We begin the engagement by establishing the definition of a “Supplier,” as this is often misunderstood across the business and can result in unidentified third party services and connections going unaddressed. Next, we draft a C-SCRM plan for your business’ governance framework that meets your risk appetite and tolerance objectives.
Risk Crew will then assess and align your current information asset classification scheme to appropriate the service level agreement language and include it in all applicable supplier agreements so that security requirements are understood and contractually agreed upon during on-boarding.
Cyber Risk Triage
Risk Crew designs and deploys a supply chain risk triage portal based on the volume and sensitivity of the business’ information assets that the supplier processes, stores or transmits on your behalf – along with specific connectivity and compliance requirements such as DPA, GDPR or the PCI DSS.
Once deployed, the model will segment your suppliers into risk categories of Low, Medium or High to accordingly prioritise the risk management process – giving a clear risk-driven view of your supply chain.
Automated Risk Assessment
Once triaged into applicable cyber risk categories (Low, Medium or High), suppliers are directed to complete a risk assessment questionnaire suitable to their risk profile.
After questionnaires have been completed, specific risk assessment criteria will be expertly aligned to each supplier across the chain based on their potential risk to your systems and business information assets. The questionnaire is designed to identify and document the existing “inherent” risks associated with each supplier's current security controls. This tailored approach is important because when it comes to risk, one size does not fit all.
Prioritised Risk Remediation
Now that explicit, “inherent” risks are identified for each supplier, you can assign specific actions to supplement or enhance existing security controls and reduce those risks to a level within your business’ risk appetite and tolerance.
Supplier-specific risk-reduction activities are tracked through remediation and their “residual” risk status is logged for annual review.
Key performance indicators (KPIs) are identified and collected throughout the process to verify overall risk reduction.
Throughout the engagement, Risk Crew conducts routine security testing to ensure the effectiveness of controls the supplier has implemented to secure your information assets and connectivity to your systems.
Risk Crew will scope and conduct routine security testing of the supplier’s systems applicable to their residual risk profile and the technology platform processing, storing or transmitting your information assets such as web application, network, API, cloud or IoT. Bespoke control testing = bespoke cyber risk management.
Monitoring & Mentoring
Once the process is implemented, there is still work to be done. Risk Crew strongly believes that suppliers need continual monitoring and mentoring to ensure their understanding and correct implementation of the controls required to protect your information assets and their connectivity to your systems.
The Risk Crew C-SCRM solution includes a supplier “helpline“ to answer any specific questions that may arise and provide best practice advice when needed. It also includes daily CERT alerts and monthly cyber security bulletins to keep suppliers apprised of current threats and vulnerabilities. We do this because we believe that education is the silver bullet.
Finally, it's not over until it's over. One of the most important (and overlooked) steps in any supply chain risk management lifecycle is the “goodbye”. The Risk Crew C-SCRM process includes detailed contract close requirements from data retrieval or destruction to verifying termination of supplier connectivity to business systems.
Requirements will be mapped to the existing business process to ensure their execution and the secure off-boarding of your supplier. This simple follow-through will dramatically decrease the chances of an accidental breach.