.

Contracts

Having brought in a partner who has completed the initial selection process, the contracts legally enforce organizational policies. These must consider the handling of the information and establish how the company’s data will be protected while it is stored, but also during transmission and processing, as well as the procedure for its elimination.

They should also include security incident reporting, so that the company is notified of any event that may affect their information or data, and take into account external partner training on the organization’s core security values.

While this is simple on the surface, the reality is often more complicated. Large third parties can exercise their own policies with the assurance that they already meet the necessary requirements, but it can be difficult to verify that the specific measures implemented meet the organization’s requirements, or to modify the contract to cover the specific conditions of the agreement in question. At the other end of the spectrum, some potential partners may be too small to implement all the necessary controls without raising the price of their service to the point where it no longer makes business sense to continue.

The “right to audit” is a critical contractual clause if the organization wants to maintain some control in confirming that a partner complies with its policies, but it can be challenging to have this included, and even more difficult to enforce.

Corporate credit cards also make it possible to sign contracts without the involvement of legal teams; for example, software as a service (SaaS) can be bought for a small project, or a project can be undertaken that is small enough to implement without going through the organization’s entire change management and service integration process. Although “shadow IT” is a perennial problem, organizations are often only looking for software; services like these are much more difficult to identify and are often overlooked.

Compliance and governance

With a contract in place, ensuring compliance is a key activity, as the company needs to know that the partner adheres to the agreed terms. Many third parties will rely on providing confirmation of certifications such as ISO 27001, or regular reports such as SOC 2 Type II. These may be sufficient in some cases, but there may be times when more detail is required regarding how the partner is achieving compliance.

Compliance monitoring can be challenging, but if third parties are present on an organization’s network or applications, it may be possible to monitor them through security information and event management (SIEM) tools and privileged access management (PAM) tools, with their activities reviewed to confirm that they are not breaching agreements, for example by sharing IDs.

If a security operations center (SOC) exists, additional monitoring of third-party activities, or setting a higher priority on alerts, can be critical to identifying noncompliance with organizational policies.
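One concrete form of the review described above, as an added example that is not from the original article: a small detection routine run over constructed PAM-style login events, which flags an account used from several distinct hosts inside a short window (a common indicator of a shared ID) and raises the alert priority when the account belongs to a third party. The `ext-` naming prefix for third-party accounts and the event format are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample PAM/SIEM authentication events (hypothetical format):
# (timestamp, account, source host). Accounts prefixed "ext-" are treated as
# third-party accounts; the prefix convention is an assumption of this example.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "ext-vendor1", "10.1.1.10"),
    ("2024-03-01T09:04:00", "ext-vendor1", "10.1.1.11"),
    ("2024-03-01T09:06:00", "ext-vendor1", "10.1.1.12"),
    ("2024-03-01T09:30:00", "alice", "10.2.2.5"),
    ("2024-03-01T09:35:00", "alice", "10.2.2.5"),
    ("2024-03-01T13:00:00", "ext-vendor2", "10.1.1.40"),
    ("2024-03-01T15:00:00", "ext-vendor2", "10.1.1.41"),
]

WINDOW = timedelta(minutes=10)


def is_third_party(account):
    """Assumed convention: third-party accounts carry an 'ext-' prefix."""
    return account.startswith("ext-")


def shared_id_alerts(events, window=WINDOW, min_hosts=2):
    """Flag accounts seen from >= min_hosts distinct hosts within one sliding window.

    Returns {account: {"hosts": set_of_hosts, "priority": "high" | "medium"}}.
    Third-party accounts get a higher priority so the SOC reviews them first.
    """
    by_account = defaultdict(list)
    for ts, account, host in events:
        by_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, rows in by_account.items():
        rows.sort()  # chronological order so the window scan is forward-only
        for i, (start, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                priority = "high" if is_third_party(account) else "medium"
                alerts[account] = {"hosts": hosts, "priority": priority}
                break  # one alert per account is enough for review
    return alerts


if __name__ == "__main__":
    for account, detail in shared_id_alerts(SAMPLE_EVENTS).items():
        print(account, detail["priority"], sorted(detail["hosts"]))
```

In the sample data only `ext-vendor1` is flagged: `ext-vendor2` logs in from two hosts but hours apart, and `alice` always uses the same host.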

Technology

The integration of third parties with the organization’s existing technology estate is a fundamental part of risk management. However, this is often overlooked when designing identity and access management systems, with third-party privileged access governance created that does not meet the control requirements applied to the organization’s own employees.

For example, an application may be ruled out as “out of scope” of the controls, as it is managed by a third party, or there is no ability to extend the tools to the system, as it is configured and managed completely independently.

Many organizations outsource the entire administration of their network to third parties, or integrate elements of third-party networks into their own network through secure tunnels and other mechanisms. This can change the entire dynamic of how data needs to be protected as it flows across the network between applications, and of how insider threats are modeled, as the business no longer has guarantees about the security of everything transmitted over its network. Concepts such as zero trust become more important, as it cannot be assumed that all network traffic is owned by, or visible to, the organization.

Termination

Once a contract is terminated, data that is no longer needed must be deleted (by the partner) in accordance with the organization’s policies, and evidence that this has happened must be provided. Ideally, this should be enforced by contract, but it is often the case that smaller or time-limited projects that have shared data, such as small data analytics exercises, are carried out without a contract because the services are purchased outside the procurement process (as mentioned above).

Ensuring that third parties properly close network connections when a service is no longer required is also essential to protecting both the organization’s network and its intellectual property, which may still reside with the partner and remain accessible long after the contract has been terminated. Data breaches can occur when a third party has not decommissioned its development or test environments, which can be compromised and used as a bridge into other organizations.

In summary

As always in the world of security, there is no panacea that solves all the problems arising from today’s interconnected businesses and complex supply chains, and not all challenges require the same solution.

However, assessment and insight are key tools: a comprehensive approach to systems and processes that considers the people, data, and applications involved in each process can help identify problem areas that lie outside the organization’s control, and point out where this introduces a risk. With this information, appropriate measures and controls can be negotiated and implemented.
