Following on from the recent issues experienced by The Scottish Borders Council, we have been asked several times about what can be done to build some assurance into supply chain security.
At a very fundamental level, the solution is surprisingly simple: Carry out a security assessment on your supplier. It really is that easy. Visit them, carry out a survey against your own security standards (or ISO27001/27002, ISF SoGP or whatever is applicable for you) and determine if the controls are suitable for the risks the service faces.
Unfortunately, things are rarely that straightforward and there are lots of business realities which make life harder. For example, security departments are frequently under-resourced meaning that carrying out a survey on multiple suppliers simply becomes impossible. Additionally, there needs to be a contractual relationship in place before most suppliers will allow the stones to be properly turned over in a security review but this means if (when?) you find problems its too late – there is already a contract.
The only really workable solution is (as always) to adopt a risk management strategy where suppliers are not all treated equally. The Security Director / CSO / CISO (you do have one, dont you?), or their nominated deputy, should always be involved in bringing on board new suppliers and as early as possible an assessment needs to be made about the level of risk the relationship involves.
While every situation will be different, it is reasonable to suggest that supplier relationships dealing with personal data are higher risk, than ones involving the disposal of keyboard rests and mice pads.
Once the situational risk has been determined it is worth assigning the supplier to a category of security assurance. This gives an easy way of managing resources and prioritising the security teams interest.
Again, the exact breakdown will have to be specific to your organisations goals, risk appetite and approach to security but as a minimum you should consider three categories of supplier:
Category 1: The most important suppliers dealing with the highest risk relationships. Here is a supplier who can, through a security breach or compromise, cause significant harm to your organisation. Every supplier in this category should undergo a security assessment by your security team or a trusted professional. In the event that you find it impossible to carry out supplier assessments yourself, this is a service offered by Halkyn Consulting and our expert security professionals will work with you to determine what your requirements are, and fully assess the supplier in accordance with them. If this of interest, then contact us for further details.
Category 2: The middle-ground suppliers who are not handling the most sensitive information but can still cause harm. This may well be the largest category of suppliers you deal with. There is still a need to have some level of security assurance but they not enough to justify the time and cost of a formal set of site visits. Here you may want to consider providing your supplier with a self-assessment questionnaire which details what controls they have in place and gives you the ability to assess the areas of importance. To assist with this, Halkyn Consulting has provided a template Supplier Security Self Assessment Questionnaire that you can use as is, or modify to suit your needs (an MS Word version is available on request). You must keep in mind the fact that for the questionnaire to have value, there has to be a contractual obligation on the supplier to give truthful answers. You can find more security resources on our downloads page.
Category 3: All the other suppliers who do not pose a significant security risk in their dealings with your company. Although there is a tendency to worry about every supplier, a proper risk management approach will identify lots of situations where you dont really have much to worry about and even the effort of processing a self assessment questionnaire isnt justified. A good example of this is the company that deals with the food waste from your cafeteria – it is hard to envisage a realistic situation where a security compromise from the supplier (not including their behaviour on your site, which is a whole different area) is going to harm your organisation. This is not the same as saying the relationship has zero risk, obviously there are other ways problems can arise (improper disposal, failure to abide by eco-guidelines etc), but these are not within the Security departments remit to manage. For this category of supplier, all you really want to do is make a note of the relationship and what risk assessments have been carried out to categorise them.
Now, as mentioned previously, it is likely that your organisations needs will result in more than the three categories above (and if so, make sure you provide a graduated treatment rather than just increase the categories for the sake of it), but these are the minimum you want to consider.
For long lifespan contracts, it is also worth adding in a review cycle where you repeat the assurance check on an regular basis (for example, a yearly review).
By building this in to your routine processes, and going through the effort of carrying it out, you will have made significant progress towards protecting your business from the security risks that the supply chain presents.