
Center for Internet Security (CIS) Critical Security Controls Compliance

The CIS Controls and Third-Party Risk Management

The Center for Internet Security® (CIS) Critical Security Controls is a set of 18 recommended controls and 153 sub-controls (aka “Safeguards”) designed to help IT security teams reduce the impact of cybersecurity incidents.

The 18 CIS Controls and 153 Safeguards are prioritized into three Implementation Groups (IGs):

  • IG1 includes Safeguards considered “essential cyber hygiene” by CIS and “should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks”
  • IG2 includes Safeguards aimed at teams dealing with increased operational complexity
  • IG3 includes Safeguards meant to address sophisticated cyberattacks

CIS classifies each Safeguard by NIST Cybersecurity Framework function to simplify cross-mapping with the five core NIST functions: Identify, Protect, Detect, Respond and Recover.

There are two primary controls related to third-party risk management (TPRM) – Control 15: Service Provider Management and Control 17: Incident Response Management. The Prevalent TPRM Platform makes it easy to speed and simplify the implementation of the Safeguards for each control.

Relevant Requirements

  • Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately

  • Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack

Align Your TPRM Program with CIS Critical Security Controls

Learn about the third-party risk management Safeguards in CIS Controls 15 and 17, and uncover best practices for speeding and simplifying their implementation.


Addressing CIS Control 15: Service Provider Management

Control 15 Overview: “Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.”

Safeguard How We Help

15.1 Establish and Maintain an Inventory of Service Providers

Security function: Identify
IG1,2,3

“Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.”

Prevalent enables organizations to build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise can populate key supplier details with a centralized and customizable intake form and associated workflow. This is available to everyone via email invitation, without requiring any training or solution expertise.

As all service providers are being centralized, teams can create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

15.2 Establish and Maintain a Service Provider Management Policy

Security function: Identify
IG2,3

“Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

As part of this process, Prevalent can help you define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Vendor classification and categorization
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Fourth-party mapping
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

15.3 Classify Service Providers

Security function: Identify
IG2,3

“Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.”

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. The criteria are:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically classify and tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

15.4 Ensure Service Provider Contracts Include Security Requirements

Security function: Protect
IG2,3

“Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.”

Prevalent centralizes the distribution, discussion, retention and review of vendor contracts and offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. This ensures that key security requirements are built into the vendor contract, agreed upon, and enforced throughout the relationship with key performance indicators (KPIs).

Key capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

15.5 Assess Service Providers

Security function: Identify
IG2,3

“Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.”

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments – including for PCI – customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

For third parties that submit a SOC 2 report instead of a completed vendor risk assessment, Prevalent reviews the list of control gaps identified within the SOC 2 report, creates risk items against the third party within the Platform, and tracks and reports against deficiencies.
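The four Safeguards above (15.1 inventory with a named contact and annual review, 15.3 rule-based classification, 15.4 required contract clauses, 15.5 assessment scope by tier and annual reassessment) are easiest to enforce as automated checks over the inventory itself. The following script is an added example and is not Prevalent's or CIS's code: the criterion weights, tier thresholds, required-clause names, sample vendors and review date are all constructed assumptions that you would replace with the values in your own service provider management policy.

```python
"""Inventory-driven checks for CIS Safeguards 15.1, 15.3, 15.4 and 15.5.

Added example, not Prevalent's or CIS's code. Weights, thresholds,
clause names and the sample vendor records below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# The eight inherent-risk criteria named above, each scored 0..3 at intake.
# Weights are an assumption, not a CIS-prescribed value.
CRITERIA_WEIGHTS = {
    "evidence_required": 1, "business_criticality": 3, "jurisdiction": 1,
    "fourth_party_reliance": 2, "operational_exposure": 2,
    "protected_data": 3, "financial_health": 1, "reputation": 1,
}
# Contract clauses Safeguard 15.4 lists as example requirements.
REQUIRED_CLAUSES = {"min_security_program", "breach_notification",
                    "encryption", "data_disposal"}
MAX_AGE = timedelta(days=365)   # Safeguards require annual review at minimum
REVIEW_DATE = date(2024, 9, 1)  # constructed "today" for the sample run


@dataclass
class Vendor:
    name: str
    owner: str                       # designated enterprise contact (15.1)
    criteria: Dict[str, int]         # criterion -> score 0..3
    contract_clauses: Set[str]
    last_inventory_review: date
    last_assessment: Optional[date]
    soc2_report: bool = False


def inherent_risk_score(v: Vendor) -> int:
    """Weighted sum over the eight criteria; an unscored criterion counts 0."""
    return sum(w * v.criteria.get(c, 0) for c, w in CRITERIA_WEIGHTS.items())


def tier(v: Vendor) -> int:
    """Rule-based tiering (15.3). Assumed rule: high criticality combined
    with protected-data access is Tier 1 regardless of the total score."""
    if v.criteria.get("protected_data", 0) >= 2 and v.criteria.get("business_criticality", 0) >= 2:
        return 1
    score = inherent_risk_score(v)        # maximum possible is 42
    return 1 if score >= 25 else 2 if score >= 12 else 3


def assessment_scope(v: Vendor) -> str:
    """15.5: scope follows classification. Assumed policy: Tier 1 always gets
    a full questionnaire; lower tiers may substitute a SOC 2 gap review."""
    t = tier(v)
    if t == 1:
        return "full questionnaire + evidence review"
    if v.soc2_report:
        return "SOC 2 gap review"
    return "standard questionnaire" if t == 2 else "lightweight questionnaire"


def findings(v: Vendor, today: date) -> List[str]:
    """Return the Safeguard gaps for one vendor as of `today`."""
    out = []
    if not v.owner:
        out.append("15.1: no enterprise contact designated")
    if today - v.last_inventory_review > MAX_AGE:
        out.append("15.1: inventory entry not reviewed in 12 months")
    missing = REQUIRED_CLAUSES - v.contract_clauses
    if missing:
        out.append(f"15.4: contract missing {sorted(missing)}")
    if v.last_assessment is None or today - v.last_assessment > MAX_AGE:
        out.append(f"15.5: reassessment overdue (scope: {assessment_scope(v)})")
    return out


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "hr-ops",
           {"evidence_required": 2, "business_criticality": 3, "jurisdiction": 2,
            "fourth_party_reliance": 2, "operational_exposure": 2,
            "protected_data": 3, "financial_health": 1, "reputation": 1},
           {"breach_notification", "encryption"}, date(2024, 1, 10), date(2023, 3, 1)),
    Vendor("office-plants", "facilities", {"business_criticality": 0, "protected_data": 0},
           set(REQUIRED_CLAUSES), date(2024, 6, 1), date(2024, 6, 1)),
    Vendor("cdn-provider", "",
           {"business_criticality": 2, "protected_data": 1,
            "operational_exposure": 3, "fourth_party_reliance": 3},
           set(REQUIRED_CLAUSES), date(2024, 5, 1), None, soc2_report=True),
]


def review_inventory(vendors=SAMPLE_VENDORS, today=REVIEW_DATE):
    """Tier every vendor and list its open Safeguard findings."""
    return {v.name: {"tier": tier(v), "findings": findings(v, today)} for v in vendors}


if __name__ == "__main__":
    for name, result in review_inventory().items():
        print(name, "tier", result["tier"], result["findings"] or "no findings")
```

The sample run flags the payroll provider (Tier 1) for two missing contract clauses and an 18-month-old assessment, and the CDN provider (Tier 2) for having no designated contact and no assessment on record, while the low-risk vendor passes cleanly. Running this on a schedule against the real inventory export turns the "review annually" language of 15.1 and 15.5 into a concrete, auditable exception list.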

15.6 Monitor Service Providers

Security function: Detect
IG3

“Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context into cyber findings:

  • 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
  • A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
  • 30,000 global news sources
  • A database containing over 1.8 million politically exposed person profiles
  • Global sanctions lists and over 1,000 global enforcement lists and court filings

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

15.7 Securely Decommission Service Providers

Security function: Protect
IG3

“Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.”

The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

  • Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
  • Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
  • Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
  • Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

Align Your TPRM Program with ISO, NIST, SOC 2 and More

Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.


Addressing CIS Control 17: Incident Response Management

Control 17 Overview: “Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.”

Safeguard How We Help

17.1 Designate Personnel to Manage Incident Handling

Security function: Respond
IG1,2,3

“Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

17.2 Establish and Maintain Contact Information for Reporting Security Incidents

Security function: Respond
IG1,2,3

“Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.”

17.3 Establish and Maintain an Enterprise Process for Reporting Incidents

Security function: Respond
IG1,2,3

“Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

17.4 Establish and Maintain an Incident Response Process

Security function: Respond
IG2,3

“Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

17.5 Assign Key Roles and Responsibilities

Security function: Respond
IG2,3

“Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

17.6 Define Mechanisms for Communicating During Incident Response

Security function: Respond
IG2,3

“Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

By centralizing third-party incident response in a single system guided by a single enterprise incident management process, IT, security, legal, privacy, and compliance teams can work in unison to mitigate risks.
