Suppliers and Information Security Risk

What is the challenge?

Most businesses need to engage with suppliers in order to ensure reliable and effective supply of goods and services. These suppliers range from those who store or process sensitive information, to those that pose little or no information security risk at all. For instance, the variation in the level of risk posed by a specialist IT provider as opposed to an office stationery supplier would be very different.

The supplier risk assessment process, therefore, needs be proportionate to the service the supplier provides you and the information you share with them. For example:

  • Do you outsource your payroll and pension provision? How much access do these suppliers need to your HR information?
  • Do you outsource management of your network infrastructure? What processes do they have to ensure that only authorised individuals within their organisation access your network?
  • Does your supplier need direct access to your network components to deliver an effective service? What network security controls does the supplier have in place?
  • Do you share critical information with your suppliers in order for them to deliver their services? Where is this information stored?
  • Do you use any Software as a Service (SaaS) or other cloud solutions? What information is being stored and/or processed? Where is the solution located and what is the risk associated with this?

Unfortunately, for many organisations, the answer to some of the above questions is likely to be “I don’t know.” There will be someone in the organisation who does know, but they may not be responsible for information security.
Even if you are aware of the answers to the above questions, do you know what security controls your suppliers have in place to protect your information? Whilst they may be perceived as being adequate by the suppliers, are the controls sufficient for your risk appetite?

Knowing where the information security risk lies

Supplier risk management is the same as any other risk management activity; to understand and make measured decisions on where resources should be allocated or where changes to processes should be made. This is especially important in organisations who rely on products and services from a wide variety of different types of suppliers. But where do you start?
Here, URM presents its 5-step process for helping manage risks associated with your suppliers.

  1. Establish a robust process to capture all suppliers

  2. You need to know who your suppliers are – and you need to know about all of them. Therefore, you need to identify all of your suppliers and ensure that your procurement/ contract management processes are amended to include steps capturing the information security related details of new suppliers. It is critical to engage with all departments within your organisation to understand how new suppliers are evaluated and selected.

  3. Categorise suppliers based on what they do for you

  4. As we have already determined that all suppliers are different, why would you want the same assessment process for all suppliers? This step enables you to allocate each supplier to one or more categories which will determine which assessment questions a supplier is required to complete.
    Depending upon the nature of your business, these categories will look different from one organisation to another. Example categories could include ‘Organisations that have direct connection to your network’, or ‘Organisations that have physical access to offices’ or ‘Cloud service providers’. By determining a number of high level categories, new suppliers can be quickly segmented, allowing you to conduct more detailed risk assessments later in the process.

  5. Prioritise based on the information you share with your suppliers or the information they may have access to

  6. At this stage you have categorised your suppliers by the service they offer or how they interact with your organisation. The next step is to understand what information they store, process or transmit and the level of sensitivity of that information. This allows you to prioritise the evaluation of suppliers based on the business impact of the information.
    Typically, this is best completed by engaging with people within your business who understand what each of the suppliers provide you and what information of yours they store, communicate or process. From this, you can gain a pretty good idea of which suppliers present the greatest information security risks. Take two cloud service providers for example: there will be different priorities and risks attached to one which stores HR data compared to one which processes your publicly available social media feeds.

  7. Conduct tailored assessments of suppliers

  8. Now that you have an understanding of what suppliers you have, how they interact with your systems and what information they have access to, you should be in a position to tailor a questionnaire relevant to the supplier and the service they provide.

  9. Analyse responses and integrate the results with existing risk management activities

When the questionnaire responses are analysed, you will have a better understanding of whether your suppliers’ information security measures and controls meet your risk appetite based on the information that you share with that supplier. This will enable you to make risk treatment decisions about what to do next:

  • Some suppliers may have provided sufficient evidence which satisfies that they are low risk and you can schedule a follow-up questionnaire to be sent out in an appropriate time period e.g. twelve months.
  • Other suppliers may pose a level of risk which requires further attention (i.e. outside of your risk appetite). As such, you have a number of courses of action available:
    • Simply communicate your expectations and ask certain suppliers to meet those.
    • For organisations that pose a higher risk, you may add them to your internal audit plan to ensure that they are meeting your information security requirements.
    • You may wish to see some form of evidence that the supplier is doing what they say they have indicated in their questionnaire response.
    • You may decide to just keep in touch with them periodically to ensure they are maintaining their approach and send them further questionnaires in the future.
    • Where the risk is considered too great, services may be brought in house or transferred to another provider.

It doesn’t end there

As we mentioned in step one, you need to ensure that new suppliers are taken into consideration but you also need to remember to revisit and verify existing suppliers. Each supplier should be sent a new questionnaire periodically and if their categorisation changes, you need to capture any changes and ensure that this does not affect the risk that the organisation poses to you. Understanding and addressing supplier risk should be an ongoing ‘business as usual’ activity.
Many organisations are in a situation where, even though their own processes are locked down in terms of information security risk, they are leaving themselves vulnerable to risks caused by suppliers. What may be keeping you awake at night is that you probably don’t really understand what information security controls your suppliers have in place and whether, in your opinion, they are sufficient to address your risk.

Is it time to start finding out and taking control?

For more information about tools to help manage the information security risk associated with suppliers, contact Matt Thomas, Risk and Product Director at URM