Cyber-criminals’ successful targeting of service providers has made vendor risk management an increasingly hot topic in information security. But what about risk from your vendor’s vendors… and their vendors… What “fourth-party risk” or supply chain risk does your business face?
For example: When a manufacturer of mobile devices gets components from third parties, and those third parties use third-party chips, should the manufacturer check directly on that “fourth-party” chip manufacturer? How far downstream should your due diligence extend in today’s global, multi-tier supply chains?
As the Information Security Forum (ISF) puts it, “Sharing information with suppliers is essential, yet increases the risk of that information being compromised.” That makes cybersecurity a supply chain problem.
The challenge for many companies is to pinpoint which suppliers pose the most critical risks, whether directly or through their own subcontractors. Obviously you can’t chase down every vendor your vendors utilize, let alone the vendors those vendors utilize in turn. It’s also often challenging to identify what data is shared with what vendors.
Perhaps the most cost-effective and scalable approach is to develop risk-based information security controls that include appropriate oversight of third-party risk, so that you (and any regulators or auditors who come knocking) have adequate assurance that fourth-party/supply chain risk is, in turn, addressed.
As part of that effort, organizations can measure the security maturity across their supply chain, and then apply the results to their own security posture. Are your suppliers’ IT systems ISO 27001 certified, for instance? There are several cross-organizational standards initiatives that can help with this process:
- The Shared Assessments Program, which provides a standard, consistent and efficient “trust, but verify” model for vendor risk assessment leveraging the Standard Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP).
- SecurityScorecard—a new service billed as “the first collaborative security risk platform,” which enables businesses to directly share detailed security information with partners, suppliers and vendors to facilitate faster, better-informed decisions on vendor risk.
- The ISF’s supply chain security initiative with its associated risk assurance process. The goal of this process is to provide support for managing contracts so that risk assessment efforts are in alignment with the risk that each vendor actually presents.
Examining fourth-party risk can be challenging given that there is generally no direct contractual relationship in place. Instead, it usually makes more sense to focus on how your third-party vendors conduct their own oversight programs and how they handle their own vendor risk management.
One option service providers have is to hire an outside assessment firm like Pivot Point Security to report on their controls against the Shared Assessments Program’s AUP. This “proactive attestation” provides clients and prospects with an independent assessment that saves them time and money.
For guidance on what due diligence in third-party risk management looks like for your organization, contact Pivot Point Security.
The post Considerations for Managing Fourth-Party/Supply Chain Risk appeared first on Pivot Point Security.