Vendor Risk Management

Vendor Risk Management and NIST

The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) in response to Presidential Executive Order 13636, signed in February 2013. This voluntary guidance is built on existing standards, guidelines, and practices to help organizations better manage and reduce information security risk. A further benefit is improved communication about information security with both internal and external stakeholders.

What is NIST CSF?

The framework is organized into five Functions (Identify, Protect, Detect, Respond, and Recover). Each Function is broken into Categories, and each Category into Subcategories that describe a specific outcome rather than a prescribed control. Supply Chain Risk Management (ID.SC), the subject of this page, is a Category under the Identify Function.

NIST CSF 1.0 vs. NIST CSF 1.1

The first version of the NIST CSF has served us well since its release in 2014. Four years passed, and the threat landscape did not stand still, so a revised version, v1.1, was published in 2018. Much of v1.1 still resembles the original v1.0 framework, with language changes that state the intent of each subcategory more clearly.

Some categories were added to v1.1 in response to the threats organizations are now facing. Supply Chain Risk Management (ID.SC), which is where vendor risk management lives in the framework, is an area that certainly deserves to be formally addressed.

There are five subcategories under ID.SC. Let's dig into each one and look at what it means from a practical standpoint.

Supply Chain Risk Management (ID.SC)

"The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks."

Source: https://www.nist.gov/cyberframework/identify

Translation: your organization formally addresses the risks that come with using third-party vendors to support your business initiatives. The process is formal and structured so that every vendor is evaluated, not just the ones you feel are important.

ID.SC-1
NIST language: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
Explained: Executive management requires that vendor risk management processes be established. They back this with the resources (money and staff) needed to run the program properly, and they communicate the requirement through governance (policies).

ID.SC-2
NIST language: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
Explained: Every vendor has been identified and classified based on the potential risk it poses to you, regardless of the goods or services it supplies. All vendors are evaluated against the same criteria initially, with more scrutiny applied as the risk they introduce increases.

ID.SC-3
NIST language: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.
Explained: You can use contracts to require that third-party suppliers meet your information security requirements, which may be more stringent than their own internal requirements.

ID.SC-4
NIST language: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
Explained: In ID.SC-2 you evaluate third-party vendors and assign each a risk level. That process should be repeated on a regular (typically annual) basis. You can concentrate effort on the higher-risk vendors, but you must still cover ALL vendors, including the low-risk ones.

ID.SC-5
NIST language: Response and recovery planning and testing are conducted with suppliers and third-party providers.
Explained: High-risk vendors, the ones whose failure could cause grave harm to your organization, should be tested for their response and recovery readiness. You do not want their lack of planning and preparedness to become your outage.
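To make the ID.SC-2, ID.SC-4 and ID.SC-5 explanations above concrete, here is a small vendor risk register that classifies vendors into tiers from inherent-risk factors, derives a reassessment cadence from the tier, flags every vendor that is overdue (including low-risk ones that have never been assessed), and lists which vendors warrant response/recovery testing. This is an added example written for this page; it is not SecurityStudio code and not part of NIST CSF. The factor weights, tier thresholds, reassessment intervals and the sample vendor list are all illustrative assumptions.

```python
"""Vendor risk register: tiering (ID.SC-2), periodic reassessment (ID.SC-4)
and response/recovery test candidates (ID.SC-5).

Added example. Weights, thresholds, intervals and sample data are assumed,
not taken from NIST; tune them to your own risk appetite.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Inherent-risk factors and the points each answer contributes (assumed weights).
DATA_SCORE = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}
ACCESS_SCORE = {"none": 0, "read": 1, "write": 3, "privileged": 5}
CRITICALITY_SCORE = {"low": 0, "medium": 2, "high": 4}

# Tier -> maximum days between reassessments (assumed cadence; annual is the
# baseline the page suggests, high-risk vendors get a shorter cycle).
REASSESS_DAYS = {"high": 180, "medium": 365, "low": 730}


@dataclass
class Vendor:
    name: str
    data_classification: str          # highest class of your data the vendor handles
    access_level: str                 # level of access to your systems
    criticality: str                  # operational impact if the vendor fails
    last_assessed: Optional[date] = None  # None = never assessed (an ID.SC-2 gap)


def inherent_risk_score(v: Vendor) -> int:
    """Sum the factor scores. An unknown answer raises KeyError instead of
    silently scoring zero, so incomplete inventory data cannot hide risk."""
    return (DATA_SCORE[v.data_classification]
            + ACCESS_SCORE[v.access_level]
            + CRITICALITY_SCORE[v.criticality])


def risk_tier(v: Vendor) -> str:
    """Map the score to a tier (assumed thresholds)."""
    score = inherent_risk_score(v)
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def next_due(v: Vendor) -> Optional[date]:
    """Date the next reassessment is due, or None if never assessed."""
    if v.last_assessed is None:
        return None
    return v.last_assessed + timedelta(days=REASSESS_DAYS[risk_tier(v)])


def overdue_for_reassessment(vendors: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Every vendor is checked, low-risk ones included (ID.SC-4).
    Returns (name, reason) for each vendor that needs attention."""
    findings = []
    for v in vendors:
        due = next_due(v)
        if due is None:
            findings.append((v.name, "never assessed"))
        elif due < today:
            findings.append((v.name, "due " + due.isoformat()))
    return findings


def needs_resilience_testing(vendors: List[Vendor]) -> List[str]:
    """High-tier vendors should have response/recovery planning tested jointly (ID.SC-5)."""
    return [v.name for v in vendors if risk_tier(v) == "high"]


# Constructed sample inventory (names, answers and dates are made up).
SAMPLE_VENDORS = [
    Vendor("PayrollCloud", "regulated", "write", "high", date(2019, 1, 15)),
    Vendor("OfficeCoffeeSupply", "public", "none", "low", None),
    Vendor("MarketingEmailSaaS", "confidential", "read", "medium", date(2019, 3, 1)),
    Vendor("ColoProvider", "internal", "privileged", "high", date(2019, 9, 1)),
]

if __name__ == "__main__":
    today = date(2019, 10, 1)  # fixed clock so the report is reproducible
    for v in SAMPLE_VENDORS:
        print(f"{v.name:20} score={inherent_risk_score(v):2} tier={risk_tier(v):6} next_due={next_due(v)}")
    print("overdue:", overdue_for_reassessment(SAMPLE_VENDORS, today))
    print("test response/recovery with:", needs_resilience_testing(SAMPLE_VENDORS))
```

Note that the coffee supplier, scored as low risk, is still reported: it has never been assessed, and ID.SC-4 expects every vendor to go through the cycle, not only the ones you suspect. The clock is passed in rather than read from the system so the same register can be replayed in an audit.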

OK, Now what?

Once you decide to follow these sound information security principles, you need a practical way to do so. Traditionally, questionnaire forms and spreadsheets were used to track vendor risk. With the explosion in third-party vendor use, that approach no longer scales.

SecurityStudio lets you address the NIST CSF v1.1 Supply Chain Risk Management (ID.SC) subcategories. The once cumbersome process becomes simpler, more efficient and more thorough, which puts you in a defensible position.

If you need help, contact us! If you would like a SecurityStudio demo, schedule one today!
