Template: Everything you Need to Craft a Supplier Risk Management Plan

Kaitlyn Graham | June 16, 2021 | tag: Third Party Risk Management

Third-party vendors are a vital part of your business ecosystem. But if you’re not careful, these companies can introduce cyber risk. The SolarWinds supply chain hack is a notable example of the jeopardy that even the most trusted partnerships can yield.

But with so many moving parts, creating a supplier risk management plan – and executing on it – can be a challenging and arduous task. According to Gartner, 60% of organizations work with more than 1,000 third-party vendors. That’s a huge pool of companies that require assessments, both at onboarding and throughout the relationship lifecycle.

While there are many cyber risk management frameworks and cybersecurity maturity models that you can reference, it’s hard to know where to start. To help, we’ve outlined a template of the key things you should include in your supplier risk management plan so that you can kickstart your vendor assessments with three easy steps. 

A template for your supplier risk management plan


When crafting your plan, there are three key areas to consider:

  1. Which cybersecurity frameworks you will assess your vendors against
  2. The most critical questions you should ask them
  3. How you will continuously monitor supply chain cyber risk

Let’s look at each:

1. Determine the best cyber risk assessment methodologies

Cybersecurity frameworks provide a common language and set of standards for assessing your vendors’ security postures and are helpful starting points for informing your plan. There are several frameworks that you can consider, but we suggest you start with three:

  • CIS Controls: Formerly known as Critical Security Controls or the SANS Top 20, this framework contains a list of security recommendations and controls that can guide your security improvement program. When incorporated into your supplier risk management plan, CIS Controls are a useful benchmark for assessing your vendors’ security performances using guidelines trusted historically by many organizations.
  • NIST Cybersecurity Framework: Considered the gold standard for assessing cybersecurity maturity; this framework combines a variety of cybersecurity standards and best practices (including CIS Controls) into one understandable document. It’s a useful reference for assessing vendor risk because it incorporates governance and technology considerations, whereas CIS Controls are focused on technology alone.
  • Shared Assessments: A trusted source dedicated to developing best practices, education, and tools that drive third-party risk assurance. This organization is best known for its industry-leading vendor risk assessment tool – the Standardized Information Gathering (SIG) Questionnaire. Updated annually, it aligns with 50+ government regulations and industry standards.

2. Identify the critical questions you must ask your vendors

While these cybersecurity frameworks are valuable, there are literally thousands of questions you could mine from them. Knowing which are the most important to your organization isn’t easy. To help jumpstart the process of building your template, we’ve compiled a list of the 40 Questions You Should Have in Your Vendor Security Assessment.

This guide blends both NIST and CIS Controls frameworks and provides a baseline of the most critical questions you should ask your vendors. For instance: 

  • Does the vendor conduct drills and exercises to test and refine their incident response?
  • How are these incidents reported?
  • When was the last time they had a cybersecurity assessment performed by a third party?
  • What were the results of their most recent penetration test?
  • Plus many more...

Your plan should also include a process for validating responses. But you don’t need to conduct lengthy and costly on-site assessments of each vendor. 

Instead, use a tool like BitSight Security Ratings to verify your suppliers’ security performance. Security ratings provide an objective, data-driven representation of your vendors’ security postures. For example, the BitSight platform can identify if a vendor’s IT infrastructure has known security vulnerabilities, compromised systems, or fails to adhere to industry best practices. The higher the rating, the better the security posture.

3. Plan to continuously monitor your vendors for cyber risk

While cybersecurity risk assessments and questionnaires are among the most powerful tools for assessing your vendors’ security postures, traditionally they have only captured a snapshot of risk. In between assessments, vulnerabilities can emerge without your knowledge and put your organization at risk.

That’s why your plan should include a strategy for continuously monitoring your third parties in near real-time – over the lifecycle of the relationship.

Again, this doesn’t have to be a complex or unwieldy exercise. Using security ratings, you can automatically and continuously evaluate your vendors for cyber risk.

Start by setting acceptable vendor risk thresholds based on your industry and the criticality of the supplier. Then, bake those into your plan. Once onboarded, monitor your vendors for movement against these thresholds. If a vendor’s rating falls below a certain score the BitSight platform will alert you. With this insight, you can work with the vendor to remediate the issue or determine if a deeper security assessment is required.
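The threshold-and-alert loop described above can be expressed as a small monitoring routine. The following is an added illustration, not BitSight code or a description of the BitSight platform's API: it assumes a 250–900 rating scale, four criticality tiers with constructed minimum ratings, and a constructed rating history per vendor. It raises one alert when a vendor's latest rating falls below the threshold for its tier, and a second, earlier warning when a rating drops sharply between two consecutive snapshots even though it is still above the threshold, so that remediation conversations can start before a breach occurs.

```python
"""Continuous vendor-risk monitoring against criticality-based thresholds.

Added example; not BitSight's code. The rating scale, tier thresholds,
vendor names and rating histories below are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Minimum acceptable rating per supplier criticality tier (constructed values).
THRESHOLDS: Dict[str, int] = {
    "critical": 740,  # e.g. vendors with access to production or regulated data
    "high": 700,
    "medium": 650,
    "low": 600,
}

# A drop of this many points between consecutive snapshots is worth a look
# even while the vendor is still above its tier threshold.
DROP_ALERT_POINTS = 40


@dataclass
class Vendor:
    name: str
    criticality: str
    # Ordered rating snapshots, oldest first (constructed sample data).
    ratings: List[int] = field(default_factory=list)


@dataclass
class Alert:
    vendor: str
    kind: str  # "below_threshold" or "sharp_drop"
    rating: int
    detail: str


def evaluate_vendor(vendor: Vendor) -> List[Alert]:
    """Return the alerts raised by the latest snapshot of one vendor."""
    if vendor.criticality not in THRESHOLDS:
        raise ValueError(f"unknown criticality tier: {vendor.criticality!r}")
    if not vendor.ratings:
        return []  # nothing observed yet: an onboarding gap, not a breach
    threshold = THRESHOLDS[vendor.criticality]
    latest = vendor.ratings[-1]
    alerts: List[Alert] = []

    if latest < threshold:
        alerts.append(Alert(
            vendor.name, "below_threshold", latest,
            f"rating {latest} is below the {vendor.criticality} tier threshold {threshold}"))

    if len(vendor.ratings) >= 2:
        previous = vendor.ratings[-2]
        drop = previous - latest
        if drop >= DROP_ALERT_POINTS:
            alerts.append(Alert(
                vendor.name, "sharp_drop", latest,
                f"rating fell {drop} points since the previous snapshot ({previous} -> {latest})"))
    return alerts


def monitor(vendors: List[Vendor]) -> Dict[str, List[Alert]]:
    """Evaluate every vendor; only vendors with at least one alert appear."""
    result: Dict[str, List[Alert]] = {}
    for v in vendors:
        alerts = evaluate_vendor(v)
        if alerts:
            result[v.name] = alerts
    return result


# Constructed sample portfolio.
SAMPLE_VENDORS = [
    Vendor("payroll-provider", "critical", [790, 785, 720]),  # breach and sharp drop
    Vendor("cdn-provider", "high", [760, 755, 750]),          # healthy
    Vendor("print-shop", "low", [640, 590]),                  # sharp drop, now below threshold
    Vendor("new-analytics-vendor", "medium", []),             # not yet observed
]

if __name__ == "__main__":
    for name, vendor_alerts in monitor(SAMPLE_VENDORS).items():
        for a in vendor_alerts:
            print(f"[{a.kind}] {name}: {a.detail}")
```

Run as a script it prints two alerts for the payroll provider and two for the print shop; the CDN provider stays quiet. Tying thresholds to criticality rather than using one global cut-off is what keeps the alert volume proportional to the business impact of each supplier, and the separate drop alert is the "movement against these thresholds" signal that prompts a conversation before a critical vendor actually crosses the line.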

It’s a great way of staying on top of emerging risk without waiting for the next periodic assessment and all the work it entails.

Turn your supplier risk management plan into an enabler, not a roadblock


Assessing supply chain risk can seem overwhelming. Before you dive in, develop a plan that takes into consideration frameworks grounded in best practices. Then automate wherever possible. It will save you time, reduce costs, and allow you to scale your supply chain risk management practice with ease.
