It was just over a year ago that US retailer HomeDepot suffered the world’s second largest theft of credit card data. A staggering 56 million card details together with 53 million email details were stolen. The attack was traced back to a compromised supplier.
And, more recently, JD Wetherspoon’s had customer details hacked in an attack reported in December last year. It took them almost 6 months to discover the problem due to the being stored with a company that used to host their website.
Of course, when we think of information security we often think of customer records and the financial risk of personal data leaks. These, after all, are the headline makers. But what about intellectual property? Just how much information do you share with your key suppliers, trusting that your collaborative relationship will continue, unchanged, long into the future?
I came across this great article by Robert C. Covington that includes practical advice on dealing with suppliers on information security and some of the things to watch out for when assessing their information security management.
Taking Covington’s recommendations one step further, what are the processes needed to ensure we close the gap that can lead to vulnerabilities?
As an ISO 27001:2013 accredited organisation, we thought it would be useful to take a look at some of the controls included in the standard.
Risk assessment – If you are allowing a supplier to access your business information then you need to assess the risk to confidentiality, integrity and accessibility. Not all suppliers are created equal, but what is important is that information security is consistently considered in terms of potential consequences and likelihood of occurrence. This will enable you to establish your level of tolerance and, of course, treatment of the risk.
Supplier evaluation – How you choose to evaluate your suppliers will depend on their criticality and your appetite for the risk. For high risk and high importance suppliers, their own accreditations in, for example, PCI: DSS and/or ISO 27001:2013, may be satisfactory evidence or you may choose to audit their information security systems, possibly doing site visits or gaining external references to ensure they meet your standards.
Supplier agreement – As an organisation we apply standard agreements that encompass information security requirements. Dependent on the type of supplier and the results of the risk assessment we can consider whether additional clauses are needed in the agreement to mitigate risk or whether other actions need to be taken to achieve the overall goal of working with the supplier. In some instances, this may include sharing more risk with the supplier.
Compliance monitoring – As Covington points out, things change. A supplier who passes scrutiny today may not necessarily remain secure, and sadly they may not always comply with the security clauses in your agreement. For this reason, the ISO controls cover monitoring performance, regular reviews and, if necessary, regular audits to ensure they continue to comply.
Termination of agreement – If it’s the end of the line, for good or bad reasons, then make sure you have procedures in place for the return or destruction of all your business information or assets and, of course, the removal of any access rights granted.
Managing your supply chain, and the necessary policies and controls surrounding it, can seem overwhelming. How do you keep track of everything?
Help is on hand in the form of a cloud software solution that manages not just your policies and controls, but also your suppliers in relation to their role within your information management system.
With collaboration functionality built-in, including discussions, tasking and alerting, it ensures your important supplier relationships are set-up, owned, monitored and reviewed to protect your business information and other assets from the modern day Ronnie Biggs!
ISMS.online can help you manage your supply chain information security
Julia Heron is the ISMS Solutions Specialist for ISMS.online.