Getting started with third-party security risk management

Auditing the security of critical suppliers is an important aspect of supply chain risk management (also referred to as Third Party Risk Management or TPRM) and may be a regulatory (DORA, NIS2) or framework compliance (ISO 270001, NIST SP800-161) requirement.  

Even if this is not required, it is strongly recommended that you monitor your vendors' security, as a large number of security incidents (up to 60% according to Forrester Research) originate with vendors, or an incident at a critical vendor can affect your business continuity.

Here are some steps that you can take to audit the security of your critical suppliers:

1. Define how to identify and manage supply chain (security) risks in your company

There are various standards and frameworks available to start from, but these two are the most frequently used :

• ISO 31000: This is an internationally recognized standard for risk management. It provides a framework for managing risk systematically and effectively and can be applied to any type of risk
• NIST Risk Management Framework: This framework provides a structured approach to managing security risks to organizational operations, assets, individuals, and other interests.
   

Other frameworks that can be considered include:

• FAIR: This is a risk management framework that focuses on quantifying and analysing information security and operational risk.
• OCTAVE: This is a risk assessment and management framework developed by Carnegie Mellon University. It is designed to help organizations identify and prioritize information security risks and develop risk mitigation strategies.

2. Identify critical suppliers

Start by identifying the critical suppliers in your supply chain. These are the suppliers who provide products or services that are essential to your business operations, or who have access to sensitive information.

3. Define security criteria

Define the security criteria that your critical suppliers must meet. This may include requirements for physical security, data security, access controls, incident response, and other relevant areas. This could include specific security policies, procedures, and technical controls.

Also here, standard frameworks can be used for this task : 

• ISO 27001: This is an internationally recognized standard for information security management. It provides a systematic approach to managing sensitive information and helps identify and manage risks to information security.
• NIST Cybersecurity Framework: This framework provides a set of guidelines for improving cybersecurity risk management for organizations. It includes a set of best practices, standards, and guidelines for managing cybersecurity risks.
• SOC 2: This is a standard developed by the American Institute of CPAs (AICPA) that defines the criteria for evaluating the effectiveness of a company's controls related to security, availability, processing integrity, confidentiality, and privacy.
• PCI DSS: This is a set of security standards created by the payment card industry to ensure that companies that process, store, or transmit credit card information maintain a secure environment.
• HIPAA: This is a set of standards that healthcare organizations in the United States must comply with to protect the privacy and security of patient health information.  HIPAA is a U.S. standard but can be used for reference purposes.
• CIS Controls: formerly known as the SANS Top 20 Critical Security Controls, are a set of best practices and guidelines developed by the Center for Internet Security (CIS) to help organizations improve their cybersecurity posture and protect against common cyber threats. These controls are designed to prioritize and guide organizations in implementing effective security measures.
• Cloud Controls Matrix:  composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance.
• Cyber Fundamentals: The Cyberfundamentals Framework is a set of concrete measures developed by the Belgian Centre for CyberSecurity  to increase an organisation's cyber resilience.   The framework is based on and linked with 4 commonly used cybersecurity frameworks: NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443.
• ANSSI Guidelines: The ANSSI (Agence nationale de la sécurité des systèmes d'information) guidelines are a set of cybersecurity recommendations and best practices developed by the French National Cybersecurity Agency.
• BSI Standard 200-2: Developed by the German Federal Office for Information Security defines methods of setting up, reviewing, and expanding an information security management system (ISMS). Various procedures are available for basic, standard, or core protection. The standard is compatible with ISO 27001 certification.
• Cyber Essentials: is a cybersecurity certification program and scheme developed by the UK Government's National Cyber Security Centre (NCSC) to help organizations protect themselves against common cyber threats. The scheme focuses on fundamental security practices and encourages organizations to adopt basic cybersecurity controls to safeguard their systems and data.
• NIS for Operators of Essential Services: Written by the NIS Cooperation Group, composed of representatives of Member States, the Commission, and the European Union Agency for Network and Information Security (‘ENISA’), this document translates the first NIS directive into a set of security measures for operators of essential services.   We expect these to be updated in the coming years based on the subsequent NIS 2 directive.

For companies getting started, we recommend starting with NIS, CIS or (a selection of) ISO 27001 criteria.
 

4. Conduct a risk assessment

Periodically conduct a risk assessment of your critical suppliers to identify potential vulnerabilities and threats to their security.  This could involve the following activities :

•  Review their security practices and policies based on documentation provided, certifications obtained, as well as any security incidents or breaches they may have experienced in the past.
• Send a questionnaire: Send your critical vendors a security questionnaire to gather information about their security practices and controls. The questionnaire should address the security criteria you defined in step 3.   Note that Ceeyu provides questionnaire templates of the most popular frameworks.   We strongly recommend starting with a limited set of questions, rather than the full set of ISO or NIST questions, because in our experience, the longer the questionnaire, the lower the response rate and quality of responses.
• Scan the attack surface:   Scanning a vendor's attack surface reveals its exposed network and IT assets (often referred to as digital footprint) and their level of security.   This gives an indication of how well the vendor is managing its external cybersecurity risks.
• Request security audits: Request security audits from your critical suppliers. You may conduct the audits yourself or engage a third-party auditor. The audits should focus on the security criteria that you defined in step 3 and may be finetuned based on the outcome of the above three above steps.
• Following up on audit reports findings and recommendations: Review the audit reports and identify any areas of concern. If necessary, work with your critical suppliers to develop remediation plans to address any identified security issues.

5. Monitor ongoing compliance 

Monitor ongoing compliance with your security criteria and any remediation plans that were developed. This may include periodic audits, periodic reviews of their security practices, as well as ongoing attack surface scanning to identify the presence of critical vulnerabilities in the network of your supplier and monitoring of security incidents and breaches (and the way the supplier manages these breaches).

6. Establish contingency plans

Finally, establish contingency plans in case any critical suppliers experience a security breach or other security-related issues. These plans should outline steps to be taken to mitigate the impact of any such incident.

By following these steps, you can effectively audit the security of your critical suppliers and manage supply chain risk more effectively.