by Vivian Tero, Data Center Security & Compliance, Information Security Group, Symantec Corp.
Today, the notion of “supply chain” has gone beyond the traditional physical flow of goods and services to include the flow of data across the business ecosystem. In the digital supply chain, data is the valuable asset that must be protected, shared securely, managed and archived according to corporate, regulatory and legal mandates. In this world of highly digitized services, businesses increasingly realize that they may outsource activities to a third party but remain accountable not only for their own activities but also for those of their suppliers and business partners. In regulated industries, a third- or fourth-party vendor’s lack of accountability to regulators may leave a business exposed to civil and even criminal penalties. As the threat landscape continues to evolve, the onus is therefore on businesses to practice continuous due diligence on their information supply chain.
Symantec and Prevalent recently hosted an expert online panel discussion on cybersecurity and third-party risks. The key takeaways from this session include the following:
- Businesses have very little visibility into the information that is being shared, with whom the information is being shared, and the security practices and protocols of third and fourth parties that have access to the information.
- Businesses also have very little visibility into the provenance of the data that is entering their networks.
- Businesses assume that security standards are consistently enforced within the organization, in many instances failing to take into account differences in standards and resource constraints across their geographically dispersed business units and data centers.
- Malicious hackers and data grabbers are increasingly targeting the less secure, smaller third- and fourth-party partners, or a business’s regional or field units, as backdoors into the parent organization’s data centers.
- Recommended best practices for addressing third-party vendor risks include the following:
  - Having strong governance controls for assessing partners.
  - Educating the business owners so that risk assessment is incorporated at the beginning of every partner/supplier engagement, instead of being treated as a “checkbox” assessment.
  - Tiering vendor risk assessment standards and practices according to the security profile of the data and systems that are shared.
  - Conducting a data mapping exercise to help the business scope the data access and sharing rules with its partners and suppliers.
  - Automating the policies and business processes for risk assessment to ensure consistent enforcement and legal defensibility.
  - Conducting periodic assessments of one’s vendor risk management maturity, which will help businesses baseline their strengths, identify their deficiencies, and programmatically plan and execute their remediation activities.
To learn more about third-party vendor risk assessment solutions, see the Control Compliance Suite – Vendor Risk Manager Data Sheet.
A replay of the web panel discussion on cybersecurity and third-party vendor risk management is also available.