NIST Update: Managing Supply Chain Cybersecurity Risks
Every organization faces risks when outsourcing their processes to third parties. Inadequate security practices frequently leave vendors vulnerable, which can have devastating effects on an organization’s supply chain.
These risks are associated with an organization’s lack of visibility and understanding of how the acquired technology or services are developed, integrated, and deployed, as well as the quality of third party processes and procedures in managing their cybersecurity.
Understanding, evaluating and monitoring the security practices of suppliers is not a simple endeavor. Not only is it time-consuming, but it also requires a comprehensive understanding of cybersecurity, data privacy, and resilience, in addition to audit methodologies.
This responsibility is typically assigned to procurement or compliance departments that lack the expertise to ensure a sufficient level of investigation. These departments often struggle when evaluating RFC candidates or technical suppliers.
NIST has recently published Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161r1), which describes the steps for establishing a program to manage third-party risks.
Some of the key elements described by NIST are:
Establishing a dedicated multidisciplinary team for Cybersecurity Supply Chain Risk Management (C-SCRM).
Establishing an enterprise governance structure that integrates C-SCRM requirements and incorporates them into enterprise policies.
Developing a process for identifying and measuring the criticality of the enterprise’s suppliers, products, and services.
Implementing an appropriate and tailored set of baseline information security controls.
NIST also recommends the use of third-party assessment surveys and on-site visits to assess the security capabilities and practices of critical suppliers.
Having enough certainty about your suppliers’ level of security and compliance can be quite challenging.
This is why Supplier Shield™ was born: a complete outsourcing service developed to support your organization with third-party security management.
It is the brainchild of a group of security, data privacy and resilience expert auditors who are fully aware of the complexity and effort required to implement an adequate level of third-party monitoring.
Beyond evaluating your suppliers, it also provides you with a comfortable monitoring interface and eases communication and follow-up with third parties, whether you need an instant overview of your supply chain or want to take a deep dive into any supplier.
Secure the integrity of your supply chain. Contact us for a demo!