In the cyber landscape today, you will likely agree when I say that third-party vendor risk management is a challenging and critical area for companies of any size or industry, given how much organizations rely on third-party vendors for the processing of data. As such, many regulatory compliance frameworks or guidelines contain requirements for third-party management, including MAS TRM Guidelines and ISO 27001 (A.15 Supplier relationships).
Depending on the business processes or the data outsourced to the third party, the security breach of the vendor could cause catastrophic damage to your organization. Take the example of a charity organization whose main source of income is the donation from the general public through a third-party fundraising platform. If the fundraising platform is compromised and all donors’ sensitive information is leaked to the hacker, many donors will lose confidence in supporting the charity group. As a result, the charity group could lose a huge chunk of its income source, and the business operations will be significantly impacted.
Take a real-life example of a Singapore-based telco that suffered a security breach because a supply chain vendor with access to its critical data was compromised. The result was stolen personal information: more than 129,000 NRIC numbers, along with names, dates of birth, mobile numbers, and addresses.
Having established the potentially catastrophic impact that an organization could face as the result of third-party incidents, this blog post will discuss five quick action items to help organizations improve third-party or supply chain risk management.
1. Review The Vendor’s Security or Privacy Page
Every third-party vendor that is serious about the security of the product or service it offers will have a dedicated security page describing the robustness of its information security program. If personal data is involved, a privacy page should be present as well. Reviewing the content of these pages is one way your organization can quickly eliminate companies from the vendor selection process. Is the information poorly written? Is there no such page at all to review? Those are immediate red flags to take at face value.
2. Validate The Vendor’s Security Certification Reports
Find out if the vendor holds any industry-recognized security certifications, such as ISO/IEC 27001 or SOC 2, after reviewing its security page. Then request the certification report from the vendor to validate that the certificate is indeed legitimate and valid.
In addition, your organization should verify, based on the report, that the scope of the certification is relevant to your organization. If a Customer Relationship Management (CRM) vendor claims to be ISO/IEC 27001 certified but the scope of its certification only covers its finance department, that says nothing about the security of its CRM platform.
Typically, a legitimate security certification will be enough security assurance for you to pick a vendor. But this is also dependent on risk; the greater the exposure that your organization has to the vendor, the more stringent your security checks have to be.
3. Conduct Additional Due Diligence Checks for Critical Vendors
If the business data the vendor has access to is highly sensitive and critical, simply relying on security certifications might not provide enough assurance. In those cases, consider having the vendor complete a due diligence questionnaire and provide the relevant evidence as proof. Has the vendor conducted a pentest on its software? How is the vendor securing its network and devices? These are examples of additional checks that give you better insight into the security posture of the vendor, on top of the certification reports. As you review the evidence provided, you might also identify issues that the auditors missed.
The same questionnaire process could also be applied to vendors without certification. It is an opportunity for those vendors to prove that they have implemented the necessary controls to protect your organization’s data in spite of a lack of certification.
4. Risk Acceptance and Management
After checking the certification and/or running through the questionnaire, your organization should have a better idea of the risks that the vendor poses. As much as we wish for vendors to be compliant with ALL your security requirements, that is usually not the case. Nonetheless, because of various business reasons, such work with vendors may still need to go on, regardless of risk.
This is where your organization needs to clearly communicate the risk of these engagements to management. Document the security risks involved and monitor the engagement closely. In the meantime, your organization should continuously look for ways to mitigate such risks, for instance by having appropriate incident response plans ready should a security incident strike.
5. Exit Management
The last tip, and an often overlooked one, is the exit management of vendors. If an exit management process is not enforced on vendors, the vendors may continue holding your organization’s sensitive data or retain access to your organization’s systems or buildings. As a result, the risk of your organization’s data getting compromised remains in spite of contract termination. To avoid that, your organization should ensure the following upon termination of the partnership:
- Require vendors to destroy or delete all data related to your organization, and provide a formal certificate or letter of data removal. If the vendor subcontracted your organization’s data to other vendors, this needs to be included too.
- Internally, check that all access rights that vendors have to your organization’s systems and physical locations have been terminated.
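The two exit checks above are easy to state and easy to forget, especially the subcontractor part. The script below is an added example (not from the original post, and not a real vendor management tool) that reconciles a small access inventory against the list of terminated vendors: for each terminated vendor it walks the vendor's subcontractor chain, reports any vendor in that chain that has not provided a certificate of data removal, and reports any account, VPN or building-badge access that is still active. All vendor names, systems, accounts and dates are constructed sample data.

```python
"""Vendor exit check: flag lingering data and access after contract termination.

Added example illustrating the exit management checks from the post. Every
vendor, system, account and date below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Vendor:
    name: str
    terminated_on: Optional[date] = None          # None = contract still running
    subcontractors: List[str] = field(default_factory=list)
    deletion_certificate: bool = False            # formal letter of data removal on file?


@dataclass
class AccessGrant:
    vendor: str
    system: str          # constructed system names, e.g. "vpn", "crm", "building-badge"
    account: str
    active: bool


def vendors_in_scope(name: str, vendors: Dict[str, Vendor]) -> Set[str]:
    """The vendor plus every subcontractor (transitively) that may still hold our data."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        current = stack.pop()
        if current in seen:          # also guards against subcontractor cycles
            continue
        seen.add(current)
        stack.extend(vendors[current].subcontractors)
    return seen


def exit_findings(vendor_name: str, vendors: Dict[str, Vendor],
                  grants: List[AccessGrant], today: date) -> List[str]:
    """Return human-readable findings for a terminated vendor; empty if nothing is wrong."""
    vendor = vendors[vendor_name]
    if vendor.terminated_on is None or vendor.terminated_on > today:
        return []                    # contract not yet terminated: nothing to check
    findings: List[str] = []
    for name in sorted(vendors_in_scope(vendor_name, vendors)):
        if not vendors[name].deletion_certificate:
            findings.append(f"{name}: no certificate of data removal on file")
        for grant in grants:
            if grant.vendor == name and grant.active:
                findings.append(f"{name}: active {grant.system} access for account {grant.account}")
    return findings


# Constructed sample inventory: a fundraising platform that subcontracted mailing
# to another vendor, plus an unrelated vendor whose contract is still running.
SAMPLE_VENDORS: Dict[str, Vendor] = {
    "FundraiseCo": Vendor("FundraiseCo", terminated_on=date(2024, 3, 31),
                          subcontractors=["MailSub"], deletion_certificate=True),
    "MailSub": Vendor("MailSub"),                 # subcontractor, never sent a certificate
    "OtherCo": Vendor("OtherCo"),                 # active contract, out of scope
}

SAMPLE_GRANTS: List[AccessGrant] = [
    AccessGrant("FundraiseCo", "crm", "svc-fundraise", active=False),   # correctly disabled
    AccessGrant("FundraiseCo", "vpn", "svc-fundraise", active=True),    # forgotten
    AccessGrant("MailSub", "building-badge", "badge-0042", active=True),  # forgotten
    AccessGrant("OtherCo", "crm", "svc-other", active=True),
]


def run_example(today: date = date(2024, 4, 15)) -> List[str]:
    """Run the check for the terminated vendor in the sample data."""
    return exit_findings("FundraiseCo", SAMPLE_VENDORS, SAMPLE_GRANTS, today)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run as-is it reports the forgotten VPN account, the subcontractor's still-active badge, and the missing deletion certificate from the subcontractor, while the vendor with a live contract produces no findings. In practice the grant list would be exported from your identity provider, VPN and badge systems rather than typed in, but the reconciliation logic is the same.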
As companies today become more interconnected with each other, the reliance on vendors will continue to increase. Vendor risk management plays a big role in the overall security posture of organizations. These 5 quick actions serve as an initial guide for organizations to improve their vendor risk management quickly. Organizations should continuously review and improve their vendor management practices to stay proactive, helping to maintain a robust supply chain.