IT Supplier Risk Management

General Objective: To effectively manage IT Supplier Risks through the end-to-end lifecycle of a supplier’s delivery of a product or service.


  • CO – Client Organisation – the organization CASKIA Consulting Ltd will work with to achieve the agreed objective.
  • Supplier – Outsourced Company that will provide an IT product or service to the CO
  • DR/BCP – Disaster Recovery/Business Continuity Plans
  • SLA – Service Level Agreement or Schedules
  • RTL – Risk Tolerance Level – the value established by the CO within which the Supplier must deliver their product or service.

Scope: Client-dependent, but typically covers one or more of the following key areas:

  1. Supplier criticality or material value – Typically suppliers are ranked in order of their criticality or material value to an organization. This could be based on the corporate value or classification of the information, DR/BCP requirements and/or the legal/regulatory requirements that the CO must comply with.
  2. Supplier selection – Typically the steps where the CO evaluates whether or not a Supplier has the technical, operational and management capability to process the CO’s data securely.
  3. Contract and SLA/Schedules – After choosing a Supplier, the stage where the CO draws up a contract with the terms and conditions and outlines a schedule of activities for the duration of the outsourced contract.
  4. Transition – Typically where the CO transfers data and/or IT components to the Supplier and the contract begins.
  5. Contract lifecycle – Typically where the Supplier delivers the agreed product or service in accordance with the contract and SLA or schedule(s).
  6. Termination of Contract – Typically where the contract ends, either on a predetermined and agreed date or because of performance issues with the Supplier.
  7. Existing contracts and schedules – Client Organisations may have long-term contracts that do not include key elements of security and controls.


CASKIA Consulting Ltd will work with clients through each of the scoping areas as follows:

  1. Identify the Client Organisation RTL: It is important that CASKIA Consulting Ltd understands the organization’s Risk Management process and the tolerance level afforded to Suppliers. Where none exists, CASKIA Consulting Ltd will work with the Client Organisation to establish an RTL for each criticality level of Supplier.
  2. Supplier criticality: If not already established, work with the CO to determine the criticality or material value of each Supplier. This is based on the value of the information the Supplier will be processing, in terms of the CO’s Disaster Recovery/Business Continuity requirements, the corporate value of the information, legal/regulatory requirements and/or anticipated spend.
  3. Supplier Selection: Develop and distribute a questionnaire for the Supplier to complete, or conduct an on-site risk and controls assessment of the Supplier’s IT environment. Both approaches typically cover the following key areas: DR/BCP, Data Protection, Information Security and Physical Security.
  4. Contract and Schedules: Work with the CO’s legal team to include the right to audit, criteria for DR/BCP, Data Protection, Information Security and Physical Security, and the controls associated with contract termination. Other criteria can be established based on the CO’s needs, policies and standards.
  5. Transition: Where applicable, work with the CO to confirm that appropriate security and operational controls are in place and effective for the transition of information and/or systems to the Supplier at the commencement of the contract.
  6. Contract Lifecycle: Conduct on-site compliance, risk and/or security assessments at predefined and agreed intervals, including follow-ups on any issues found.
  7. Contract Termination: Work with the CO to ensure controls are in place for the transition back to CO operations or to another Supplier.
  8. Contract reviews: Work with the CO’s legal group to review existing contracts, identify gaps in DR/BCP, security and Data Protection, and make recommendations relative to the criticality of the Supplier and the data.

Outcomes – These will be specific to the CO’s requirements and the agreed scope of activities, but typically include the following:

  1. End-to-end Supplier Risk and Assessment framework, including policies, standards, questionnaires and assessment programs. CASKIA Consulting will look to embed the Supplier Risk and Assessment framework into the existing procurement methodology.
  2. Risk profile for each Supplier.
  3. An agreed criticality rating for each Supplier.
  4. “Standard” Security schedules/SLAs relative to the delivery of the service and the material value of the information or product.
  5. On-site assessment programs, including training of existing CO staff where applicable.
  6. Assessment reports on each Supplier, with follow-ups to confirm that issues are adequately resolved and the remediation is effective.
  7. MIS reports on Suppliers (where there are several), grouped by criticality and showing their risk level relative to the CO’s acceptable RTL.

CASKIA Consulting Ltd also assesses and manages Suppliers that hold ISO 27001 certification, PCI DSS certification, and ISAE 3402 Type 2 or SSAE 16 Type II reports, checking in each case that the certificate scope or the report’s period and control coverage actually include the systems and services delivered to the CO.