Supplier Information Security Risk Assessment

February 14, 2020

* Marcos Paulo Freitas

Supplier risk assessment is a process by which companies identify and manage the risks present in the services their suppliers provide, risks that can directly affect their operations, productivity and even customer satisfaction. It involves several areas, such as finance, legal, controllership, purchasing and information technology / information security.

Data is considered one of a company's main assets and is kept under constant surveillance and control. Companies must therefore monitor their suppliers rigorously to ensure that they have a good level of maturity in their Information Security processes, so as to mitigate risks and avoid data leakage incidents that could negatively affect the company's operations and reputation.

Supplier Homologation Process

Before establishing a commercial relationship with any supplier, companies check a series of information in order to verify the supplier's assets, liabilities and ability to provide quality services. In this way they seek to mitigate the risk of dealing with suppliers that have a negative history and could compromise the company's reputation.

During this phase, it is worthwhile for the company to assess whether the supplier has mechanisms and processes in place for Information Security. It is also important to be aware of relevant incidents the supplier has suffered, such as information leakage or unavailability of systems and services.

When making this choice, the company should prefer suppliers with sound Information Security mechanisms and processes, in order to obtain assurance of the confidentiality, integrity and availability of its information and operations.

Supplier Evaluation Process (Legacy)

If the company already has active suppliers, the first step in starting an information security risk assessment process is to determine which suppliers are most critical to the business, and which of them will be evaluated, based on the services they provide.

The next step is to draw on good market practices and standards such as ISO / IEC 27001, NIST and COBIT to build a risk matrix listing the controls the company expects suppliers to have in place to mitigate these risks. It is also necessary to define the evaluation criteria and the evaluation method (questionnaires, on-site visits, or the support of specialized consultants). When establishing the criteria, the company should indicate which ones are most critical and must be met by suppliers. The suppliers, in turn, must be kept informed throughout the evaluation process, must have access to the results, and must have the opportunity to develop action plans aimed at raising their maturity level and ensuring continuity of the services they provide.

The assessment must be carried out periodically, so that new risks are always identified and the maturity level of each supplier stays under control. Beyond the assessment itself, it is necessary to monitor the status of the action plans prepared by the suppliers and to define feasible deadlines, consistent with each supplier's reality and its ability to meet them. Only then will everyone benefit from executing this process.

Final considerations

Assessing the Information Security of its suppliers is a fundamental activity for any company that wants to provide quality services and to ensure the security of its own information and that of its customers. A periodic evaluation process makes it possible to determine whether suppliers are engaged and careful enough to continue providing services. Both parties benefit: the company reduces risks such as service unavailability or leakage of its information, while the supplier has the opportunity to improve its maturity level, stand out in the market and even gain a competitive advantage in winning new customers.

* Marcos Paulo Freitas is GRC and Information Security Manager at [SAFEWAY]

SAFEWAY is an information security consulting company, recognized by its customers for offering high value-added solutions through projects that fully meet the needs of the business. We can support the supplier information security assessment process by defining the assessment criteria and methodology, by carrying out the assessment itself (remotely or in person), and by preparing recommendations so that suppliers can improve their maturity and their care for the company's information, minimizing the associated risks.