What do air conditioners and credit card information have in common? They were both involved in third-party hacks. Target stores, unfortunately, suffered a point-of-sale attack in early 2014 that resulted from a third-party supplier vulnerability, specifically a vulnerability involving the building’s air conditioning units. Even more unfortunately, the NIST third-party risk management framework was not yet known.
In recent years the cybersecurity community has been cautiously observing the cybersecurity implications of ever-growing third-party supplier networks. As part of the National Institute of Standards and Technology (NIST) Special Publication 800 series, the organization has developed the NIST third-party risk management framework to mitigate the risks associated with vendor or supplier networks.
What is the NIST Third-Party Risk Management Framework?
In the business context, a third party is an entity or individual with some involvement in a transaction that is not one of the principals (and not the last day of a long weekend). In the Target example given above, the air-conditioning supplier was a third party involved with Target stores but not directly with Target’s customers. Yet a vulnerability within the supplier’s information systems gave access to Target’s customers’ personal information.
Third-party risk management is a risk management framework that strategizes methods to mitigate the risk associated with engaging suppliers or vendors. It is sometimes referred to as vendor or supplier risk management.
NIST 800-161, NIST Third-Party Risk Management
NIST 800-161 is a special publication that lays out the industry-standard best-practice model for third-party risk management. It is a series of guidelines and controls that organizations should implement as part of their broader risk-management strategy. In the coming sections, this article will outline some key steps to implementing NIST third-party risk management.
Implementing and Assessing Security Controls Within The Organization
The first step, other than possibly reading the NIST publication, is to implement the framework’s security controls. You might be wondering what this has to do with third parties; well, if your organization has no cybersecurity resilience of its own, it can’t possibly know what to look for in a supplier’s information systems or cybersecurity architecture.
The security controls are a way of covering the technical vulnerabilities associated with cyberattacks, with a bit of staff awareness training for good measure. Without going into great detail listing every control, the framework’s security controls cover:
- Malware mitigation
- Access controls (like admin privileges)
- Inventories of software and hardware assets
- Configuration policy
- And many more (about 21).
For a deeper insight into the NIST third-party risk management framework and the following security controls, check out this article on our blog!
We always recommend enlisting the aid of an expert when dealing with the technical side of security. Background and experience can significantly reduce the costs and time of implementing it on your own back; consider employing our skills today, and assess your organization’s cyber health.
Once the organization has a better understanding of the controls and their implementation, future acquisitions should be based on security control implementation. For example, when acquiring new software, ensure that appropriate security controls have been implemented before purchase, installation, and execution.
This goes for any acquisition, whether it be a whole department, hardware, etc.
Although not strictly a function of the security controls, there are still some foundational principles that the organization must review, assess, and implement before the next steps. Below you will find a brief description of those outlined in the NIST third-party risk management framework.
- Governance: ensure there is a governance structure in place that integrates the ICT supply chain risk strategy.
- Quality Assurance: utilize a quality and reliability program when acquiring new products or services.
- Roles and Responsibilities: within the governance structure, ensure that correct roles and responsibilities are assigned so that decisions can be made quickly and effectively in the case of a security event.
- Incident Response Plan (IRP): implement an IRP that ensures the identification, mitigation, and response to a security event and that also integrates the ICT supply chain risk strategy.
- Documentation and Practices: implement well-documented engineering and coding practices so that acquisitions (of hardware and software) can undergo practical assessment and revision based on the organization’s best practice models.
- Supplier Management Program: establish a management system for the acquisition of new products.
Rules of Engagement
The next step for the organization is to draft contracts requiring suppliers to implement cybersecurity controls. These contracts create an ecosystem of cybersecurity along the Information and Communication Technology (ICT) supply chain, contractually obliging all vendors and suppliers to implement some form of cybersecurity best practice.
The controls do not necessarily have to be taken from the NIST 800-161 framework, but it makes life easier for all parties involved if one framework is selected as the assessment criteria. As stated in the previous step, it is of paramount importance that your organization first gains full control over its own cybersecurity environment.
Implementation within the organization also gives more bargaining power over contract obligations, as you can leverage best-practice methods in negotiations. This bargaining power is especially effective if the foundational principles are in place.
Finally, this step brings new and existing third parties under one risk management strategy.
Assessments and Audits
When controls have been implemented across the board and business engagement contracts are in order, the next step is to assess the risk ecosystem. Assessments can be conducted in a number of ways; the two primary ones are dynamic continuous assessments and static (traditional) questionnaires.
In both cases, the assessment evaluates the effectiveness of the security control implementation and whether the proper controls are in place.
For example, an office supplies vendor might not need to implement the full list of controls, as it might not handle business-sensitive or personal information. By contrast, an HR outsourcing company that handles massive amounts of personal data would require a full security control implementation with continuous assessment of the risk environment.
Audits work in the same way but are only required before any contract signing, ensuring all parties have implemented the appropriate security controls.
The traditional method takes the form of questionnaires: suppliers answer a series of questions, and the organization assesses the potential risk in each area, then builds a third-party risk management strategy based on the results.
Although still in use, the questionnaire method may fall short in an ever-evolving threat landscape. This is where dynamic continuous assessment methods come in. For this assessment method, it is best to employ the skills of a specialist. The third-party specialist will use data-driven techniques and technology to continuously assess the risk and threat environment in as close to real time as possible.
Consider employing the skills at RSI Security for all your third-party risk management needs.
Silence Isn’t Golden, It’s Deadly
Communication is the key to a project’s failure or success. Third-party risk management frameworks are built on communication, and the organization must ensure that needs are communicated frequently and effectively.
Attackers will give no quarter if any vulnerabilities are found. The onus is on both the supplier and the organization to be equally relentless. It is essential that any change in the threat landscape is communicated immediately to the supplier, and suppliers, for their part, should not keep such factors secret. It is far more damaging to an organization’s reputation when vulnerabilities are found and exploited by attackers because of negligent communication than when the organizations work together to fix the problem.
It is vital that changes are also communicated to the entire third-party population (or at least to the affected parties). These changes could include software updates, changes in data management policies, etc.
Essentially, the more that is communicated, the fewer problems the organization will face down the line.
Draft the Strategy
The final step is to draft the strategy. With all the information from the previous steps, finalizing the implementation means having a tangible strategy that all parties involved have access to. Keep in mind that the strategy at this stage is a living document and should be open to changes.
The strategy should include all the foundational principles and a means to continuously assess the effectiveness of the security controls within your organization and that of suppliers and vendors.
The third-party risk strategy should form part of the organization’s overall risk management framework. It may be necessary to divide the risk responsibilities among separate departments as part of the organization’s governance structure.
Third-party risk management has become an area of concern for many industries. It is very likely that future regulations in cybersecurity will revolve around third-party networks. Now is the time to reassess and evaluate the cyber resilience of your organization’s suppliers and vendors.
Among the various cybersecurity frameworks, the NIST special publication series 800-161 suggests a best-practice method for implementing a supply chain cyber risk strategy. The implementation requires the integration of third-party risk management into the organization’s broader risk management framework.
This article discussed some key steps to implementing and evaluating an effective third-party risk management strategy. These steps included:
- Implementing security controls – given the security controls outlined by NIST 800-161, the organization must ensure that appropriate cyber maturity levels are reached by implementing those controls.
- Foundational principles – ensure that the risk management groundwork is laid beforehand. These principles include governance, with the responsibilities of the different departments known; internal policies in place regarding the IRP; well-documented coding and engineering best practice; etc.
- Contractual Obligations – ensure that engaging in business with the organization means all suppliers and vendors adhere to security control requirements laid out by the NIST 800-161 framework.
- Assessing effectiveness – using vendor and supplier audits, the organization can ensure not only that security controls are in place (dependent on the cyber maturity level of the supplier), but also that the effectiveness of the supplier’s cyber capabilities is continuously assessed.
- Communication – ensure that the entire third-party network is in constant contact in case there is a change in the threat landscape, limiting the possibility for vulnerabilities to be exploited.
With all the above steps it is then possible to implement the NIST third-party risk management framework.
Closing Remarks and How RSI Security Can Help
It used to be unthinkable that your business reputation could be put in jeopardy by some air conditioning units, but this is the reality that many organizations must face today. Third-party networks are reaching levels of complexity that are easily exploitable by bad actors.
It is clear that the new trends in cyber regulations will heavily involve securing third-party networks. We say be ahead of the curve and get your network in order today. NIST third-party risk management is essential.
RSI Security has the experience that your organization is looking for, whether it be third-party risk management, compliance services, full cybersecurity architecture implementation, etc.
We have the skill and experience to make it happen so that you are left to do what you do best.
Leave the security to us and book a free consultation today!