Understand the Risks
Identify what needs protection and why.
You should be aware of:
- How sensitive each contract you let is.
- The value of the information or assets your suppliers hold, access or manage as part of their contracts with you.
- The consequences for your organisation if information or assets that suppliers hold, access or manage are lost or damaged.
Consider the level of protection your suppliers must provide for your assets and information as part of the contract, in addition to the products or services they will deliver.
Keep in mind that your organisation remains responsible for managing and protecting its official records regardless of where they are stored or who holds them.
Know who your suppliers are and understand their security measures
You should know who your suppliers are, and who supports them in turn. Consider how far down your supply chain you need to look in order to know who is involved and to have confidence in them. You may have to rely on your direct suppliers for information about their subcontractors, so establishing the full extent of your supply chain can take time.
Answer the following questions to build a clearer picture:
- How effective are the security arrangements your suppliers currently have in place, and how mature are they?
- What security measures have you requested from your direct suppliers, and what measures have they asked subcontractors to provide?
- Have your suppliers and subcontractors met the security requirements you requested?
- What access (physical and digital) do your suppliers have to your systems, premises, and information? How will you regulate access?
- When suppliers are on your premises, what other information (aside from what you have explicitly granted them access to) may they view or access?
- How will your direct suppliers control the access and usage of your information and assets (including your systems and premises) by their subcontractors?
Focus on the parts of your suppliers’ business or systems that handle your contractual information or provide the contracted product or service.
Recognise the risks posed by your supply chain
Evaluate the risks associated with your contracts, such as the potential loss of information or assets, the quality of the products or services to be provided, and the implications for the wider supply chain.
Supply chain risks take many forms. For instance, a supplier may:
- Fail to provide adequate security for your information or assets
- Employ a person with malicious intent
- Outsource work to a third party that mishandles your data
- Act maliciously themselves (where national security is involved, this could be with the backing of a hostile state)
- Misunderstand your security requirements because they were poorly communicated, and act incorrectly as a result.
Use the best information available to you to understand the security risks you face.