Central to a supplier risk management program is understanding, measuring and managing the level of risk exposure in the relationship between the supplier and the enterprise from a resiliency and continuity perspective. To achieve this, enterprises should identify their most critical suppliers and then verify those suppliers' continuity capabilities. This piece explains why that verification must go beyond supplier security reviews to include independent validation of the supplier's continuity plans, combined with ongoing exercises to ensure the enterprise's and the supplier's resilience efforts are coordinated effectively.
Many organizations identify their key high-risk suppliers and conduct periodic exercises with them to test the suppliers' business continuity (BC) plans against best practice, an obligation that must be agreed on by contract. Figure 1 below provides a framework that can help support the execution of supplier continuity exercises.
The framework is organized by plan objective, purpose and scope, and the components of each plan cover BC, cybersecurity implications and communications.
Organizations should consider developing and deploying detailed procedures across the enterprise in support of each of these plans.
Once procedures are defined and documented, enterprises should conduct exercises with suppliers, prioritized by each supplier's criticality to the enterprise and its core business operations.
Factors to be considered include:
Successful supplier tabletops require strong processes and upfront planning. Key preliminary steps to take include:
Running supplier tabletops is much like running internal tabletops. The main differences are the external coordination with the supplier and the touchpoints with internal resources. Consider these key steps:
The contract should embed language that articulates the supplier’s participation in the ongoing exercises and addresses material areas of exposure. Consider using the following sample contract language:
A wide range of services and consultants can assist in the coordination of supplier/enterprise exercises. Any provider you choose should offer a discussion-based incident scenario tailored to your unique environment and operational needs. When selecting a provider, consider:
It is critical to ensure the scenarios provided are relevant to your internal business processes and to the supplier's services. Moreover, the contract language should state an agreed-on cadence of exercises and require that material findings be addressed.
Organizations cannot properly manage supplier risk unless they understand, measure and proactively manage their level of risk exposure from a resiliency and continuity perspective. To be successful with supplier BC exercises:
May 19, 2022
By IANS Faculty