Central to a supplier risk management program is understanding, measuring and managing the level of risk exposure in the relationship between the supplier and the enterprise from a resiliency and continuity perspective. To achieve this, enterprises should identify their most critical suppliers and then verify their continuity capabilities. This piece explains how this verification process must go beyond supplier security reviews to include an independent validation of the supplier's continuity plans, combined with ongoing exercises to ensure the enterprise and supplier resilience efforts are coordinated effectively.
Many organizations identify their key high-risk suppliers and conduct periodic exercises with them to test their business continuity (BC) plans against best practice (a commitment that must be agreed on by contract). Figure 1 below provides a framework that can help support the execution of supplier continuity exercises.
It is organized by plan objective, purpose and scope, and the components of the plan cover BC, cybersecurity implications and communications.
Organizations should consider developing and deploying detailed procedures across the enterprise in support of each of these plans.
Once procedures are defined and documented, enterprises should conduct exercises with suppliers according to their criticality to the enterprise and its core business operations.
Factors to be considered include:
Successful supplier tabletops require strong processes and upfront planning. Key preliminary steps to take include:
Running supplier tabletops is a lot like running internal tabletops. The main differences are the external coordination with the supplier and touchpoints with internal resources. Consider these key steps:
The contract should embed language that articulates the supplier’s participation in the ongoing exercises and addresses material areas of exposure. Consider using the following sample contract language:
A wide range of services and consultants can assist in the coordination of supplier/enterprise exercises. Any provider you choose should offer a discussion-based incident scenario tailored to your unique environment and operational needs. When selecting a provider, consider:
It is critical to ensure the scenarios provided are relevant to your internal business processes and the supplier’s services. Moreover, contract language should state an agreed-on cadence of exercises and the necessity of addressing material findings.
Organizations can’t properly manage supplier risk unless they understand, measure and proactively manage the level of risk exposure from a resiliency and continuity perspective. To be successful with supplier BC exercises:
September 21, 2023
By IANS Faculty