Updated 31 March 2022. This post was originally published on 6 August 2021 by Yang JianGang.
Third-party vendor risk management is a challenging and critical area for companies of all sizes and in all industries today. It is therefore no wonder that many regulatory compliance frameworks or guidelines contain requirements for third-party management, including the MAS TRM Guidelines and ISO 27001 (A.15 Supplier relationships).
You may have a robust cybersecurity posture, but weaknesses in your third-party vendors' defenses can adversely affect you too, especially if you allow them to log in to your systems to perform certain operational and administrative functions.
Such breaches are more common than you think, and have caused total shutdowns of business functions in extreme cases.
In February 2022, a major Japanese car manufacturer was forced to suspend domestic factory operations after one of its plastic parts and electronic components suppliers was hit by a suspected cyber attack. The suspension cost the manufacturer 13,000 cars of output. The attack on the supplier also forced affiliated plants of the car manufacturer to shut down.
Closer to home, a telco in Singapore suffered a security breach because one of its supply chain vendors, which had access to its critical data, was compromised. This resulted in the theft of personal information: more than 129,000 NRIC numbers, together with a combination of names, dates of birth, mobile numbers, and addresses.
With such potentially devastating effects on your operations as a result of third-party incidents, here are five quick action items to help you improve your third-party or supply chain risk management.
1. Review The Vendor’s Security or Privacy Page
Every third-party vendor that is serious about the security of its product or services will have a dedicated security page talking about the robustness of its information security program.
If personal data is involved, a privacy page would be present as well. Reviewing the content on this page is one way your organization can quickly eliminate companies from the vendor selection process. Is the information poorly written? Is there no such page at all to review? Those are immediate red flags to take at face value.
2. Validate The Vendor’s Security Certification Reports
Find out if the vendor holds any industry-recognized security certifications, such as ISO/IEC 27001 or SOC 2, after reviewing its security page. Then request the certification report from the vendor to validate that the certificate is indeed legitimate and valid.
In addition, your organization should verify, based on the report, that the scope of the certification is relevant to your organization. If a Customer Relationship Management (CRM) vendor claims to be ISO/IEC 27001 certified but the scope of its certification only covers its finance department, that does nothing to validate the security of its CRM platform.
Typically, a legitimate security certification will be enough security assurance for you to pick a vendor. However, this is also dependent on risk - the greater the exposure that your organization has to the vendor, the more stringent your security checks have to be.
3. Conduct Additional Due Diligence Checks for Critical Vendors
If your vendor has access to your sensitive and critical data, you can't simply rely on security certification for assurance.
In such cases, consider having the vendor complete a due diligence questionnaire and provide the relevant evidence as proof. Has the vendor conducted a pentest on its software? How is the vendor securing its network and devices?
These are examples of additional checks you can include to provide you with better insight into the security posture of the vendor, giving you additional assurance on top of the certification reports. You might also identify issues that are unnoticed by the auditors as you review the evidence provided.
The same questionnaire process could also be applied to vendors without certification. It is an opportunity for those vendors to prove that they have implemented the necessary controls to protect your organization’s data in spite of a lack of certification.
4. Risk Acceptance and Management
You should have a better understanding of the risks the vendor poses after checking the certification and/or running through the questionnaire. While in an ideal world all your vendors would comply with all your security requirements, in reality you usually have to acknowledge and accommodate acceptable risks for business continuity or other commercial reasons.
This is where your organization needs to clearly communicate the risk of these engagements to management. Document the security risks involved and monitor the engagement closely. In the meantime, your organization should continuously look for ways to mitigate such risks, such as having appropriate incident response plans in place should a security incident strike.
5. Exit Management
The last tip, and an often overlooked one, is the offboarding of vendors. If an exit management process is not enforced on vendors, the vendors may continue holding your organization’s sensitive data or retain access to your organization’s systems or buildings.
As a result, the risk of your organization’s data getting compromised remains in spite of contract termination. To avoid that, your organization should ensure the following upon termination of the partnership:
- Require vendors to destroy or delete all data related to your organization, and provide a formal certificate or letter of data removal. If the vendor subcontracted your organization’s data to other vendors, this needs to be included too.
- Internally, check that all access rights that vendors have to your organization’s systems and physical locations have been terminated.
Reliance on third-party vendors is an unavoidable facet of business today. Vendor risk management should therefore be a part of your organization's overall security posture. These 5 quick actions serve as an initial guide for you to improve your vendor risk management swiftly. You should also be proactively and continuously reviewing and improving your vendor management practices to ensure you have a robust supply chain.