2nd July 2014
By Nick Rafferty, COO, SureCloud
Suppliers need to be considered in many different ways and a classification of suppliers is essential if you are going to accurately assess them for risk. It is important not to treat suppliers equally as a single one-size-fits-all group. I am assuming you have already been through a data classification process, which not only classifies data at a high-level (top secret, confidential, personally-identifiable information, and public for example) but also categorises data at a more granular level – for example down to key fields of information within a type of data record. The data classification should also take into account any regulatory or commercial compliance requirements that must be met (Financial Conduct Authority or the Payment Card Industry Data Security Standard for example).
When creating your supplier classification, consider the following questions and potential supplier (S1, S2, and S3) answers:
Q. What does this supplier do for my organisation?
S1. It remotely manages my network infrastructure, hardware and software maintenance
S2. It develops the company website
S3. It provides a service or product to our customers on our behalf
Together, the above answers cover the main types of suppliers you will most likely interact with – those to which you outsource an operational business function (S1), those you engage with occasionally to meet a business need (S2), and those you interact with regularly to deliver a customer requirement (S3).
Now consider these follow-up questions and potential answers:
Q. What data and classification does each supplier access or have shared with it?
S1. Potentially all of my data – top secret, confidential, personally-identifiable information, and public
S2. Minimal data – public supplied via the website
S3. Customer data – confidential and personally-identifiable information
Q. What level of security controls would I expect to be in place to protect this type of information?
I am going to use a very basic high, medium, and low (minimum set of baseline controls) rating for the purposes of this blog, but in reality it is important to align with an information security standard/body that covers the breadth of security controls you expect across all types of suppliers (some I have seen used very well include ISO27001, SANS Top 20 and Cloud Security Alliance).
With these answers to hand, you will be in a position to establish a supplier classification and allocate a class to each of your suppliers.
When designing your supplier audit questionnaires – please note I use the plural – each version should take into account the three questions and answers from above, and also the regulatory and commercial compliance requirements from your data classification exercise. This will largely determine the number of versions you need to create. It is important to establish a minimum baseline set of security controls that you would expect all suppliers to have in place, regardless of what they provide and what level of information they can access. This baseline set should then have variants covering the different types of suppliers from your classification.
The main benefit of going to this level of detail is two-fold – for you and for your supplier. For you, it is about establishing a clearly defined structure that will enable a high degree of analysis and insight. For the supplier it is about only being asked questions relevant to their relationship with your organisation. It is highly likely your suppliers are completing similar exercises for many of their customers and there is nothing more frustrating than being asked questions about application development security controls when they do not provide the organisation with that type of service.
Creating questions with fixed responses such as ‘yes’ or ‘no’ will enable you to weight each question by level of importance (a simple one, two, three rating is sufficient). This in turn enables a risk score to be calculated across all suppliers submitting a response. Risk score rankings across the baseline set of required controls will enable the organisation to produce a risk register, and further analysis can then be applied within each supplier type.
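The baseline-plus-variant questionnaires and weighted yes/no scoring described above can be sketched as follows; this is an added example, not part of the original post. The question IDs, weights, supplier names and answers are constructed, and the scoring formula (share of total weight not answered 'yes', with unanswered questions counted as 'no') is an assumption, since the post does not define one.

```python
# Added illustration: all questions, weights and responses below are constructed.
# Weight = importance rating (1, 2 or 3) as suggested in the post.
BASELINE = {"B1": 3,   # access control policy in place
            "B2": 2,   # staff security awareness training
            "B3": 3}   # incident reporting process
VARIANTS = {           # extra questions per supplier class (S1, S2, S3)
    "S1": {"V1": 3, "V2": 2},   # remote access logging, patch management
    "S2": {"V3": 3, "V4": 1},   # secure development process, code review
    "S3": {"V5": 3, "V6": 2},   # customer data encryption, data retention
}

def questionnaire(supplier_class):
    """Baseline questions plus the variant for this supplier class."""
    return {**BASELINE, **VARIANTS[supplier_class]}

def risk_score(questions, answers):
    """Assumed formula: percentage of total weight NOT answered 'yes'.
    Unanswered or malformed answers count as 'no'."""
    total = sum(questions.values())
    missed = sum(w for q, w in questions.items()
                 if str(answers.get(q, "no")).strip().lower() != "yes")
    return round(100 * missed / total, 1)

def risk_register(responses):
    """Rank suppliers by baseline score (highest risk first), then overall."""
    rows = [{"supplier": name, "class": cls,
             "baseline": risk_score(BASELINE, ans),
             "overall": risk_score(questionnaire(cls), ans)}
            for name, (cls, ans) in responses.items()]
    return sorted(rows, key=lambda r: (-r["baseline"], -r["overall"], r["supplier"]))

RESPONSES = {  # constructed sample responses
    "NetOps Ltd": ("S1", {"B1": "yes", "B2": "yes", "B3": "no", "V1": "yes", "V2": "no"}),
    "WebDev Co":  ("S2", {"B1": "yes", "B2": "no", "B3": "yes", "V3": "Yes", "V4": "yes"}),
    "FulfilCo":   ("S3", {"B1": "no", "B2": "yes", "V5": "yes", "V6": "yes"}),  # B3 unanswered
}

if __name__ == "__main__":
    for row in risk_register(RESPONSES):
        print(row)
```

Ranking on the baseline score keeps suppliers of different classes comparable, while the overall score supports the within-class analysis.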
This may all sound like a lot of work, and it is. But if you truly want to weigh up your suppliers for risk, then the guidelines outlined above will help you deliver an effective programme and focus resources where it matters most.