Secure Supply Chain
Sharing information with suppliers is essential for any business to function, yet it also creates risk. Of all the supply chain risks, information risk is the least well managed. Your organisation goes to great lengths to secure on-premises intellectual property and other sensitive information, yet once that information is shared across the supply chain, security is only as strong as the weakest link. Information compromised in your supply chain can be just as damaging as information compromised from within the organisation.
Some examples of your suppliers may include:
- Cloud providers who may hold huge amounts of your and your clients' data (e.g. credit information, personal data, staff records, intellectual property) in other organisations or in other countries;
- IT contractors who deploy their staff into multiple client organisations, who may hold sensitive accesses at two competing companies simultaneously;
- Network service providers who provide data storage or Security Operations Centre functions at remote locations (often overseas);
- Overseas call centres;
- Vendors who supply and maintain safety or physical security systems (e.g. barriers or alarms) at sensitive sites;
- Third party recruitment consultancies.
CISO365 helps organisations ensure that third parties, partners and suppliers meet the information security standards your organisation requires, for example:
- for all new agreements with third parties, due diligence is exercised around information security and the contractual arrangements are adequate;
- the information security arrangements contained in existing agreements are reviewed and are adequate;
- the compliance of third parties is monitored against your information security requirements and contractual arrangements.
The approach typically covers the following key activities:
- Identify existing contracts or engagements with suppliers
- Identify a list of contracts and contract managers
- Identify the contracts that need to be risk assessed
- Agree the criteria to be used to prioritise and risk assess the contract set
- Apply the criteria consistently to the contract set
- Identify representatives from the business, security and commercial areas to support specific supplier assessments
- Explain the purpose of the supplier assessment and their role in ensuring that the risk is identified and properly managed
- Conduct the specific supplier assessments and agree the outcome of the findings with the supplier and internal representatives
- Provide the Audit Report on the outcome of the specific supplier assessment to key stakeholders
- Support the business representatives in managing out any identified supplier-specific risks, or escalate them through the risk management process as appropriate
- Feed lessons learned back into internal processes, e.g. into model contract terms and conditions
- Track the entire secure supply chain programme of work, providing appropriate Project and Management Reporting
The result: appropriate on-boarding due diligence and regular audits of existing and new suppliers, ensuring that suppliers meet or exceed your information security policy and standards.