Is Your Organization Following Best Practices for Vendor Risk Management?

Supply chain risk has been one of the hottest topics in information security recently. For the purposes of this paper, I will discuss a particular type of supply chain risk: cyber supply chain risk, defined as a lack of visibility into, understanding of, and control over many of the processes and decisions involved in the development and delivery of cyber products and services. The way to address this risk is through the proper implementation of vendor and third-party service provider risk management.

The most comprehensive and current guidance on this subject is NIST Special Publication 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM). In this latest update, NIST aligned its guidance with Executive Order 14028, Improving the Nation’s Cybersecurity, resulting in a massive body of guidance that is 315 pages long. Employing this guidance requires users to examine their own systems and organizations minutely and to tailor the application of controls to their particular needs. The guidance is updated constantly, and users are urged to visit the NIST website to obtain the latest version when constructing their supply chain security program.

In the supply chain risk management family, 800-161r1 currently contains 13 sections of supplemental guidance for implementing a supply chain risk management program. I outline vendor risk management strategies below, but I urge you to go through 800-161r1 yourself to get the full picture of supply chain risk management.

  • Inventory of service providers.
    • Maintain an up-to-date inventory of all service providers, categorizing them based on the level of access to sensitive data and the criticality of the services provided.
    • Assess the financial stability of vendors to ensure long-term viability and performance stability.
  • Due diligence and risk assessment.
    • Perform initial and periodic risk assessments of service providers, documenting their ability to meet security and performance requirements.
    • Manage vendor concentration risk to prevent over-reliance on a single provider for critical services.
  • Contract management.
    • All contracts with service providers should include explicit security requirements, data protection clauses, and the right to audit compliance with the contract terms.
    • Contracts should address the responsibilities for both parties in the case of a breach or data protection incident.
  • Oversight and monitoring.
    • Regularly monitor service providers to ensure compliance with security requirements and contractual obligations.
    • Establish a process for reviewing service provider controls and performance, including the right to conduct audits or request third-party certifications of compliance.
  • Contingency planning.
    • Require service providers to have adequate business continuity and disaster recovery plans that align with the organization’s own resilience strategies.
  • Consumer protection and data privacy.
    • Require service providers to have adequate business continuity and disaster recovery plans that align with the organization’s own resilience strategies.
  • Compliance with laws and regulations.
    • Service providers must comply with all relevant laws and regulations.
  • Third-party relationship management.
    • Define clear roles and responsibilities for managing third-party relationships, including the process for ongoing due diligence and risk assessment.
  • Vendor offboarding.
    • Develop secure and documented processes for vendor offboarding, ensuring the safe return or certified destruction of organizational data, and revocation of system access upon termination of services.
    • Performance metrics and continuous improvement processes should be established to measure the effectiveness of the vendor risk management program.

Undertaking these steps will help ensure that your organization is handling supply chain risk management competently.