The Center for Internet Security® (CIS) Critical Security Controls is a set of 18 recommended controls and 153 sub-controls (aka “Safeguards”) designed to help IT security teams reduce the impact of cybersecurity incidents. The CIS describes the controls as a “prescriptive, prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and in alignment with all industry or government security requirements.”
Currently on version 8, the 18 CIS Controls and 153 Safeguards are prioritized into three Implementation Groups (IGs): IG1 (essential cyber hygiene, 56 Safeguards), IG2 (IG1 plus 74 additional Safeguards, 130 in total) and IG3 (all 153 Safeguards). Each group builds on the one before it, so an enterprise targeting IG2 implements every IG1 Safeguard as well.
CIS also maps each Safeguard to one of the NIST Cybersecurity Framework security functions, Identify, Protect, Detect, Respond and Recover, to simplify cross-mapping with NIST CSF. These are the five functions of CSF 1.1; CSF 2.0 adds a sixth, Govern, which CIS v8 does not map to.
Two Controls contain guidance that bears directly on third-party risk management: Control 15, Service Provider Management, and Control 17, Incident Response Management. This post shares best practices for speeding and simplifying the implementation of each.
Align Your TPRM Program with CIS Critical Security Controls
Learn about the third-party risk management Safeguards in CIS Controls 15 and 17, and uncover best practices for speeding and simplifying their implementation.
CIS Control 15 calls for a process to evaluate whether the service providers that hold your sensitive data, or that are responsible for critical IT platforms or key processes, are protecting those assets appropriately.
Following are best practices for addressing each of the seven Safeguards (15.1 to 15.7) under Control 15:
15.1 Establish and Maintain an Inventory of Service Providers
Build a centralized service provider inventory by importing vendors from a spreadsheet template or through an API connection to an existing procurement system. Teams throughout the enterprise should be able to add key supplier details through a centralized, customizable intake form with an associated approval workflow, available to anyone by email invitation and without training or tool expertise. Reconcile the inventory periodically against accounts payable records and your identity provider's list of federated SaaS applications, so that providers engaged outside the procurement process still show up.
As providers are centralized, build comprehensive vendor profiles covering company details, fourth-party technologies (the provider's own suppliers and subprocessors), ESG scores, recent business and reputational news, data breach history and recent financial performance.
15.2 Establish and Maintain a Service Provider Management Policy
Key provisions in a service provider management policy should include:
15.3 Classify Service Providers
Conduct a pre-contract due diligence assessment, scored against the following criteria, to capture, track and quantify the inherent risk of every third party:
From this inherent risk assessment, classify and tier suppliers automatically, set the depth of further due diligence each tier requires, and scope ongoing assessments accordingly. Inherent risk is the risk before any provider controls are taken into account; the tier determines how much evidence of those controls you then collect.
15.4 Ensure Service Provider Contracts Include Security Requirements
Centralize the distribution, discussion, retention and review of vendor contracts so that key security requirements are written into the contract, agreed upon, and enforced throughout the relationship with key performance indicators (KPIs). Key capabilities should include:
15.5 Assess Service Providers
Gather and correlate evidence on a wide range of vendor controls to identify threats to information management, with the depth of the assessment set by the criticality tier assigned in the inherent risk assessment. For third parties that submit a SOC 2 report instead of completing a vendor risk assessment, first confirm that the report actually covers the service you consume: check the system description and boundary, the trust services criteria in scope, the review period (a Type II report covers operating effectiveness over a period, a Type I only control design at a point in time), and any subservice organizations carved out of the opinion. Then review the exceptions noted in the test results and the complementary user entity controls (CUECs) the provider expects you to operate, create risk items against the third party for each gap, and track and report on them to closure.
Avoid using spreadsheets to collect and analyze vendor controls information; the approach is highly manual and does not scale beyond a handful of suppliers.
15.6 Monitor Service Providers
Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
Monitoring sources should include:
Collate the results of assessments and continuous monitoring in a single risk register with heat map reporting that scores and categorizes each risk by likelihood and impact. With this view, teams can see the consequences of a risk at a glance and hand third parties ready-made remediation recommendations for mitigating it.
15.7 Securely Decommission Service Providers
Conduct end-of-contract assessments and offboarding procedures to reduce your organization's post-contract exposure. CIS 15.7 itself cites deactivating user and service accounts, terminating data flows, and securely disposing of enterprise data held in the provider's systems as example considerations; your procedures should include:
CIS Control 17 calls for a program to develop and maintain an incident response capability (policies, plans, procedures, defined roles, training and communications) to prepare for, detect and quickly respond to an attack. Control 17 contains nine Safeguards (17.1 to 17.9); the six that this post addresses are:
17.1 Designate Personnel to Manage Incident Handling
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
17.4 Establish and Maintain an Incident Response Process
17.5 Assign Key Roles and Responsibilities
17.6 Define Mechanisms for Communicating During Incident Response
For Control 17, Prevalent recommends best practices focused on centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. These include:
By centralizing third-party incident response into a single enterprise incident management process, your IT, security, legal, privacy and compliance teams can work together effectively to mitigate risks.
The CIS Critical Security Controls provide structure and best practices for mitigating the risk of supply chain cybersecurity attacks. Prevalent offers a central, automated platform for addressing CIS Controls 15 and 17 and scaling your third-party risk management initiatives as part of your broader cybersecurity risk management program. Learn more by downloading the comprehensive CIS Controls Checklist, reading about our solutions for CIS Controls, or scheduling a personalized demonstration today.