InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
Central to a supplier risk management program is understanding, measuring and managing the level of risk exposure in the relationship between the supplier and enterprise from a resiliency and continuity perspective. To achieve this, enterprises should
identify their most critical suppliers and then verify their continuity capabilities. This piece explains how this verification process must go beyond supplier security reviews to include an independent validation of the supplier’s continuity
plans, combined with ongoing exercises to ensure the enterprise and supplier resilience efforts are coordinated effectively.
Many organizations identify key high-risk suppliers to conduct periodic exercises to test their business continuity (BC) best practice plans (something that must be agreed on by contract). Figure 1 below provides a framework that can help support the execution of supplier continuity exercises.
It is organized by plan objective, purpose and scope, and the components of the plan cover BC, cybersecurity implications and communications.
Organizations should consider developing and deploying detailed procedures across the enterprise in support of each of these plans.
Once procedures are defined and documented, enterprises should conduct exercises with suppliers according to their criticality to the enterprise and its core business operations.
Factors to be considered include:
Successful supplier tabletops require strong processes and upfront planning. Key preliminary steps to take include:
Running supplier tabletops is a lot like running internal tabletops. The main differences are the external coordination with the supplier and touchpoints with internal resources. Consider these key steps:
The contract should embed language that articulates the supplier’s participation in the ongoing exercises and addresses material areas of exposure. Consider using the following sample contract language:
A wide range of services and consultants can assist in the coordination of supplier/enterprise exercises. Any provider you choose should offer a discussion-based incident scenario tailored to your unique environment and operational needs. When selecting
a provider, consider:
It is critical to ensure the scenarios provided are relevant to your internal business processes and the supplier’s services. Moreover, contract language should state an agreed-on cadence of exercises and the necessity of addressing material findings.
Organizations can’t properly manage supplier risk unless they understand, measure and proactively manage the level of risk exposure from a resiliency and continuity perspective. To be successful with supplier BC exercises:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
December 6, 2022
By IANS Research
Improve your attack surface management plan using 9 steps to mitigate risk and strengthen enterprise security posture.
December 1, 2022
By IANS Faculty
Improve your vendor management program using six focus areas to benchmark program maturity and identify key pitfalls to avoid.
November 29, 2022
Learn how to integrate IT, OT and physical security programs to reduce risk, improve efficiency and streamline processes across the organization.