These past few weeks I have been working with a few clients and researchers on the vendor-side / supply chain risk of business operations. The commonplace activities of course exist, and include at least:
- Weighing the criticality of each vendor (a term I will use to cover the supply chain too, going forward) to the operational state of the business
- Weighing aspects of regulatory and contractual mandates of said vendor
- Weighing classic #infosec considerations – C.I.A. ++
- Establishing a tiered system of vendor management practices based upon data, system access, and of course points 1 & 2 above.
- Executing and evaluating these vendors through an actual evaluation of their operations (appropriate scope applied) to ensure that security and operational activities are in place for YOUR business-dependent assets — this is key here: a PowerPoint presentation is not satisfactory, period. It does not matter who the vendor is – big, small, big brand, or otherwise… the vendor assessment is not satisfied with this type of response; it should be considered a fail and raised to management to consider next steps.
- Tight integration with legal, procurement, and risk management to ensure that good vendors are added (garbage in, garbage out), and that actions can be taken that properly balance the strategic needs of the business.
- Severing relationships with vendors that do not meet the requirements of your business
Now, the above doesn’t mean establishing a static assessment approach with a litany of questions pulled from the internet; instead it should be a thoughtful, key set of controls that the vendor MUST address and maintain over the course of the relationship.
Generally, the above are quite standard and commonplace. What has recently been interesting to me is (pardon the use of an industry phrase) the use of ‘out-of-band’ signals regarding vendor and supply chain risk. I shared two of these thoughts online today on Twitter:
- How often does your risk assessment & vendor management program factor in supply chain risk? Low-hanging fruit: monitor their breaches.
- Who follows the 10-K filings of key businesses that are suppliers and peers at the CSO / CRO / CISO level? These are key inputs into where vendors are setting their priorities, and into any red flags (infosec issues; operational concerns; financial challenges).
It is imperative today to KNOW which vendors (supply chain) participate in your organization, and to extend the vendor program to bring these signals into consideration.
There are many other areas to consider, and I would love to hear others’ ideas, here or @jdeluccia.