Common Questions When Managing Supplier Information Security Risks

Matt Thomas | Product and Risk Director at URM | Published on 5 Sep 2024

Suppliers and supply chains are essential to the continued success of any organisation; however, they can also pose significant security risks. If a supplier has access to your systems and information, any attacks or breaches it suffers could also have a significant impact on your organisation and even lead to sensitive information being exposed. As such, it is vital to conduct supplier information security risk management by determining and verifying the effectiveness of your suppliers’ information security policies, processes and controls. It is important to note that this process is not complete once suppliers have been onboarded. Understanding the security posture of their subcontractors, conducting audits to validate the efficacy of their information security programme, and (in some cases) carrying out joint incident response exercises are all vital in ensuring information security is maintained throughout your ongoing engagements with different suppliers.

In this blog, Matt Thomas (Product and Risk Director at URM) answers key questions on information security supply chain risk management, with a particular emphasis on the aspects to consider after a supplier has been selected.  This blog is based on a webinar '5 Steps to Improve Your Supplier Information Security Risk Management', delivered in 2024 by Matt and Lauren Gotting (New Business Manager at URM), where Lauren and Matt provided valuable advice on how organisations can improve their supplier information security risk management.

Risk Management of Supplier Subcontractors

Do you need to conduct information security risk management for your supply chain/suppliers’ subcontractors?

Whilst information security risk management is almost always necessary for your immediate suppliers, it can be difficult to determine when risk management relating to your suppliers’ subcontractors is required, and when this is superfluous.  URM has found that it may be useful to conduct supply chain mapping of your suppliers’ key subcontractors, and this is particularly true for those suppliers that are processing sensitive information (e.g., commercially sensitive information, and personally identifiable information or ‘PII’).  Where possible, you should include an element within your supplier contract that ensures you will be informed of any changes to the subcontractors they are engaged with.

What do you do if a supplier refuses to share information about their subcontractors?

In this circumstance, you will need to make a risk-based decision on how to proceed.  Depending on your risk appetite, you may be able to accept the risk and proceed in your engagement with the supplier without an understanding of the risks associated with its subcontractors.  Hopefully, however, you will be able to reach an agreement with the supplier in question, where you receive sufficient information to provide you with the necessary assurance that the risk is low enough for you to tolerate whilst still being acceptable to the supplier. For example, a supplier may not be able to provide you with a hard copy of their policies relating to their suppliers, but will be able to show these to you via a Microsoft Teams session to demonstrate that they have the appropriate policies in place.

Should contracts with suppliers include the right to audit their subcontractors?

Whilst it is important that you are able to verify the security posture of your suppliers’ subcontractors, auditing these subcontractors yourself is likely to be extremely onerous and impractical.  As such, we would recommend pushing the responsibility for this onto your suppliers by including a contractual requirement for them to provide you with a report on various measurements and metrics from their supplier management process.

Auditing Suppliers

How do you approach auditing your most critical suppliers?

First, we would recommend planning your audit schedule based on the categorisation of your suppliers and selecting appropriate controls to audit based on the product/services they are providing you with, instead of attempting to audit all of the clauses and controls from ISO 27001.  You may have a supplier that manages your key finance system, for example, so you would benefit from auditing the user management of its support users. There are a number of other key areas you should consider auditing:

  • Access controls
  • Data protection
  • Technical testing (such as a penetration test – this may be particularly useful for SaaS platforms, web applications, etc.)
  • Supply chain testing
  • Security in the development lifecycle
  • Incident response
  • Training and awareness
  • Business continuity and disaster recovery
  • New threats and changes in regulation.

Should supplier audits be conducted remotely or in person?

Both approaches have their merits and drawbacks.  Remote audits are much easier and more convenient, and can be conducted over a couple of hours without needing to travel to a supplier’s premises.  However, remote audits can sometimes lead to you missing opportunities to build rapport and relationships, and learn more about the audited organisation, e.g., observe the visitor management process in operation.  As such, it may be best to make a case-by-case decision on which approach is most appropriate for each key supplier.  Again, you will be taking into consideration the products/services they provide.  If you are auditing the security of a data centre, for example, understanding the physical security measures it has in place will be extremely important and will generally only be practicable with a site visit.

What steps do you need to take following a supplier audit?

Once the audit has been completed, it’s important to ensure reporting is relevant and shared with all of the appropriate personnel, which may include your CISO, IT, Security, Procurement, Legal, and Compliance teams, as well as the respective supplier, for in-depth review and action planning.

Including Suppliers in Development and Exercising of Incident Management Plans

When should suppliers be included in incident management exercises?

It is important to understand that you should only include your most critical suppliers in incident response exercising and those suppliers you have built a relationship with, as a significant level of detail, information and mutual support will be required from both parties to conduct an effective exercise.  The amount of effort required may not be justifiable for suppliers that have a lower criticality to your organisation, and will be difficult to achieve with a supplier you do not have a strong relationship with.

How do you ensure incident management exercises that include suppliers are meaningful?

To make the exercises more realistic and beneficial, we would recommend alternating which party is experiencing the incident, i.e., not always developing an exercise scenario in which the supplier has suffered an incident, but also scenarios in which your organisation has suffered an incident that the supplier is helping you respond to. There is a range of realistic scenarios you could use in your exercises; however, in an information security context, the scenario of a cyber attack against the supplier tends to be used most frequently. Due to their wide-ranging impact, there are a number of interesting aspects that emerge from cyber attack scenarios, such as whether the incident is a data breach and whether it will need to be reported to any regulatory bodies.

Disruption to service delivery is another potential scenario that may be useful to consider, particularly when creating an exercise that involves an organisation such as a call centre or managed service provider.  The exercise will provide you with an opportunity to establish how an interruption to their services will impact your organisation, and how you and your supplier would work through any issues that arise.

Other Questions

Should supplier contracts for different suppliers be the same?

There are likely to be some standard contractual clauses that are common to contracts with your different suppliers; however, in the main, they should be tailored to each individual supplier in accordance with the services provided and the risks associated with that third party. To learn more about developing supplier contracts, read our blog on How to Conduct Effective Supplier Information Security Risk Management.

When should organisations begin to consider a supplier risk management tool, rather than relying on spreadsheets?

As your supplier risk management increases in complexity, a supplier risk management tool will become necessary. Whilst a tool will, most likely, not be required when you only have a small number of suppliers in place, as your supplier list grows and the number of individuals within your organisation responsible for different suppliers increases, the need for a tool will become apparent in order to manage the varying timescales, the different onboarding processes, supplier questionnaires, etc.

When assessing the information security criticality of your suppliers, should you consider CIA?

Confidentiality, integrity and availability (CIA) are the three fundamental principles that guide effective, best practice information security management (see our blog on What is the CIA Security Triad? Confidentiality, Integrity and Availability Explained for a comprehensive explanation of CIA and what it means in practice). We would strongly recommend using these principles as a lens through which to assess the criticality of your suppliers. You may, for example, find that you are sharing information that must remain confidential, but the availability of that information is less important, and it’s not as essential to ensure the information is kept up to date and accurate, i.e., that its integrity is maintained. By evaluating suppliers in this way, you are more likely to achieve consistent and repeatable results when assessing the criticality of different third parties you are looking to engage with.
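As an added illustration (not part of URM's article or of the Abriska tool), the following Python script rates suppliers through the CIA lens described above and maps any dimension rated highly onto the audit areas listed earlier in the Auditing Suppliers section, so the same rubric drives both the criticality assessment and the audit plan. The 1 to 5 rating scale, the tier thresholds, the mapping from CIA dimension to audit area and the sample suppliers are all assumptions constructed for the example. It also contrasts a worst-dimension tier with an averaged one, to show why a supplier like the one in the paragraph above (highly confidential data, but low integrity and availability needs) would be under-rated if the three ratings were simply averaged.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed impact scale for each CIA dimension: 1 = negligible, 5 = severe.
MIN_RATING, MAX_RATING = 1, 5

# Constructed tier thresholds, applied to a single score (checked highest first).
TIERS = [(5, "critical"), (4, "high"), (3, "medium"), (1, "low")]

# Assumed mapping from each CIA dimension to the audit areas named in the article.
AUDIT_AREAS = {
    "confidentiality": ["Access controls", "Data protection"],
    "integrity": ["Security in the development lifecycle", "Technical testing"],
    "availability": ["Business continuity and disaster recovery", "Incident response"],
}


@dataclass(frozen=True)
class CiaImpact:
    """Impact on your organisation if the supplier fails in each CIA dimension."""

    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so the rubric stays repeatable.
        for name, value in self.as_dict().items():
            if not MIN_RATING <= value <= MAX_RATING:
                raise ValueError(f"{name} rating {value} is outside {MIN_RATING}..{MAX_RATING}")

    def as_dict(self) -> dict[str, int]:
        return {
            "confidentiality": self.confidentiality,
            "integrity": self.integrity,
            "availability": self.availability,
        }


def tier_for_score(score: float) -> str:
    """Map a numeric score onto the first tier whose threshold it meets."""
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return "low"


def criticality_tier(impact: CiaImpact) -> str:
    """Worst-dimension tier: one severe dimension is enough to make a supplier critical."""
    return tier_for_score(max(impact.as_dict().values()))


def averaged_tier(impact: CiaImpact) -> str:
    """Averaged tier, shown only for contrast: it dilutes a single severe dimension."""
    return tier_for_score(mean(impact.as_dict().values()))


def audit_focus(impact: CiaImpact, threshold: int = 4) -> list[str]:
    """Audit areas for every dimension rated at or above the threshold, in C, I, A order."""
    areas: list[str] = []
    for name, value in impact.as_dict().items():
        if value >= threshold:
            areas.extend(AUDIT_AREAS[name])
    return areas


def assess_suppliers(suppliers: dict[str, CiaImpact]) -> list[tuple[str, str, list[str]]]:
    """Rate each supplier and order the result critical-first, ready for audit scheduling."""
    rank = {tier: position for position, (_, tier) in enumerate(TIERS)}
    rows = [(name, criticality_tier(impact), audit_focus(impact)) for name, impact in suppliers.items()]
    return sorted(rows, key=lambda row: rank[row[1]])


if __name__ == "__main__":
    # Constructed sample suppliers; the names and ratings are not from the article.
    sample = {
        "payroll-saas": CiaImpact(confidentiality=5, integrity=2, availability=2),
        "call-centre": CiaImpact(confidentiality=3, integrity=3, availability=5),
        "stationery": CiaImpact(confidentiality=1, integrity=1, availability=2),
    }
    for name, tier, areas in assess_suppliers(sample):
        print(f"{name:13} worst-dimension={tier:9} averaged={averaged_tier(sample[name]):7} audit focus={areas}")
```

Running the script prints the supplier that holds confidential payroll data as critical under the worst-dimension rule but only medium under averaging; the worst-dimension rule is the one that matches the article's advice, because the CIA lens is meant to surface the single property you cannot afford to lose, not a blended score.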

How URM can Help

One of the greatest challenges of managing risk in your supply chain is the administrative burden and significant possibility for human error when assessing numerous suppliers providing a diverse range of services. Abriska 27306, URM’s web-based supplier risk management tool, is the ideal solution for organisations that have numerous suppliers with various levels of risk.  Our supplier risk management software enables you to tailor your supplier questionnaire to ensure only relevant questions are sent to each supplier, as well as allowing you to ask more in-depth questions of those suppliers with greater access to your organisation’s sensitive information, whilst also improving efficiency by automating the distribution and analysis process.   Designed by URM’s information security consultants in line with established best practice, Abriska comes pre-populated with a core set of questions which are aligned with both ISO 27001 and ISO 27306, and which have been augmented with additional questions devised by our experts, helping you to action an effective information security supplier risk management plan.  With our cost-effective and reliable software, you can freely upload documents, use a single dashboard to manage all of your suppliers, and configure reminders and chasers to be sent automatically.  For each supplier, Abriska will also automatically provide you with a calculated risk score and a concise supplier report, therefore streamlining your business risk management process.

Matt Thomas
Product and Risk Director at URM
Matt possesses more than 15 years of experience working in information security and cyber security. He is particularly skilled and adept in the area of risk management and has led the development of URM's suite of Abriska risk management modules and underpinning assessment methodologies.
