Building a SCRM Program

There are three main areas in an SCRM program: managing the vendors, mitigating the risks, and maturing the program.
Management of the Vendors

The typical vendor management (VM) program, which is part of the whole SCRM process, should contain at least the following items:
- Policies and procedures for vendor management
  - This is to ensure that your vendor management person can take a vacation and that consistent action can be taken when the primary person is absent.
- A vendor attestation review process
- A repository for keeping all of the documents on a year-by-year basis
- A schedule for when to request the latest security attestation, financial and other documents
- A rating system for determining the criticality of the vendor and determining which classification needs attestation review
- A vendor performance rating or scoring system
- Contacts for each vendor
- Someone, perhaps even a department, that is responsible for requesting, reviewing, classifying and coordinating this process
Mitigation of the Risks

Beyond just technical cybersecurity risks (which will be covered in another article), a few other types of risks exist.
Financial Risks

How would your company be affected if your vendor or one of their vendors became insolvent? What if your storage vendor in the chain was acquired? What would happen to your privacy and security agreements? Keep an eye out for vendors that would be able to provide the same service in case of emergency. Providers like PaaS and IaaS are plainly not as volatile or easily switched as something like your snack vendor, so the risk depends on the service being provided, along with whatever else it would take for you to switch service providers.
Operational Risks

What happens to the contracted services or products if there’s a service disruption at one or more of the suppliers? Business continuity and disaster recovery are important here. At a minimum, a TTX (tabletop exercise) should be performed to think through and communicate what needs to happen in case of extended outages. Procurement is part of this risk. Have a holistic process that includes knowledge of intent to purchase (by someone in a management or director position), knowledge by security (so they can vet the proposed purchase) and involvement of IT Operations (so they know what tech might be needed or impacted).
Privacy and Regulatory Risks

What is the course of action for a customer's data getting viewed/taken while held at a vendor? It’s important to know the requirements for reporting and notifying if there’s a breach at a vendor. A Mutual Non-Disclosure Agreement (MNDA), while not impervious, is a good baseline contractual agreement between the customer and supplier. These agreements can be complex, but they should at least cover the need to keep shared information confidential and to lay out the repercussions for a breach of contract. Expect to sign or receive many of these.
Software Risks

What if the software that’s used, even if it’s approved, has bugs? What kind of Software Development Life Cycle (SDLC) does the vendor or their suppliers use? Are software contractors properly vetted? Does the supplier have an MDM or BYOD policy? Do you need to compare the hashes of the programs downloaded on corporate computers?
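The last question above, comparing hashes of downloaded programs, is the one control in this list that can be automated on the endpoint side. The following is an added example, not code from the article, of how that check looks in practice: it parses a vendor-published checksum manifest in the common "SHA256SUMS" layout (one line of "<sha256 hex>  <filename>", which is an assumption about the vendor's publishing format), hashes the downloaded file in chunks, and reports a verified file, a digest mismatch, or a file the manifest does not list. The installer names and bytes in `demo()` are constructed sample data.

```python
"""Verify downloaded vendor software against a published checksum manifest.

Added example, not part of the original article. Assumes the vendor publishes a
SHA256SUMS-style manifest: one line per file, "<sha256 hex>  <filename>".
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

MANIFEST_ALGO = "sha256"
HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text):
    """Return {filename: expected_hex_digest} from SHA256SUMS-style text.

    Blank lines and '#' comments are ignored. A leading '*' on the filename
    (the binary-mode marker written by sha256sum) is stripped. Anything that
    is not a 64-character hex digest is rejected so a stray MD5/SHA-1 line
    cannot silently weaken the check.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        expected[name] = digest
    return expected


def file_digest(path, algo=MANIFEST_ALGO, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large installers do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected):
    """Return (ok, reason) for one downloaded file against the parsed manifest.

    ok is False when the file is absent from the manifest (an unexpected
    artifact is itself a finding) or when its digest differs.
    """
    name = Path(path).name
    want = expected.get(name)
    if want is None:
        return False, f"{name}: not listed in manifest"
    got = file_digest(path)
    # Constant-time comparison; the digests are public, but using it
    # everywhere removes one class of mistake when the habit carries over.
    if not hmac.compare_digest(got, want):
        return False, f"{name}: digest mismatch (expected {want[:12]}..., got {got[:12]}...)"
    return True, f"{name}: verified ({MANIFEST_ALGO})"


def demo():
    """Constructed sample data: a good download, a tampered copy, and an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = root / "vendor-agent-1.0.0.msi"          # constructed file name
        good.write_bytes(b"constructed installer bytes\n")
        manifest_text = f"# constructed manifest\n{file_digest(good)}  *{good.name}\n"
        expected = parse_manifest(manifest_text)

        tampered_dir = root / "tampered"
        tampered_dir.mkdir()
        tampered = tampered_dir / good.name                 # same name, one byte changed
        tampered.write_bytes(b"constructed installer bytes!\n")

        unlisted = root / "helper-tool.exe"                 # not in the manifest at all
        unlisted.write_bytes(b"constructed bytes\n")

        return [verify_download(p, expected) for p in (good, tampered, unlisted)]


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

The manifest itself is only as trustworthy as the channel it arrived on; the value of the check comes from fetching the manifest separately from the installer (or from a signed release page) so that a single tampered download does not also carry its own matching digest.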
Reputational Risks

This is arguably the largest risk because it directly affects the long-term viability of your company. Who wants to do business with a company that doesn’t have the security foundations done correctly? Consider how much revenue could be lost if your company’s reputation took a hit because of poor security practices. This loss isn't just how a brand is initially impacted; it’s also about how longevity and stability are measured (e.g., how many people were let go and how much the stock dropped in value). How does one figure out the reputational risk rating? Fortunately, searching for “reputational risk assessment template” will uncover plenty of resources. For security professionals, the ability to demonstrate reasonable security measures and/or SANS Institute industry certifications can go a long way toward increasing the company’s reputation. Being able to produce appropriate publicly accessible reports, policies and processes will greatly increase trust.
Maturity of the Program

An old adage is, “You get better at what you do.” The excitement of getting any program together often provides enough energy to complete the program and get it started. But it’s the long haul, the growing-up phase, that becomes tough and requires staying power. Maintaining the SCRM requires good project management skills as well as cooperation and communication between many departments. Business, regulatory, compliance and legal risks determine to what extent companies require attestation and what certifications are needed.

Consider your company’s reputational requirements; this is about increasing your reputation. Because customers are aware of third-party risks, your reputation will increase if you are known to review current and potential vendors and can prove that you’ve reviewed the risks and responded accordingly. These actions, in addition to having set up an SCRM program, also set up a company for a successful audit, whether required (e.g., because you're in the financial industry) or self-imposed (e.g., voluntarily seeking SOC 2 or ISO 27001). Be open, honest, and organized. A great help to maturing one’s SCRM program is letting others know where the security posture stands, what’s being done to refine it and what the future plans are.

“How do I know what to do to improve our program, and what customers are looking for?” Role-play as if you're one of those vendors. You may not have regulatory requirements, and you may not be a SaaS, but you will benefit from acting as a top-notch company that protects your customers’ data. Also, think about what assurances you want from those who hold your data. What guarantees do you want from the bank or your children's primary care provider? What protections are expected from social media platforms? When you think about what you would like personally, you can then expand those things to what your customers would expect from you.
And then you can extrapolate from those expectations what you need to receive from your vendors.

Make a note to consider potential litigation. Look ahead and imagine the scenario of you sitting in a courtroom and being questioned by an attorney. "Did you know about this risk? Did you do anything about it? Do you have regular reports of risk and threats? Are you aware of how your team is managing and monitoring vendors? Do you have processes and projects in place to locate, manage and mitigate vulnerabilities?" The questions will go on and on. Crimes and accidents happen. They always have, and they always will. But that doesn’t make it any less important to ensure you have done all that can be reasonably performed to anticipate and mitigate bad possibilities. This process is called “duty of care” or “due diligence.” The concept is about making sure you have done your best to secure what you know you need secured in an appropriate manner.

The last aspect that I’ll mention, and one of the first things to accomplish, is developing an Incident Response Plan (IRP). Be ready to respond. While preparing, implementing and growing your program, things can go wrong. Having a plan for how to respond to incidents in general (and more specific as time goes on) is a critical piece of maturing your program.
The Value of a SCRM Program

Manage your vendors, mitigate the risks and mature the program. As your company becomes better able to demonstrate diligence in protecting your customers' data, trust will increase. And a good name is worth its weight in gold. A good resource for further perusal about creating a SCRM program is NIST's SP 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations.” This publication is located here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf.