5 Steps to Improve Your Supplier Information Security Risk Management

Date: Wednesday 17 July 2024
Time: 11:00 - 12:00
Location: Online

Your security is often only as good as that of your suppliers and the other providers in your supply chain. Suppliers pose a significant risk to your organisation's information security and data protection posture. If a supplier has access to your sensitive information, including personally identifiable information (PII), and does not have adequate security controls and practices in place, it could accidentally or deliberately expose that information to unauthorised parties. "Adequate" here means adequate by your definition, based on your risk appetite, not what the supplier deems appropriate. There is also the further threat that a compromise of a supplier's systems could lead to the compromise of your own systems and information, for example through the network connections, credentials or software the supplier provides to you.

As such, it is essential to thoroughly assess the information security and data protection risks attached to each of your suppliers and to implement measures proportionate to those risks. Based on the information a supplier has access to or processes on your behalf, you need to decide what controls you expect it to have in place. Managing information security and data protection risks from suppliers and the wider supply chain can be a complex task, but there are a number of concrete actions you can take to mitigate those risks.

In this webinar, we will present and discuss 5 key steps you can take to improve your supplier risk management.

  • Categorise Suppliers Based on Risk: Not all suppliers are the same. They need to be categorised based on the sensitivity of the data they handle or have access to, the services they provide to you and the potential impact on your organisation if a breach occurs. URM will advise on ways in which you can triage and categorise suppliers, which will help you determine the appropriate level of due diligence, monitoring and auditing required for each category.
  • Conduct Supplier Due Diligence: Using Abriska 27036, URM's risk management tool, we will demonstrate how you can streamline the due diligence process, robustly identify your high-risk suppliers for further action, and tailor questionnaires with specific information security and data protection questions for more in-depth assessment of critical suppliers.
  • Implement Risk Treatment Controls: Having identified your critical suppliers, URM will discuss some of the technical and organisational controls you can implement to reduce your risks, including specific clauses you can add to supplier contracts and agreements, and internal controls you can strengthen where a supplier's identified weaknesses leave you exposed.
  • Carry out Regular Audits: With your most critical suppliers, it is imperative that you audit them regularly to ensure they are meeting the contractual requirements you have specified. URM will discuss the aspects you should be auditing, e.g. reviewing external certification audit reports and penetration test reports, and checking that findings in those reports have actually been remediated.
  • Develop and Exercise Incident Management Plans: It is recommended that you develop and exercise incident management plans and, where appropriate, involve your most critical suppliers in those exercises. We will provide some ideas for scenarios you may want to use, such as a supplier notifying you of a breach affecting your data.


Did you miss the live event? Do not worry. We have recorded the webinar for you. Please register using the form below and we will provide you with the link to the recorded webinar when ready.
