This week, I had a conversation with a new client who revealed that they are eager to solve various internal problems relating to their IT systems. They explained how their company has been negatively impacted by service failures and delays over the previous 12 months.
I inquired further about this, looked into their dealings with the provider, and discovered what research they had done on the supplier before hiring them. Their response was both pretty frightening and fairly normal.
Well, we’ve worked with them since we originally launched the company a few years ago, so we’ve basically grown up together.
I wholeheartedly agree that we shouldn’t change only for the sake of changing; nevertheless, we also need to build stronger relationships with our suppliers, particularly when they offer such vital services.
Knowing you, knowing me.
Supplier relationships have always been one of the main tenets of ISO27001, and they are now even more so. The controls for ISO27002:2022 have also been updated to include new requirements in the new Annex A. Thus, ISO27001:2022 demands that
- Information security in supplier relationships.
- Addressing information security within supplier agreements.
- Managing information security in the ICT supply chain.
- Monitoring, reviewing, and change management of supplier services.
The standard has been updated to incorporate a new requirement for “Information Security for the use of Cloud Services” in recognition of the fact that the cloud has grown to be a major supplier for many organizations (A5.23).
You should be aware that the tenth criterion of the PCI DSS payment card standard mandates that you “Log and monitor all access to system components and cardholder data.” If the PCI DSS standard is of greater relevance to you. This entails more than merely keeping an eye on your personal use of network resources and cardholder information.
Because I want to understand the extent of access that the organization has allowed to that third party, I frequently want to examine the service agreements for companies that have support contracts with IT providers.
For instance, does the IT service provider have unrestricted access to the networks of its customers at all times for support needs? Or do they need to ask for permission? In the majority of cases, giving the IT provider total authority over the network in order to help the client makes perfect sense. However, this also exposes the client to further risks due to the potential for problems impacting the supplier to damage their systems.
Not Just IT
To be clear, whatever your important suppliers are, you need to evaluate their security capabilities based on the danger to your organization. This is not just an attack on IT vendors.
The IT Managed Service Provider (MSP) is frequently the main focus for obvious reasons. But on whom do you also rely on to run your company? How much access to your data do they have, and may this endanger your brand or business?
It’s getting hot in here!
The world’s largest computer manufacturer at the time, Dell Corporation, was forced to recall millions of laptops in 2006 over concerns that they would catch fire. More than 4 million batteries were deemed potential risks, making it the greatest product recall in the consumer electronics sector.
Since then, numerous incidents involving Dell laptops catching fire have been reported. Whatever the reason, it is clear that a different manufacturer provided the batteries to Dell. This is a prime illustration of how a supplier can affect a client’s reputation in the real world (Dell).
Cyber Due Diligence
When it comes to information security, it’s important to always go back to the beginning and keep in mind that the main goal of the field is to:
- Confidentiality of data.
- The integrity of data.
- Availability of data.
In light of this, when was the last time you finished evaluating your suppliers in light of these three principles?
When you let a supplier into your company, you are putting your trust in the reliability of their operations. How do you know, though? Have you done your homework thoroughly?
This is crucial whether you’re selecting a cleaning service or a supplier of goods or services, such as cybersecurity and outsourced IT.
Have you enquired about their employee screening procedures? How do they evaluate effectiveness? What actions do they take in terms of security? How is your data protected by them? Your data is accessible to whom? Who is the person you can reach? What do any concerns’ Service Level Agreements say? How are data breaches handled there?
All of these are reasonable inquiries to make of any supplier. It would be best if you also asked more in-depth inquiries about your data centers and cybersecurity firms.
Here are some queries you should put to your data center hosting provider right now:
- What certificates of information do they possess?
- Are they ISO27001 certified by UKAS? What is the scope if so?
- Are they completely accredited to the 12 PCI-DSS requirements?
- Are they 20000, 45001, or ISO 9001 certified?
- What more credentials do they possess? (You may need SOC if you work with the USA.)
- When was the most recent penetration test performed, and were all issues resolved?
- In the past year, were there any data breaches?
These are your opening inquiries to get you going. Even if you utilize one of the well-known commercial services, it is simple to find their certifications of conformity online or by asking your account representative.
No such thing as 100% secure
Some of the privacy laws also take into account third-party security. For instance, the GDPR and the California Consumer Privacy Protection Act (CCPA) both mandate third-party security. This is what GDPR Article 24 states:
“Where the processing is to be carried out on a controller’s behalf, the controller shall use only processors (suppliers) providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will comply with the provisions of this Regulation and ensure the protection of the rights of the data subject.”
If your company depends on suppliers for help, you need to be certain that they will be there when you need them and that they are doing everything they can to protect the environment.
There is never a 100% safe system, according to information security experts. The more we depend on outside suppliers, the more accurate this assertion may be. Security applies to more than just your company. It encompasses the entirety of your supply chain. Checking carefully to make sure the links are as firmly linked as possible is the greatest approach to protect it.