

Supply chain security: Controlling third-party risks

Third-party contractors and business partners can create risks for enterprises. Expert Eric Cole offers guidance on improving supply chain security and controlling third-party risks.

Cloud services make it easy to set up and run a business by letting third parties perform much of the functionality an enterprise requires. While the use of third parties can deliver significant cost savings, it also creates a large exposure: organizations are turning over, or providing access to, very sensitive information, in some cases even client information, to a third party that may or may not maintain an adequate level of security. Negotiating the financial terms of a third-party contract is important, but in many cases identifying the proper security requirements is even more important, yet supply chain security and third-party risk are too often overlooked.

Adversaries are realizing that it is often better to compromise the supply chain downstream than to target an organization directly. Targeting one organization yields the data of one entity; targeting a downstream provider that holds information for thousands of organizations yields far more from a single attack. It is therefore critical that an organization understands its downstream supply chain and verifies that third parties are properly protecting its information and, more importantly, its clients' information.

In addition to verifying a third party's overall security, it is important to verify that it enforces proper domain separation, meaning that one organization's information is kept separate from every other client's information. This is especially important with hosting providers: if one client's site is compromised, that should not make it any easier to compromise another client's information.
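What domain separation looks like at the data layer of a shared hosting provider, and how to check for it, is shown below. This is an added example, not code from the article or from any provider; the schema, the tenant names "acme" and "globex" and the document rows are constructed. It contrasts a lookup that keys on the record ID alone, so a compromised client who guesses IDs reads other clients' records, with one that carries the caller's tenant into every query, and it includes the cross-tenant probe you would ask a provider to run to answer the later question about whether your information is segmented from that of its other clients.

```python
"""Domain separation at a shared hosting provider's data layer (added example).

Property under test: a compromise of one client (tenant) must not make any
other tenant's data reachable. Schema, tenant names and rows are constructed.
"""
import sqlite3

# Constructed sample data: two hosting clients sharing one database.
SAMPLE_ROWS = [
    ("acme", 1, "acme customer list"),
    ("acme", 2, "acme payroll export"),
    ("globex", 3, "globex contract drafts"),
]


def build_db():
    """In-memory database with one shared table for all tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "tenant TEXT NOT NULL, doc_id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_document_unscoped(conn, caller_tenant, doc_id):
    """Weak: looks up by doc_id only; caller_tenant is never consulted.

    Any tenant that guesses or enumerates an ID reads the record.
    """
    row = conn.execute(
        "SELECT body FROM documents WHERE doc_id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def get_document_scoped(conn, caller_tenant, doc_id):
    """Hardened: the caller's tenant is a predicate of every query.

    Another tenant's record is indistinguishable from one that does not exist,
    so a compromised client gains nothing from knowing other clients' IDs.
    """
    row = conn.execute(
        "SELECT body FROM documents WHERE doc_id = ? AND tenant = ?",
        (doc_id, caller_tenant),
    ).fetchone()
    return row[0] if row else None


def cross_tenant_leaks(conn, lookup):
    """Probe the separation property.

    Requests every known doc_id as every tenant and returns the
    (tenant, doc_id) pairs where a tenant read a record it does not own.
    An empty list means the lookup enforces domain separation.
    """
    owners = {doc_id: tenant for tenant, doc_id, _ in SAMPLE_ROWS}
    tenants = sorted({tenant for tenant, _, _ in SAMPLE_ROWS})
    leaks = []
    for tenant in tenants:
        for doc_id, owner in owners.items():
            if owner != tenant and lookup(conn, tenant, doc_id) is not None:
                leaks.append((tenant, doc_id))
    return leaks


if __name__ == "__main__":
    conn = build_db()
    print("unscoped leaks:", cross_tenant_leaks(conn, get_document_unscoped))
    print("scoped leaks:  ", cross_tenant_leaks(conn, get_document_scoped))
```

The point of the probe is that it tests the boundary from the attacker's side: it does not ask whether a tenant column exists, it asks whether a request made as one tenant can ever return another tenant's data. The same check generalizes to any shared service (object storage prefixes, message queues, backup sets) by substituting the lookup function.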

In dealing with third parties, it is critical to remember that an organization can transfer responsibility, but it cannot transfer liability. It is ultimately up to an organization to make sure a third party is properly implementing security.

The first questions an organization must ask about its supply chain security are:

  • Does the organization work with any third parties, including contractors, business partners, service providers, individuals or anyone who is not an employee?
  • Does any third party have access to systems on the organization's network?
  • Does any third party receive emails or data transfers that contain organizational or sensitive information?
  • Are the contracts with every third party that provides services to the organization available for review?

In dealing with third parties, it is also important to take into account the type of information being transferred and whether any regulations apply to it. Payment card data, personally identifiable information (PII) and protected health information (PHI) each have specific regulations that govern how an organization must deal with third parties.

For payment operations covered by the PCI DSS, the standard is explicit: "… organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected … ." (The CDE is the cardholder data environment.)

Once an organization identifies third parties in its supply chain, it needs to ask each third party the following questions:

  • Does the organization's sensitive information reside on systems that do not belong to the third party (for example, at a subcontractor or another cloud provider)? If so, what information and where is it stored?
  • What data classification and protection mechanisms are in place?
  • Do security policies exist and are there specific sections related to third-party information?
  • Does the third party log all access to the organization's information? How long are the logs preserved and where are they stored?
  • Is the organization's information segmented from that of the third party's other clients? What level of security is implemented to enforce that separation?
  • How does the third party monitor for and detect potential breaches, and how would the organization be notified in the event of a breach?

Ultimately, to succeed in security an organization must take a data-centric perspective. All critical data within the organization must be identified and its overall risk to the organization determined, including the risk introduced by third parties. Based on that risk, appropriate countermeasures must be applied to the data, and once they have been identified, the same level of protection must be in place whether the data sits on the organization's own systems or on a third party's. The security function must be involved in every third-party contract and verify that proper security SLAs are written into it.

In summary, third-party security best practices must be followed to ensure all information is properly protected. These practices include identifying what access is required; creating clear control gates for access and implementing strict access control; monitoring and verifying all access; inserting security SLAs in the contract; and requiring security reports and validation from the third-party vendor.


This was last published in November 2015