{"id":92,"date":"2022-06-24T19:35:00","date_gmt":"2022-06-24T19:35:00","guid":{"rendered":"http:\/\/closehelmsecurity.co.uk\/?p=92"},"modified":"2024-03-17T16:27:32","modified_gmt":"2024-03-17T16:27:32","slug":"assessment-and-knowledge-your-key-tools-to-secure-suppliers","status":"publish","type":"post","link":"http:\/\/closehelmsecurity.co.uk\/?p=92","title":{"rendered":"Assessment and knowledge: Your key tools to secure suppliers"},"content":{"rendered":"\n<p>Originally Published Online: <a href=\"https:\/\/www.computerweekly.com\/opinion\/Assessment-and-knowledge-Your-key-tools-to-secure-suppliers\">Assessment and knowledge: Your key tools to secure suppliers | Computer Weekly<\/a><\/p>\n\n\n\n<p>As organisations increasingly rely on third parties to provide a myriad of IT and business services, the boundaries between the enterprise and its suppliers have become ever more blurred. The result is a complex supply chain \u2013 with each element introducing additional risk.<\/p>\n\n\n\n<p>It is often assumed that, by paying a partner to deliver the work, these risks are transferred to that third party. However, this is not the case. The risk remains the responsibility of the organisation, but different measures will be required to manage it now that a third party is involved.<\/p>\n\n\n\n<p>When mitigating these risks, it is understandable that the organisation in question will want to extend its own policies and controls to cover third parties. However, those third parties will themselves be balancing the disparate requirements of many different partners.<\/p>\n\n\n\n<p>Addressing supply chain risk is therefore a case of implementing various measures.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Screening<\/h3>\n\n\n\n<p>The first phase is to undertake systematic and rigorous screening of any potential business partner both up and down the supply chain (i.e. customers as well as suppliers). 
This is already mandatory in some industries (think anti-money laundering laws in the financial sector, for example), but it should be regarded as good business practice, regardless of legislation.<\/p>\n\n\n\n<p>It is essential that every enterprise knows who it is working with \u2013 both directly and indirectly \u2013 and therefore who it is connected to around the world, with checks being far more in-depth than a tick-box form completed by the potential partner. Screening processes should be automated to handle the huge volume of checks that need to be undertaken to fully vet a partner, and continuous, as a previously compliant third party could undertake an activity that reverses its status.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Contracts<\/h3>\n\n\n\n<p>Having onboarded a partner that has satisfied the initial screening process, contracts legally enforce organisational policies. These need to cover information handling, laying out how the enterprise\u2019s data will be protected while it is stored, but also during transmission and processing, as well as the procedure for its deletion.<\/p>\n\n\n\n<p>They also need to include security incident reporting, so that the business is notified of any event that could impact its information or data, and factor in training for the third-party partner on the organisation\u2019s core security values.<\/p>\n\n\n\n<p>While this is straightforward on the surface, the reality is often more complicated. Large third parties may wield their own policies with assurance that these already meet the necessary requirements \u2013 but it can be hard to verify that the specific measures in place meet the organisation\u2019s requirements, or to alter the contract to cover the specific conditions of that particular agreement. 
At the other end of the spectrum, some potential partners may be too small to implement all the controls required without increasing the price of their service to the point where it no longer makes commercial sense to continue.<\/p>\n\n\n\n<p>The \u201cright to audit\u201d is a critical contractual clause if the organisation is to retain any control by confirming that a partner is complying with its policies, but it can be challenging to have this included \u2013 and even more challenging to enforce it.<\/p>\n\n\n\n<p>Corporate credit cards mean it is also possible for contracts to be signed without legal teams being involved \u2013 software as a service (SaaS) for a small project can be purchased, for example, or another project undertaken which is small enough to be implemented without going through an organisation\u2019s full change management and service integration process. Despite \u201cshadow IT\u201d being a perennial problem, organisations often only look for unsanctioned software \u2013 services such as these are much harder to identify and are often overlooked.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance and governance<\/h3>\n\n\n\n<p>With a contract in place, ensuring compliance is a key activity as the enterprise needs to know that the partner is adhering to the legalities agreed. Many third parties will rely on providing confirmation of certifications such as ISO 27001, or regular reports such as SOC 2 Type II. 
These may be sufficient in some cases, but there may be occasions where more detail on how the third party is achieving compliance is required.<\/p>\n\n\n\n<p>Monitoring for compliance can be a challenge, but if third parties are on an organisation\u2019s network or in its applications, it might be possible to monitor via security information and event management (SIEM) tooling and privileged access management (PAM) tool logs, with activities reviewed to confirm they are not breaching agreements, for example by sharing user IDs.<\/p>\n\n\n\n<p>If a security operations centre (SOC) is in place, additional monitoring of third-party activities, or setting a higher priority on alerts relating to them, can be critical in identifying non-compliance with organisational policies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Technology<\/h3>\n\n\n\n<p>Integrating third parties with the organisation\u2019s existing technology estate is a critical part of managing risks. However, this is often overlooked when designing identity and access management systems, with privileged access governance for third parties set up in a way that does not meet the control requirements applied to the organisation\u2019s own employees.<\/p>\n\n\n\n<p>For example, an application may be ruled \u201cout of scope\u201d for controls because it is managed by a third party, or there is no capability to extend tooling into the system because it is set up and managed completely separately.<\/p>\n\n\n\n<p>Many organisations outsource their entire network management to third parties or integrate elements of third-party networks into their own via secure tunnels and other mechanisms. This can change the entire dynamic of how data should be protected as it flows over the network between applications, and how insider threats are modelled, as the enterprise no longer has assurance over the safety of anything transmitted on its network. Concepts such as zero trust become more important as it cannot be assumed that all network traffic is owned by, or visible to, the organisation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Termination<\/h3>\n\n\n\n<p>Once a contract is terminated, data that is no longer required should be disposed of (by the partner) in accordance with organisational policies, and evidence that this has happened provided. Ideally this should be enforced contractually, but it is often the case that smaller or time-limited projects that have shared data, such as small data analysis exercises, are undertaken without a contract due to services being purchased outside the official procurement system (as referenced above).<\/p>\n\n\n\n<p>Ensuring any third parties shut down network connections correctly when a service is no longer required is also essential to protect both the organisation\u2019s network and its intellectual property, which could still be hosted with the partner and accessible long after the contract has been terminated. Data breaches can occur when a third party does not dispose of development or test environments, which can be compromised and used as a bridge into other organisations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">In summary<\/h3>\n\n\n\n<p>As always in the security world, there is no silver bullet that will resolve all the issues arising from today\u2019s interconnected businesses and complex supply chains \u2013 and not all challenges require the same solution.<\/p>\n\n\n\n<p>Assessment and knowledge, however, are key tools \u2013 an end-to-end approach for systems and processes that considers the people, data and applications that are part of every process can help to identify problem areas that are outside the scope of control of the organisation, and flag where this introduces risk. 
With this insight, the appropriate measures and controls can be negotiated and implemented.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is no silver bullet that will resolve all the issues arising from today\u2019s interconnected businesses and complex supply chains, but there are some key tools at your disposal<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5,3],"tags":[26,12,7],"class_list":["post-92","post","type-post","status-publish","format-standard","hentry","category-computerweekly","category-published","tag-3rd-party-risk","tag-security-think-tank","tag-turnkey"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/paGq19-1u","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/92","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92"}],"version-history":[{"count":1,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/92\/revisions"}],"predecessor-version":[{"id":93,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/92\/revisions\/93"}],"wp:attachment":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent
=92"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}