Managing the cybersecurity and privacy risk associated with third-party service providers is the "new normal" and is found in most modern statutory and regulatory requirements, as well as in private-party contracts. The news is littered with stories of incidents and data breaches associated with third-party providers, and that always reflects badly on the company that hired the vendor. People remember the name of the company they entrusted their data to, not the name of the outsourced service provider that actually made the mistakes that led to the incident.
Can You Honestly Answer How Vendor Cybersecurity Requirements Are Managed At Your Organization?
When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as vendor management. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation that addresses HOW the policies and standards are actually implemented. We did the heavy lifting and created several program-level documents to address this need, and the Supply Chain Risk Management (SCRM) program document is one of those products.
The Supply Chain Risk Management (SCRM) program document is focused on Third-Party Service Providers (TSP) and suppliers. Using vendors or service providers is a common practice - this may range from bookkeeping, to IT support, to janitorial services, to website hosting and even temporary staffing. What all of these outsourced services have in common is that they expose your company to certain levels of risk that could, in turn, affect your customers' sensitive data. This "soft underbelly" of companies is well known to hackers and identity thieves as a way to get into companies and steal valuable data.
NIST SP 800-161 Rev 1 - Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP)
ComplianceForge developed an editable template for a C-SCRM strategy and implementation plan. This is fully-editable...