From SolarWinds to Accellion and most recently Microsoft Exchange, supply chain cyberattacks are continuing to make headlines, putting the pressure on all businesses – including channel partners – to fortify their supply chain security defenses.

With so many links in the chain, supply chain security can quickly become a very complex problem to tackle. To make it simpler, channel partners can start with two primary approaches: assessing the security of their own suppliers and business partners, and implementing controls around high-risk interactions.

Let’s take a closer look at what each of these approaches entails.
Guest blog courtesy of Sophos. Read more guest blogs from Sophos here.
Assessing your suppliers’ security posture
The first step in assessing a supplier’s security posture is to determine the level of risk they present. If a supplier has no remote access to your network and does not process sensitive data, you might determine that they present minimal risk. On the other hand, if a supplier is entrusted with access, or manages or processes data on your behalf, they likely present a larger risk, and therefore may require a higher degree of scrutiny.

Channel partners can also assess their suppliers’ security by examining the certifications and audits they are subject to – particularly for cloud providers and payment processors.

For example, any payment processor will be subject to compliance with PCI DSS. If they are subject to PCI DSS level 1 or 2, it is best practice to request the RoCs (Reports on Compliance) issued by their Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). These RoCs should be reviewed regularly, at least on a quarterly basis, to ensure they are meeting your expectations.

Cloud providers, on the other hand, are subject to SOC 2 and SOC 3 audits that assess security controls and mitigations covering five Trust Service Principles: privacy, security, availability, processing integrity and confidentiality.

While audits and certifications don’t guarantee security, they can be a good indicator of which suppliers are following security best practices. Other assessments to consider include penetration test reports, GDPR compliance, or the supplier’s history of previous flaws or data breaches. At the same time, channel partners should not lose sight of any external human resources, legal, accounting or tax preparation functions. Many of these organizations themselves outsource during peak seasons and could introduce additional supply chain risks.