NIST SP 800-161-Based - Supply Chain Risk Management (SCRM) Program
Using vendors or service providers is a common practice - this may range from bookkeeping, to IT support, to janitorial services, to website hosting and even temporary staffing. What all of these outsourced services have in common is that they expose your company to certain levels of risk that could therefore affect your customers' sensitive data. This "soft underbelly" for companies is well known to hackers and identity thieves as a way to get into companies and steal valuable data.
It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft. It is well known that vendors and service providers are weak spots when it comes to network security. Managing risk associated with vendors and service providers is simply due care and due diligence. Our comprehensive Supply Chain Risk Management (SCRM) removes the time constraints and errors associated with trying to generate the documentation by yourself, and our product is a fraction of the cost associated with hiring a consultant to write similar documentation for you.
Use cases for the SCRM include managing Third-Party Service Providers (TSP) to align with:
- ISO/IEC 27001 & 27002
- NIST Cybersecurity Framework
- NIST SP 800-53 R5
- NIST SP 800-171 / CMMC / DFARS
- EU GDPR / CCPA
Product Example - Supply Chain Risk Management (SCRM)
Our customers choose the Supply Chain Risk Management (SCRM) because they:
Don't take our word for it - take a look at the example below to see for yourself the level of professionalism and detail that went into it.
Cost Savings Estimate - Supply Chain Risk Management (SCRM)
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SCRM from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
- For your internal staff to generate comparable documentation, it would take them an estimated 80 internal staff work hours, which equates to a cost of approximately $6,000 in staff-related expenses. This is about 1-2 months of development time where your staff would be diverted from other work.
- If you hire a consultant to generate this documentation, it would take them an estimated 60 consultant work hours, which equates to a cost of approximately $18,000. This is about 2-4 weeks of development time for a contractor to provide you with the deliverable.
- The SCRM is approximately 6% of the cost for a consultant or 18% of the cost of your internal staff to generate equivalent documentation.
- We process most orders the same business day so you can potentially start working with the SCRM the same day you place your order.
The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
Vendor Cybersecurity Compliance Program
The first step to address that risk is to let your vendors know what is required from them - this addresses due care. The next step is to hold your vendors accountable to meet your requirements - that is due diligence. You owe it to your clients to ensure your risks are addressed across your organization and that is where our Supply Chain Risk Management (SCRM) helps.
With requirements like the Payment Card Industry Data Security Standard (PCI DSS) requiring all companies that accept debit or credit cards to manage the information security risks associated with their own vendors, there is a need for a simple way for a company to inform its service providers of its expectations when it comes to managing information security risks. It is a common-sense requirement that businesses should have in place, which is why there is a push to reduce risk with service providers.
In light of the recent breaches at major corporations, it is likely that a crackdown will follow, requiring businesses to practice better cybersecurity. One of the most important points to remember when it comes to compliance is that if you cannot prove you are compliant (e.g., documented policies & standards), then your business is unlikely to be able to count on business insurance to cover the expense of a breach.
The SCRM can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.
What Is The Supply Chain Risk Management (SCRM)?
The SCRM is an editable Microsoft Word document that is intended to be shared with third parties (e.g., service providers, vendors, contractors, etc.). It is essentially a concise version of your policies, tailored to dictate your requirements to third parties.
- The SCRM offers coverage for NIST 800-53, ISO 27001/27002, NIST Cybersecurity Framework, CMMC and other "flow down" requirements, since these are the most common cybersecurity frameworks that companies use.
- The text for specific flow-down requirements identified in the SCRM can be used in a contract addendum.
- This product addresses the “how?” questions for how your company manages risk with third parties.
- Managing third-party risk is now a common requirement in statutory, regulatory and contractual obligations.
- The SCRM helps provide evidence of due care in how your company informs third parties about their cybersecurity obligations.
What Problems Does The SCRM Solve?
- Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The NIST-based WISP is an efficient method to obtain comprehensive NIST 800-53 based security policies and standards for your organization!
- Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. It is a reasonable expectation for companies to manage the security aspects of their 3rd party relationships.
- Audit Failures - Many organizations run into trouble in audits when asked HOW third-party or supply chain risk is managed, since they cannot provide documentation beyond policies and standards. The SCRM addresses the HOW for you!
- Vendor Requirements - It is very common for clients and partners to request evidence of third-party cybersecurity governance. The SCRM provides this evidence!
How Does The SCRM Solve It?
- Clear Documentation - The SCRM provides the documentation to prove that your vendor compliance program exists.
- Time Savings - The SCRM can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - The SCRM comes in two versions, ISO 27002 or NIST 800-53, so it is written to support the most common security frameworks!
Reducing Risk Is Central To The Supply Chain Risk Management
Having a Supply Chain Risk Management (SCRM) program is focused on minimizing risk to your company, your partners and your customers. There is traditionally low-level risk (tactical) that is focused on weaknesses pertaining to routine systems and data. There is mid-level risk (operational) that is focused on weaknesses pertaining to business processes. There is also high-level risk (strategic) that has impact at an organizational level. Having a secure vendor relationship can address risk at all three of these levels.
How do you manage requirements with your vendors to ensure that you stay compliant?
We listened to our customers and created the Supply Chain Risk Management (SCRM), which addresses cybersecurity requirements for vendors and service providers. This is a Microsoft Word document that allows you to make whatever edits you need to suit your specific requirements - we built it around best practices, and you just make the finishing edits to complete it. Once it is done, you can publish these requirements to your vendors to let them know what is expected of them and how you may ask for evidence of their compliance with your requirements.
Our Supply Chain Risk Management (SCRM) includes due care and due diligence requirements that vendors need to ensure they follow, based on ISO 27002, NIST CSF, NIST 800-53, DFARS, FAR and other compliance obligations.