Cyber Supply Chain Risk Management (C-SCRM) Best Practices

An effective C-SCRM program can help your organization make informed decisions and select suppliers that take cybersecurity and compliance seriously.
Alastair Parr
Senior Vice President, Global Products & Services
September 19, 2022

While your organization may invest significant resources into its IT security program, it can still be enormously challenging to secure your cyber supply chain against third-party data breaches, ransomware attacks, and other security risks. This task gets even more difficult as your supply chain becomes more complex or relies heavily on overseas partnerships.

How can you gain visibility into risks posed by the third, fourth and Nth parties in your extended supply chain, while ensuring that your suppliers have the security controls necessary to protect your business? This article will get you started by sharing some best practices for building a more effective and efficient cyber supply chain risk management (C-SCRM) program.

What Is Cyber Supply Chain Risk Management (C-SCRM)?

Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, analyzing and mitigating vulnerabilities, data exposures, and other security gaps that threaten an organization’s ability to deliver information technology (IT) or operational technology (OT) products and services.

Managing cyber risk in your supply chain requires not only securing your organization against direct attacks, but also mitigating the risk of third-party and Nth-party data breaches that could disrupt your business.

Supply chain risk is now a board-level concern for many organizations. This is no surprise, considering the following statistics from a recent Prevalent study:

  • 45% of organizations experienced a third-party data or privacy breach in the past 12 months
  • 54% of respondents reported a supply chain disruption
  • 55% reported a compliance violation related to a lack of third-party oversight

An effective C-SCRM program can help your organization make informed decisions and select suppliers that take cybersecurity and compliance seriously.

Examples of Cyber Supply Chain Risks


Ransomware is malicious software that prevents access to compromised computer systems, encrypts files on the systems, or threatens the release of sensitive stolen data unless money is paid to the attacker. While ransomware has been around for decades, technological advances have enabled criminal actors to attain new levels of scale and sophistication. Instead of mainly targeting SMBs to extort small sums as they did in the past, attackers are now targeting large corporations that are linchpins of global supply chains.

It’s no surprise that ransomware has been a major news topic. One example related to C-SCRM is last year's Kaseya breach, which led to ransomware attacks against thousands of businesses through the company’s remote monitoring and management (RMM) tool.

Software Vulnerabilities

Using software with known vulnerabilities or having poor visibility into a software vendor’s security practices can leave your organization vulnerable to significant disruptions, data breaches and downtime. Take for example the 2020 SolarWinds Breach, which left thousands of organizations and government entities exposed to malicious actors for months.

Physical and Virtual IT Access

Physical and virtual IT access is one of the most obvious channels through which supply chain compromises can occur. Numerous companies have been hacked as a result of contractors that initially appeared to have low levels of profiled risk. However, because these contractors had physical access to facilities and IT systems, malicious actors were able to leverage them as trojan horses to gain access to enterprise clients.

Stolen Credentials

In many cases, cybercriminals don’t directly steal data when they exploit a company’s email accounts or networks. Instead, they sell compromised usernames and passwords on the dark web for Bitcoin or other cryptocurrency. This reduces risk for the criminal since they can immediately monetize the stolen credentials without the work of breaking into individual accounts.

Recently, ransomware groups operating on the dark web have begun posting information about their victims publicly to pressure the victim organization to pay a ransom. Monitoring these forums and blogs can provide early warning of potential data breaches that may affect data shared throughout your supply chain.

Compliance Violations

According to a recent Prevalent study, 55% of organizations reported a compliance violation related to a lack of third-party oversight. Organizations are increasingly expected to not only secure personally identifiable information (PII) within their own organization, but also proactively ensure that third parties are securing customer data and other sensitive information. Applicable regulations include CCPA, GDPR, CMMC, PCI DSS and several others.


Cyber Supply Chain Risk Management (C-SCRM) Best Practices

It’s time-consuming enough to source solutions that fit your organization’s functional and business requirements. Evaluating a potential supplier’s cybersecurity posture introduces additional complexity and uncertainty into the sourcing and selection process.

That’s why it’s essential to start your relationship with a potential supplier by conducting pre-contract due diligence in line with your RFIs, RFPs and other RFx processes. Cybersecurity insights to seek at this early stage of the supplier relationship should include:

  • Data breach history and disclosures, to help determine whether the vendor is vulnerable to cyber attacks
  • Fourth-party technologies in use, to gain visibility into technology concentration risk and uncover peripheral technologies that could provide backchannels to your organization

Incorporating these insights into your RFx process will ensure not only that a selected solution is fit for purpose, but also that the supplier behind the solution doesn’t expose your organization to unnecessary risk.

Build Security Requirements into Supplier Contracts

Many organizations fail to consider that they may be able to mandate cybersecurity controls in contracts. SLAs and other contractual agreements can require third and fourth parties to implement or maintain cybersecurity controls to protect your organization's sensitive data.

Understand Profiled, Inherent and Residual Vendor Risk

Understanding the different types of supplier risk can enable you to make data-based decisions on how to apply vendor risk questionnaires, as well as to accurately compare suppliers based on measurable risk. At Prevalent, we categorize supplier risk into three types:

  • Profiled Risk: Profiled risk applies to the category of product or service a supplier provides to your organization. For instance, a managed service provider (MSP) with access to your IT environment poses far more profiled risk than a cleaning contractor would.
  • Inherent Risk: Inherent risk is the amount of risk a supplier poses prior to implementing security controls required by your organization. Inherent risk is calculated for specific companies based on risk assessments and risk monitoring data.
  • Residual Risk: Residual risk is the risk that remains after a supplier has taken remediation or mitigation actions. Your risk management team will need to determine whether residual risks are acceptable or not.

Utilize Vendor Risk Questionnaires & Repositories

Vendor risk questionnaires can provide visibility into a supplier’s cybersecurity controls and help to avoid compliance violations. You can dramatically speed the supplier due diligence process by tailoring your questionnaires according to inherent risk and mapping answers to cybersecurity regulations applicable to your organization.

You should also consider segmenting questionnaires based on industry, service level, and/or level of system access. For instance, a software vendor might require a substantially different questionnaire than an onsite HVAC contractor. Effective use of vendor risk questionnaires can simplify compliance, streamline vendor onboarding, and provide visibility into the extended supply chain.

Using a third-party risk management platform can help to automate the process and reduce the time required to assess suppliers. In addition, subscribing to a vendor risk intelligence network is a cost-effective way to gain access to thousands of already-completed assessments and add scale to sourcing, selection, onboarding and inherent risk scoring.

Bonus Tip: When designing your vendor risk assessment questionnaires, include questions about fourth and Nth parties to gain visibility into risks deeper into the supply chain. Even if your third party has sound cybersecurity controls, one of its vendors could still trigger a data breach that ultimately impacts your organization.

Practice Continuous Monitoring Throughout Your Cyber Supply Chain

Practicing continuous third-party monitoring can help you to identify new vulnerabilities, data breaches and other security exposures affecting suppliers. Monitoring enables you to stay on top of risks that may emerge between periodic, questionnaire-based assessments. A strong cyber risk monitoring solution can provide intelligence from criminal forums, onion pages, dark web special access forums, threat feeds, paste sites, security communities, code repositories, vulnerability databases, and other sources.

In addition to providing early warning of potential incidents that could impact your organization, continuous monitoring can validate whether the controls reported in a supplier’s assessment responses are in place and functioning as intended.

Don’t Forget Fourth and Nth Parties

Unlike with physical goods, it can be difficult to track how your organization's information is stored and shared throughout your extended supply chain. Each organization in your cyber supply chain likely works with dozens or even hundreds of software companies, outsourced IT contractors, and other third parties – several of which could have access to your company's information. The last thing that a CISO or CIO wants to hear is that the organization has been exposed to a data breach because of an Nth-party vendor's negligence.

Below are a few best practices you can use when evaluating and mitigating fourth-party risk.

Identify Mission-Critical Vendors in Your Cyber Supply Chain

Building an effective C-SCRM program requires prioritizing which vendor risk to focus on. The average organization works with innumerable third, fourth and Nth parties. Finding every risk in the extended supply chain of each vendor is impossible. When working to get visibility into your fourth- and Nth-party cyber supply chain, start by focusing on the most important vendors based on their inherent risk scores. When prioritizing, consider:

  • What level of access does the vendor have to regulated data such as PII, PFI, PHI and, where applicable, classified or controlled unclassified information?
  • Is the vendor a software provider? If so, where are they hosting the organization's data and what security controls does the data center have?
  • Does the vendor have its own cyber supply chain risk management program in place? If so, are they able to produce a report on their cyber supply chain risk?
  • Does the organization base its information security and third-party risk management programs on widely accepted frameworks?

Map Your Extended Cyber Supply Chain

Building a comprehensive map of your supply chain, complete with dependencies and risk tiering, can enable you to get the visibility you need to make effective risk mitigation decisions. First, you need to ensure that you are gathering the necessary data. Questions regarding fourth and Nth parties in your extended supply chain should be standard on all vendor risk assessment questionnaires.

Once you have a good understanding of your third- and fourth-party ecosystem, you can identify vendors that may present single points of failure or unacceptable levels of information security risk. Here are some remediation suggestions if a fourth or Nth party is deemed to be high-risk:

  • Request to update your contract with the relevant third party to limit data sharing or access to IT infrastructure with the high-risk fourth party
  • Request additional information about the fourth party’s security controls and infrastructure
  • Consider alternative third-party suppliers when contracts are up for renewal
  • Work with the internal department associated with the third party to implement safeguards and limit sensitive data sharing
  • Conduct continuous monitoring of the fourth party to reduce the risk of a compromise that could ultimately affect your organization
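The prioritization questions above and the mapping step both assume you hold the extended supply chain as data you can query: which direct vendors lead to which sub-vendors, how deep each one sits, and where regulated data could flow. The following is an added example (not code from the article or from Prevalent) that models a constructed vendor ecosystem as a directed graph, assigns each vendor its tier (third, fourth, Nth party) by breadth-first search, flags sub-vendors reachable through more than one direct supplier as concentration points (the single points of failure the section describes), and computes worst-case transitive exposure of the data categories shared with each third party. Every vendor name, relationship and data category is a constructed assumption.

```python
"""Added example: map an extended cyber supply chain as a graph and flag
concentration risk and transitive data exposure.

All vendor names, relationships and data categories below are constructed
sample data, not real organizations.
"""
from collections import defaultdict, deque

# Constructed sample ecosystem: each vendor lists the sub-vendors it shares
# data or infrastructure with. "ACME Corp" is the assessing organization.
RELATIONSHIPS = {
    "ACME Corp": ["Payroll SaaS", "Managed SOC", "HVAC Contractor"],
    "Payroll SaaS": ["CloudHost A", "Email Relay X"],
    "Managed SOC": ["CloudHost A", "Ticketing Tool"],
    "HVAC Contractor": [],
    "CloudHost A": ["DNS Provider Z"],
    "Email Relay X": [],
    "Ticketing Tool": ["CloudHost A"],
    "DNS Provider Z": [],
}

# Constructed: regulated data categories each direct (third-party) vendor
# receives from ACME Corp. The HVAC contractor receives none.
DATA_SHARED = {
    "Payroll SaaS": {"PII", "PFI"},
    "Managed SOC": {"PII"},
    "HVAC Contractor": set(),
}


def build_graph(relationships):
    """Adjacency dict; guarantees every vendor mentioned has a node."""
    graph = defaultdict(list)
    for vendor, subs in relationships.items():
        graph[vendor]  # create the node even if it has no sub-vendors
        for sub in subs:
            graph[vendor].append(sub)
            graph[sub]
    return dict(graph)


def tier_of(root, graph):
    """Shortest-path depth from the root: 1 = third party, 2 = fourth party,
    3 and beyond = Nth party. Uses BFS so each vendor gets its nearest tier."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        vendor = queue.popleft()
        for sub in graph[vendor]:
            if sub not in depth:
                depth[sub] = depth[vendor] + 1
                queue.append(sub)
    return depth


def reachable_via(root, graph):
    """For each downstream vendor, the set of direct third parties whose
    chains lead to it (cycle-safe depth-first walk per third party)."""
    via = defaultdict(set)
    for third in graph[root]:
        stack, seen = [third], set()
        while stack:
            vendor = stack.pop()
            if vendor in seen:
                continue
            seen.add(vendor)
            via[vendor].add(third)
            stack.extend(graph[vendor])
    return dict(via)


def concentration_points(root, graph, min_paths=2):
    """Sub-vendors reachable through at least `min_paths` distinct third
    parties: an outage or breach there hits several suppliers at once."""
    via = reachable_via(root, graph)
    return sorted(v for v, thirds in via.items() if len(thirds) >= min_paths)


def data_exposure(root, graph, data_shared):
    """Worst-case view: data given to a third party may reach everything
    downstream of it, so each vendor inherits the union of those categories."""
    exposure = {}
    for vendor, thirds in reachable_via(root, graph).items():
        categories = set()
        for third in thirds:
            categories |= data_shared.get(third, set())
        exposure[vendor] = categories
    return exposure


if __name__ == "__main__":
    graph = build_graph(RELATIONSHIPS)
    tiers = tier_of("ACME Corp", graph)
    for vendor, tier in sorted(tiers.items(), key=lambda kv: kv[1]):
        print(f"tier {tier}: {vendor}")
    print("concentration points:", concentration_points("ACME Corp", graph))
    for vendor, cats in sorted(data_exposure("ACME Corp", graph, DATA_SHARED).items()):
        print(f"{vendor}: {sorted(cats)}")
```

On the constructed data, "CloudHost A" is reached through both the payroll provider and the managed SOC, so it is a fourth party carrying PII and PFI exposure from two separate contracts; "DNS Provider Z" sits a tier deeper but inherits the same concentration. Those are exactly the vendors the remediation list above would target for contract limits, additional evidence requests, or continuous monitoring.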

Periodically Reassess Supplier Risk

Risks are constantly emerging and evolving, so limiting critical suppliers to a single, point-in-time risk assessment is not enough. Be sure to reassess risk at multiple points throughout the lifecycle of the contract to ensure that residual risk hasn’t risen beyond acceptable levels. Here are some questions to consider:

  • Does your C-SCRM program conduct risk assessments throughout the lifecycle of the contract or just once at the beginning?
  • Are the scope and cadence of risk assessments determined based on risk findings from the vendor onboarding process?
  • Are you able to effectively integrate changes in the vendors' residual risk profile into your broader third-party risk management workflow?
  • Do you evaluate fourth- and Nth-party risk as part of your standard risk assessments?

Implement a Supplier Incident Response Plan

Premeditatio malorum – Latin for “the premeditation of evils and troubles that might lie ahead.” Or, to put it more plainly – plan for the worst! Unwanted supplier cyber events will happen. However, your organization’s level of preparation for those events can mean the difference between a severe disruption and a mild disturbance.

Effective incident management (IM) and C-SCRM go hand-in-hand. For example, identifying your third, fourth and Nth parties enables effective incident management – considering as many as half of all incidents originate with vendors. Supplier and subcontractor contracts need to include IM/breach notification requirements within a fixed timeframe (e.g., 24 hours) after a major incident is identified. Validating your supplier IM processes and contacts, along with periodic testing, can help to ensure operational readiness to respond to and resolve incidents.

Maintain Diligence During Offboarding

Many companies spend significant time on vendor due diligence, risk questionnaires, and mapping compliance requirements but fail to plan for the end of the relationship – when many security exposures occur. That’s why vendor offboarding is just as important as vendor onboarding. Failure to successfully offboard vendors and ensure that sensitive data has been destroyed and that IT access has been revoked can result in:

  • Compliance issues if a contract has expired and the vendor still has access to IT systems
  • Potential data breaches if a vendor has stored PII or PHI of your employees or customers
  • Insider threats when contractor employees retain access to data and systems


C-SCRM Resources

There are several cyber supply chain risk management resources that you can look to when building or evaluating your program. Prominent resources include those published by the National Institute of Standards and Technology (NIST) and other government agencies, regulatory bodies, and private industry groups. Here are a few useful resources:

NIST Special Publication 800-161 r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

NIST SP 800-161 is a cyber supply chain risk management framework that can help your organization build and mature its C-SCRM program. NIST 800-161 provides detailed guidance on how to incorporate a C-SCRM program into your broader enterprise risk management strategy and covers critical success factors for building an effective C-SCRM program. NIST 800-161 controls are broken into 20 families ranging from access control to incident response.

NIST C-SCRM Risk Exposure Framework

Appendix A of NIST SP 800-161 Rev 1 includes a risk exposure framework with detailed guidance for identifying potential Supply Chain Threat Scenarios. NIST defines a threat scenario as “a set of discrete threat events associated with a specific potential or identified existing threat source or multiple threat sources, partially ordered in time.” NIST’s Risk Exposure Framework enables you to identify and assign risk to various supply chain threat scenarios, and to incorporate these findings in your broader third-party risk assessment approach.

NIST C-SCRM Templates

Appendix D of NIST 800-161 r1 provides several templates for documenting your C-SCRM program, including implementation plans, compliance initiatives, strategic objectives, roles and responsibilities, and implementation milestones. These templates are invaluable for outlining a new C-SCRM program or enhancing your existing program with supporting documentation.

NIST Software Security Supply Chain Guidance

NIST published its Software Security Supply Chain Guidance in response to the requirements of Executive Order (EO) 14028 Section 4E on Improving the Nation’s Cybersecurity. The document is geared towards federal agencies, but many of the same practices can be employed by corporations seeking to mitigate cyber risks in their extended supply chains.

Security Measures for “EO-Critical Software”

Security Measures for EO Critical Software is another NIST document created in response to Executive Order 14028. NIST defines EO critical software as:

… any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges;
  • has direct or privileged access to networking or computing resources;
  • is designed to control access to data or operational technology;
  • performs a function critical to trust; or,
  • operates outside of normal trust boundaries with privileged access. (Source)

The Security Measures document is intended principally for federal agencies, but it can easily be reused by private-sector entities. The document identifies software categories that should be considered “EO Critical,” which can help you to flag potentially high-risk suppliers during the profiling and tiering stage.

NIST Guidelines on Minimum Standards for Developer Verification of Software

This NIST document lays out specific guidelines for federal agencies to verify the security of software being used. This includes the following verification techniques that should form the basis for identifying risks:

  • Threat modeling to identify design-level security issues
  • Automated testing for consistency and to minimize human effort
  • Static code scanning to reveal bugs
  • Heuristic tools to look for possible hardcoded secrets
  • Use of built-in checks and protections
  • “Black box” test cases
  • Code-based structural test cases
  • Historical test cases
  • Fuzzing
  • Web application scanners, if applicable
  • Address included code (libraries, packages, services)
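Of the verification techniques listed above, the one most often applied to a supplier's deliverable during onboarding is the heuristic search for hardcoded secrets. The following is an added example (not code from the article, from NIST, or from Prevalent) of how such a heuristic scanner works: it combines a fixed-format pattern rule, a keyword-assignment rule with a placeholder allowlist, and a Shannon-entropy check on long quoted strings, and runs them over a constructed snippet of source. The sample source lines, the pattern list and the entropy threshold are all constructed assumptions; the access-key format used here is the well-known `AKIA` prefix followed by 16 uppercase alphanumerics, with a made-up value.

```python
"""Added example: a small heuristic scanner for hardcoded secrets, in the
spirit of the "heuristic tools" verification technique. Rules, threshold
and sample input are constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample source file. Line 2 reads the secret from the
# environment (good); line 3 embeds a made-up access key id; line 4 is an
# obvious placeholder; line 5 is a high-entropy literal; line 6 is a long
# but low-entropy literal that a naive length check would false-positive on.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "AKIAABCDEFGHIJKLMNOP"
slack_token = "changeme"
SECRET = "s3cr3t-Kp9Qv2Lm8Xz4Rt7Wd1Yb6Nh3Jf5Gc0"
BANNER = "========================================"
"""

# Fixed-format rules: identifiers whose shape alone is a strong signal.
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Keyword rule: a secret-like name assigned a quoted literal of 8+ chars.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*(['\"])([^'\"]{8,})\2"
)

# Values that are clearly placeholders rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)changeme|example|placeholder|todo|xxx")

# Any quoted literal of 20+ non-space characters is a candidate for the
# entropy check.
QUOTED_STRING = re.compile(r"['\"]([^'\"\s]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed cut-off


def shannon_entropy(value):
    """Bits of entropy per character of `value`."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return a list of findings: {line, rule, match[, entropy]}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERN_RULES:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": name, "match": m.group(0)})
        m = GENERIC_ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.search(m.group(3)):
            findings.append({"line": lineno, "rule": "generic_assignment",
                             "match": m.group(0)})
        for m in QUOTED_STRING.finditer(line):
            entropy = shannon_entropy(m.group(1))
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high_entropy_string",
                                 "match": m.group(1), "entropy": round(entropy, 2)})
    return findings


def flagged_lines(text):
    """Distinct line numbers with at least one finding, ascending."""
    return sorted({f["line"] for f in scan_source(text)})


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
    print("flagged lines:", flagged_lines(SAMPLE_SOURCE))
```

The placeholder allowlist and the entropy threshold are where such tools earn or lose trust: without the allowlist, line 4 is a false positive; without the entropy check, a long banner string like line 6 would be flagged by any length-based rule, and a secret with an unremarkable variable name would be missed. Findings from a tool like this are evidence to raise with the supplier, not proof of a live credential.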

HHS C-SCRM Guidance

The U.S. Department of Health and Human Services published a presentation on maturing a C-SCRM program. The presentation provides a high-level overview of C-SCRM best practices based on NIST and covers specific controls and control families that should be implemented as part of a holistic C-SCRM program.

Concerned About Cyber Supply Chain Risk Management? Prevalent Can Help.

Third-party cyber risk is growing exponentially. Prevalent provides an easy-to-use platform that enables you to automate supplier risk assessment questionnaires, assign risk scores to suppliers, monitor risk and changes over time, and manage and report on supplier risk. Using a dedicated TPRM platform can automate the supplier risk management lifecycle and enable your team to focus on reducing organizational risk. To see how Prevalent can help you manage supply chain risk, request a demo today.

Alastair Parr
Senior Vice President, Global Products & Services

Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders, and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background, developing and driving solutions to the ever more complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.

Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.
