Third-party vendors are a vital part of your business ecosystem. But if you’re not careful, these companies can introduce cyber risk. The SolarWinds supply chain hack is a notable example of the jeopardy that even the most trusted partnerships can yield.
But with so many moving parts, creating a supplier risk management plan – and executing on it – can be a challenging and arduous task. According to Gartner, 60% of organizations work with more than 1,000 third-party vendors. That’s a huge pool of companies that require assessment, both at onboarding and throughout the relationship lifecycle.
While there are many cyber risk management frameworks and cybersecurity maturity models that you can reference, it’s hard to know where to start. We have created a template of the main elements you should include in your supplier risk management plan. This will make it easy to begin your vendor assessments in three steps.
A template for your supplier risk management plan
When crafting your plan, there are three key areas to consider:
- Which cybersecurity frameworks you will assess your vendors against
- The most critical questions you should ask them
- How you will continuously monitor supply chain cyber risk
Let’s look at each:
1. Determine the best cyber risk assessment methodologies
Cybersecurity frameworks provide a common language and set of standards for assessing your vendors’ security postures. They are helpful starting points for your plan. There are several frameworks that you can consider but we suggest you start with three:
- CIS Controls: This framework, which was formerly known as the SANS Top 20 or Critical Security Controls, provides a set of security suggestions and protocols that can help guide your organization in improving its security posture. CIS Controls can be a useful addition to your supplier risk management plan. They provide a benchmark for assessing your vendors' security performance, using guidelines that are trusted by many organizations.
- NIST Cybersecurity Framework: Considered the gold standard for assessing cybersecurity maturity, this framework combines a variety of cybersecurity standards and best practices (including CIS Controls) into one understandable document. It’s a useful reference for assessing vendor risk because it incorporates governance and technology considerations, whereas CIS Controls are focused on technology alone.
- Shared Assessments: A trusted source dedicated to developing best practices, education, and tools that drive third-party risk assurance. This organization is best known for its industry-leading vendor risk assessment tool – the Standardized Information Gathering (SIG) Questionnaire. Updated annually, it aligns with 50+ government regulations and industry standards.
2. Identify the critical questions you must ask your vendors
While these cybersecurity frameworks are valuable, there are literally thousands of questions you could mine from them. Knowing which are the most important to your organization isn’t easy.
This guide blends both NIST and CIS Controls frameworks and provides a baseline of the most critical questions you should ask your vendors. For instance:
- Does the vendor conduct drills and exercises to nail down their incident response to a cybersecurity event?
- How do incidents get reported?
- When was the last time they had a cybersecurity assessment performed by a third party?
- What were the results of their most recent penetration test?
Your plan should also include a process for validating responses. But you don’t need to conduct lengthy and costly on-site assessments of each vendor.
Instead, use a tool like Bitsight to verify your suppliers’ security performance. Bitsight can provide an objective, data-driven representation of your vendors’ security postures. For example, Bitsight can identify if a vendor’s IT infrastructure has known security vulnerabilities, compromised systems, or fails to adhere to industry best practices.
3. Plan to continuously monitor your vendors for cyber risk
While cyber security risk assessments and questionnaires are among the most powerful tools for assessing your vendors’ security postures, traditionally, they have only captured a snapshot of risk. In between assessments, vulnerabilities can emerge without your knowledge and put your organization at risk.
That’s why your plan should include a strategy for continuously monitoring your third parties in near real-time – over the lifecycle of the relationship.
This process does not have to be a complex or unwieldy exercise. Using Bitsight for VRM and security ratings, you can automatically and continuously evaluate your vendors for cyber risk.
Start by setting acceptable vendor risk thresholds based on your industry and the criticality of the supplier. Make sure to add those thresholds into your plan.
Once onboarded, monitor your vendors for movement against these thresholds. For instance, if a vendor’s rating falls below a certain score, Bitsight will alert you. With this insight, you can work with the vendor to remediate the issue or determine if a deeper security assessment is required.
It’s a great way of staying on top of emerging risk without waiting for the next periodic assessment and all the work it entails.
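The threshold-and-alert process above, as an added example that is not Bitsight’s code or API: the rating scale, vendor name, criticality tiers, threshold values and daily ratings are all constructed. It alerts only when a rating crosses below its tier’s threshold (not on every day it stays below) and recommends remediation or a deeper assessment depending on how sharp the drop was.

```python
# Added example: threshold-based continuous monitoring of vendor ratings.
# Rating scale (assumed 0-1000), tiers, thresholds and ratings are constructed;
# nothing here calls a real Bitsight API.
from dataclasses import dataclass

# Minimum acceptable rating per supplier criticality tier, as set in the plan.
THRESHOLDS = {"critical": 750, "high": 700, "standard": 600}
# A drop of this size within the lookback window warrants a deeper assessment
# rather than a remediation conversation (assumed policy value).
DEEP_ASSESSMENT_DROP = 80
LOOKBACK_DAYS = 30


@dataclass
class Alert:
    vendor: str
    day: int
    rating: int
    threshold: int
    action: str  # "remediate" or "deeper-assessment"


def monitor(vendor, tier, history):
    """Return one Alert per downward crossing of the tier's threshold.

    history: daily ratings in chronological order. A vendor that recovers
    above the threshold and later drops again is flagged a second time.
    """
    threshold = THRESHOLDS[tier]
    alerts = []
    prev_ok = True  # treat the vendor as acceptable at onboarding
    for day, rating in enumerate(history):
        ok = rating >= threshold
        if prev_ok and not ok:
            # Size the drop against the best rating in the lookback window.
            window = history[max(0, day - LOOKBACK_DAYS):day] or [rating]
            drop = max(window) - rating
            action = "deeper-assessment" if drop >= DEEP_ASSESSMENT_DROP else "remediate"
            alerts.append(Alert(vendor, day, rating, threshold, action))
        prev_ok = ok
    return alerts


# Constructed sample: a critical vendor slips gradually, recovers, then drops sharply.
SAMPLE = [780, 770, 760, 745, 740, 755, 760, 660]

if __name__ == "__main__":
    for alert in monitor("example-hosting-vendor", "critical", SAMPLE):
        print(alert)
```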
Turn your supplier risk management plan into an enabler, not a roadblock
Assessing supply chain risk can seem overwhelming. Before you dive in, develop a plan that takes into consideration frameworks grounded in best practices. Then automate wherever possible. It will save you time, reduce costs, and allow you to scale your supply chain risk management practice with ease.