Keys to More Effective Vendor Risk Management

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, chief risk officer for Kovrr
Date Published: 28 August 2019

Certain industries have a better conceptual understanding of their supply chain than others. In manufacturing, for instance, it is very clear that raw materials come in one end and a completed, processed product for consumption comes out the other. Those products may be shipped to another manufacturer for integration into its products or to the consumer for their use. You can link these organizations together and build a map showing the full supply chain network. Indeed, this is often done to help planners, engineers, and managers better understand their exposure to hiccups in that chain. For other companies, however, this connection to the full breadth of vendors is harder to see. The relationships are less tangible as digital transformation makes work between companies seamless.

In a new ISACA white paper, Managing Third-Party Risk, I wanted to help organizations better understand how to build a third-party or vendor risk management program in order to better manage their cyber risk posture. Once the basic building blocks of these vendor risk technologies and processes are in place, other risk disciplines (operational risk, privacy risk, country risk and so on) can gain a better handle on their loss exposure as well.

The white paper covers topics in the order in which the vendor process would be executed, starting with governance and how foundational it is to have vendor roles clarified, procurement procedures locked down (not just anybody should be able to buy services), data sharing agreements solidified, and the collection of vendor metadata secured (which feeds the next part of the assessment).

The main thrust of the paper is how to assess how much cyber risk a particular vendor poses to your organization. This involves triaging all your vendors and sorting them into buckets, with the riskier buckets receiving more evaluation. For those vendors that need it, I discuss a series of artifacts that you should ask for and tests you should run.

I close with a discussion on what to do with that assessment data. I discuss how to threat model vendors and feed that into your risk assessment, and how to improve upon vendor risk evaluations done with a simple heatmap (such as focusing on the economic impact to the organization using cyber risk quantification). The paper ends with a discussion of ongoing monitoring and what to do with vendors exhibiting bad control posture.

I hope you find this white paper helpful in either establishing a new vendor risk management program or improving the maturity of your existing one. As companies continue transforming their operations with digital technologies, it’s inevitable that an organization will share its data (and its customers’ data) with more and more partners. Let’s be sure that the solutions are in place to help protect that data and engender trust in our digital economy by managing that vendor risk well.

About the author: Jack Freund, Ph.D., CISA, CRISC, CISM, is director, risk science for RiskLens, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.