Most companies sit in the middle of a supply chain. You provide a service or product to your customers, but you also use third-parties who enable your business operations. To secure data, you need to engage in increasingly stringent due diligence to mitigate supply chain risk.
What is Supply Chain Compliance & How to Achieve It
What is “supply chain risk”?
Traditional supply chain risk management focuses on strategy, market, implementation, and performance risks. For example, a procurement organization might look at labor laws and working conditions when determining strategy and performance risks inherent in choosing a manufacturing company.
However, with the increased use of Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) information technology use, the risk management strategies more recently focus on cybersecurity controls and data breach risk mitigation.
Thus, creating an effective vendor risk management program becomes a way to mitigate supply chain risk in an integrated IT environment.
Where supply chain compliance sits as part of compliance risk
Compliance risk is the potential financial loss arising out of legal penalties, financial forfeiture, or material loss arising from noncompliance with regulatory requirements, industry standards, or internal policies.
Supply chain risk sits at the intersection of organizational compliance risk for two reasons.
- Organizations increasingly use third-party technologies as part of critical business operations.
- Regulations and industry standards increasingly hold organizations accountable for data breaches arising from vendor security weaknesses.
Thus, your company’s vendor risk management oversight is not only related to your own cybersecurity posture but also you compliance risk.
What are the standards and regulations governing supply chain management?
While most standards and regulations incorporate supply chain compliance management directly or indirectly, some carry more weight than others. A few major regulations that incorporate supply chain management as part of compliance management include the Healthcare Portability and Availability Act (HIPAA) and European Union General Data Protection Regulation (GDPR)
Failure to enter into a business associate agreement that covers the way third-parties manage Personal Health Information (PHI) or electronic PHI (ePHI) can lead to fines for both entities.
The GDPR incorporates a 72-hour breach notification requirement for all data controllers, even for breaches arising from their data processors. In non-GDPR language, this means that you are responsible for notifying your customers if a vendor has a data breach. You also need to ensure that you only work with vendors who comply with GDPR or you risk penalties.
What are the challenges of supplier management?
Supplier management, also called vendor management, often proves challenging because you cannot control your third-party business partners. You engage in due diligence, but the ability to continuously monitor them lies outside your purview. The long list of challenges aligns with many of the challenges you face within your organization. However, some supply chain risks are particularly invisible.
Regardless of an audit’s outcome, that point-in-time review can be nullified at any moment. Cybercriminals continuously update their threat methodologies which means that yesterday’s effective control can be moot tomorrow.
Single vendor device lacking the appropriate security update can put everyone at risk. If your supplier isn’t maintaining a strict patch management program, then one device on their network that accesses your data can lead to financially fatal data breach.
Your supplier may have password policies in place, but a single employee using “123456” can give malicious actors unauthorized access to systems, networks, software, and data. Equally concerning, a single vendor employee using the same password for their social media accounts or accessing their social media accounts using their work email and password can impact your data and systems.
Employee Training Effectiveness
You can review your supplier training documentation. However, just as within your own organization, those scores may be meaningless. Phishing still remains a primary attack vector, meaning that pieces of training aren’t always effective.
How to create an effective supply chain risk management program
As your organization incorporates more technology suppliers, you need to integrate vendor management as part of your overarching compliance program. Quality management systems (QMS) document the processes, procedures, and responsibilities over quality and control objectives, including managing vendor relationships. Focusing on the most business critical vendors first allows you to maintain business continuity and further protect your customers.
Establish Control Requirements in Service Level Agreements
Your service level agreements (SLAs) legally require your suppliers to align with your security stance. By clearly defining the controls you expect, you can more effectively manage the vendor’s compliance with your risk tolerance. Using these requirements, you can determine whether to maintain or terminate vendor relationships. For example, you may want to incorporate a level of at-rest or in-transit data encryption to ensure appropriate data protection.
Create Key Performance Indicators
As part of your continuous monitoring over your supplier information security controls, you need to set key performance indicators within the SLAs. For example, you may want to incorporate a baseline for restoring critical business operations in the event of a service outage. This allows you to determine the vendor’s resiliency as well as their monitoring and incident response program.
Without real-time insight, supplier relationships need to incorporate ongoing communication between stakeholders. Thus, you need to ensure that you internally assign responsibility for managing the relationship. For example, the annual SOC audit only measures a period in time. Thus, monthly or quarterly communications may enable you to maintain greater oversight.
How ZenGRC Enables Supply Chain Risk Management
By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables you to manage the mundane tasks associated with vendor risk management and ensure a robust program.
ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.
For more information about creating a vendor risk management program, read our ebook “Vendor Risk Management: The Basic Need for It. The Basic Principle of It.”