Our time is increasingly characterised by being constantly online and interconnected. Companies are not exempt from this trend: they increasingly see their boundaries expanding and blurring through collaboration with partners, customers and suppliers. In this context, the perimeter to be protected becomes more and more complex, and harder to define and protect.
Here the typical security adage that “you are only as strong as the weakest link in the chain” applies more than ever. The problem is that at this point the ‘chain’ disregards and extends beyond the company boundary, where the possibility of control becomes, if not non-existent, much weaker.
INTRODUCTION
By now, even very small companies have partnerships with third parties with whom they share administrative, economic/financial and business data, making the third party an integral component of business processes.
It is therefore necessary to choose one’s suppliers carefully, even – and above all – the non-technological ones: a supplier that pays little attention to information and system security could, once connected to the company’s systems, put at risk what is commonly referred to as the company’s ‘security posture’.
There are now many companies (even large ones that make significant investments in information security) that have suffered serious attacks because of a partner’s vulnerability. Even though it is now dated, the attack on Target, a chain of department stores in the US, was the pioneer: the company lost hundreds of millions of dollars due to a vulnerability introduced by a refrigerator maintenance technician!
Unfortunately, we cannot even rely on the ‘reality’ proposed by TV series and dramas: in fact, it is quite rare that, when facing a cyber attack, red skulls appear on the screens of the unfortunate victims. A recent study by IBM Security estimates the average time needed to identify and contain a data breach at 287 days! It is therefore more likely that a problem is detected only when it has already reached alarming proportions.
Considering that the trend of cyber attacks is constantly increasing, in order not to undermine investments in security and to maintain control of one’s security posture, it is appropriate to define a new paradigm for choosing and collaborating with third parties.
To address this issue, we have developed a comprehensive framework for third-party management, which is structured into the following three phases:
PHASE 1: SUPPLIER SELECTION
The selection phase is used to qualify the supplier regarding security aspects.
Qualifying a supplier means evaluating it properly, so as to be able to make informed decisions about the collaboration, which may range from rejection, to a particularly controlled collaboration (see Phase 2 – contract management), to a monitored collaboration following rather relaxed process schedules.
The qualification therefore helps to define the level of control to be formalised in the security-specific contractual clauses.
This phase includes two steps that can be summarised as follows:
- Assessment of the supplier’s security posture: this is a very important step that leads and directs the implementation of the entire framework. According to the type(s) of planned collaboration, the supplier is asked to self-assess the security controls it has adopted, taken from reference frameworks and standards. For this purpose Riskout was developed, a system that manages the entire assessment process online (www.riskout.it).
- Contractualisation: the result of the security posture assessment must provide the awareness needed to make the choice. The possible cases are countless and are dictated by multiple factors that may influence the final decision; for example, a supplier may turn out to be weak from a security point of view but strategic, or not easily replaceable with better ones. For this reason, according to the results obtained with Riskout, specific contractual clauses are formulated to protect the company’s information assets, defined according to the level of risk introduced by the supplier.
PHASE 2: CONTRACT MANAGEMENT
The contract management phase is carried out throughout the duration of the contract and its purpose is to identify the supplier’s access perimeter, to regulate it, and to verify that the supplier is acting in accordance with the contractual agreement.
It is divided into the following points:
- Perimeter identification: the systems and information to which the third party needs access are identified.
- Access control: access profiles are defined for all the staff (who must be known) who need access, and control methods are defined.
- Audit: with a periodicity defined according to the Phase 1 assessment, a supplier audit plan is drawn up, which can later be adjusted according to the collected evidence.
PHASE 3: END OF CONTRACT
Aside from the aspects regarding possible handovers or migrations of data/systems, this is the conceptually simplest part of managing the relationship. It concerns the prompt removal of the access rights of all the supplier’s personnel to the company’s systems.
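As an added illustration of Phases 1 to 3 (this is example code written for this page, not Innovery’s or Riskout’s own software), the following Python sketch models the lifecycle in the smallest possible form: a self-assessment score sets a risk level and the audit period; access is granted only to known supplier staff and only inside the identified perimeter; an audit reports grants that have drifted away from the contract; and end-of-contract offboarding removes every remaining right at once. The supplier name, the people, the system names, the 0–100 score scale, the risk thresholds and the audit periods are all assumptions chosen for the example.

```python
"""Added example (not Innovery's or Riskout's code): a minimal model of the
third-party access lifecycle described in the article.  Names, scoring scale,
thresholds and audit periods are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Phase 1: map a self-assessment score (assumed 0-100 scale, higher is better)
# to a risk level, and from that to the audit periodicity used in Phase 2.
AUDIT_PERIOD_DAYS = {"low": 365, "medium": 180, "high": 90}   # assumed values


def risk_level(score: int) -> str:
    """Assumed thresholds: >=80 low risk, >=50 medium, otherwise high."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100")
    if score >= 80:
        return "low"
    if score >= 50:
        return "medium"
    return "high"


@dataclass
class Supplier:
    name: str
    contract_end: date
    risk: str
    perimeter: frozenset                     # systems the contract allows the supplier to reach
    staff: set = field(default_factory=set)  # named personnel; must be known before any grant


@dataclass
class AccessRegistry:
    """What is actually provisioned on the company's systems: (supplier, person, system)."""
    grants: set = field(default_factory=set)

    def grant(self, supplier: Supplier, person: str, system: str) -> None:
        # Phase 2 access control: only known staff, only inside the identified perimeter.
        if person not in supplier.staff:
            raise PermissionError(f"{person} is not registered staff of {supplier.name}")
        if system not in supplier.perimeter:
            raise PermissionError(f"{system} is outside the perimeter of {supplier.name}")
        self.grants.add((supplier.name, person, system))

    def audit(self, supplier: Supplier) -> list:
        """Phase 2 audit: list every grant that no longer matches the contract."""
        findings = []
        for sname, person, system in sorted(self.grants):
            if sname != supplier.name:
                continue
            if person not in supplier.staff:
                findings.append(f"{person} still holds {system} but is no longer registered staff")
            if system not in supplier.perimeter:
                findings.append(f"{person} holds {system}, which is outside the perimeter")
        return findings

    def offboard(self, supplier: Supplier) -> int:
        """Phase 3: remove every access right of every member of the supplier's staff."""
        stale = {g for g in self.grants if g[0] == supplier.name}
        self.grants -= stale
        return len(stale)


def next_audit_date(supplier: Supplier, last_audit: date) -> date:
    return last_audit + timedelta(days=AUDIT_PERIOD_DAYS[supplier.risk])


def demo() -> dict:
    """Runs the lifecycle on constructed sample data and returns the observable results."""
    acme = Supplier("ACME Facilities", date(2025, 12, 31), risk_level(62),
                    perimeter=frozenset({"bms-portal"}), staff={"alice", "bob"})
    reg = AccessRegistry()
    reg.grant(acme, "alice", "bms-portal")
    reg.grant(acme, "bob", "bms-portal")
    try:                                  # a request outside the perimeter is refused
        reg.grant(acme, "alice", "erp")
        refused = False
    except PermissionError:
        refused = True
    # Drift: bob leaves ACME but his grant is never removed, and someone provisions
    # an out-of-scope system directly on the target, bypassing grant().
    acme.staff.discard("bob")
    reg.grants.add((acme.name, "alice", "erp"))
    findings = reg.audit(acme)
    removed = reg.offboard(acme)          # contract ends: everything goes in one step
    return {
        "risk": acme.risk,
        "next_audit": next_audit_date(acme, date(2025, 1, 1)).isoformat(),
        "refused_out_of_perimeter": refused,
        "audit_findings": findings,
        "grants_removed": removed,
        "grants_left": len(reg.grants),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit deliberately checks the registry of what is actually provisioned, not the list of what was requested through `grant()`: drift typically comes from rights added outside the process or from supplier personnel who leave without the company being told, and only a comparison against the contract’s perimeter and staff list will surface either.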
The process described so far can also be applied to collaborations already in place, modifying some implementation schedules where necessary.
For example, the supplier selection phase can be carried out by submitting the supplier’s self-assessment via RiskOut; the contractualisation phase can be postponed to the contract renewal (if foreseen and desired) or handled by means of appropriate contract addenda.
The contract management phase, if not already addressed, can (and must) be carried out immediately as regards perimeter identification and access control, while the timing of the control/audit part is determined by the acceptance of the corresponding clauses.
CONCLUSIONS
The correct management of the relationship with one’s own third parties is part of the wider topic of information security risk management, a topic that is increasingly central to national and international regulations (e.g. DORA or NIS2) to which a large part of the industrial and service sector will have to adapt. It is therefore recommended that companies activate this control as soon as possible, with the combined aim of increasing their ‘security posture’ and starting the process of compliance with the imminent regulations in good time.

Simona Costa
Senior Security Advisor, Innovery