One aspect of risk management that is often overlooked is managing risks from suppliers and third parties. Too often organisations assess risks originating from external sources such as script kiddies, hackers and even nation states, but third parties that are already on the network are overlooked because they are treated as trusted parties.
However, recent highly publicized data breaches such as the Target breach have highlighted the need to manage suppliers and third parties securely, and to ensure that a level of trust is gained before allowing these parties access to your networks and data.
Under ISO 27001 Supplier Security, controls must be established to identify all suppliers with access to your systems that may pose a risk to preserving the confidentiality, integrity and availability of your data. In modern-day environments, organisations maintain relationships with a large number of suppliers, so managing these relationships could be considered a full-time job. Indeed, many large organisations do have full-time personnel managing these relationships from a commercial perspective, but security is often overlooked.
Recent statistics identify a high risk of data loss when allowing suppliers access to data.
To ensure compliance with the ISO 27001 Supplier Security controls, organisations must securely manage these relationships to ensure that:
- Suppliers only have access to systems (and data) that they are specifically authorized for.
- Supplier access is managed, controlled, monitored and ideally time-bound.
- Suppliers have a suitable baseline level of security, commensurate with your organisation's security posture.
- Suppliers are governed by security policies and procedures, and subject to non-disclosure and confidentiality clauses.
- Suppliers are delivering services as anticipated and that any lack of service provision does not adversely affect the organisation, or expose the organisation to unnecessary risk.
Ensuring the above statements can be realized significantly reduces the organisation's exposure to risk. For example, allowing a supplier full network access via an always-on connection with no background checks or vetting of the supplier significantly increases the risk to the organisation's data.
This may result in a compromise on the supplier's side being exploited to access your organisation's systems and data via an authorized connection mechanism. If you think about it logically, a supplier with access to your network is simply an extension of your current workforce and authorized user set, unless appropriately managed.
So how do you identify high-risk suppliers and govern these appropriately? The first thing to do is to identify all your suppliers and the services they provide. By doing this, you are able to group suppliers based on perceived risk: a supplier providing toner or stationery is not likely to prove as big a threat as a supplier managing your network, for example.
One way to calculate risk is to assess the supplier's access to your systems (or, being more granular, to your sensitive systems holding cardholder or personal information data, for example) and afford a risk rating assuming complete loss or compromise of this data.
For example, Supplier A managing my web server containing publicly available information is unlikely to be as big a risk as Supplier B managing my back-end databases for production environments. Therefore, I would want increased assurance that Supplier B operates a secure environment sufficient to handle my sensitive data.
Once you have a list of all suppliers and the services they provide, with associated risk scores, you can begin to focus attention on ensuring those suppliers are not presenting a security risk to your environment. ISO 27001 Supplier Security controls suggest you achieve this by vetting the supplier either through a supplier security questionnaire or via an audit process.
If you are not already in contract with a supplier, an easy way to achieve this is to issue a supplier security questionnaire based on a selection of controls you feel are necessary to protect your information appropriately. Responses to the questionnaire may require validation before proceeding into a contractual relationship with that supplier.
The next step is to ensure contracts with suppliers include the relevant clauses to enforce information security obligations. You may wish to work with your legal department, but as a minimum the contract should specify requirements for handling and managing your data securely, in addition to any specific requirements you may have.
For example, you may wish to ensure your supplier's personnel have undertaken appropriate vetting to manage your data, so this should be specified in the contract. More importantly, the contract should state the right to audit at any time so as to maintain complete transparency.
Finally, once in contract, the service should be regularly reviewed to identify the impact that any changes or inability to meet service level agreements may have on the business. For example, a change of location or outsourcing may impact the security of your data, so this should be reviewed regularly.
Supplier security should be integrated with supplier management from a commercial perspective to streamline the process as far as possible. It is recommended that organisations build security aspects into commercial meetings with account managers, and ensure the organisation's expectations for security are defined at the start of a contract, as implementing them mid-way through a contract can be difficult. ISO 27001 Supplier Security controls offer a good baseline level of security that should be considered.