Third-Party Vendor Risks Flashcards
■ Products like routers and switches are composed of many components from various suppliers
■ Component tampering or untrustworthy vendors can introduce vulnerabilities
■ Rigorous supply chain assessments needed to trace origins and component integrity
■ Trusted foundry programs ensure secure manufacturing
Hardware Manufacturers
■ An attack that targets a weaker link in the supply chain to gain access to a primary target
■ Exploit vulnerabilities in suppliers or service providers to access more secure systems
Supply Chain Attacks
■ U.S. federal statute providing funding to boost semiconductor research and manufacturing in the U.S.
■ Aims to reduce reliance on foreign-made semiconductors, strengthen the domestic supply chain, and enhance security
CHIPS Act of 2022
● Essential components in a wide range of products, from smartphones and cars to medical devices and defense systems
Semiconductors
■ Process to evaluate the security, reliability, and performance of external entities
■ Crucial due to interconnectivity and potential impact on multiple businesses
Vendor Assessments
■ Vendors: provide goods or services
■ Suppliers: involved in the production and delivery of products or parts
■ Managed Service Providers (MSPs): manage IT services on behalf of organizations
Entities in Vendor Assessment
● Simulated cyberattacks to identify vulnerabilities in supplier systems
■ Validates supplier’s cybersecurity practices and potential risks to your organization
Penetration Testing
■ Contract provision allowing organizations to evaluate vendor’s internal processes for compliance
■ Ensures transparency and adherence to standards
Right-to-Audit Clause
■ Vendor’s self-assessment of practices against industry or organizational requirements
■ Demonstrates commitment to security and quality
Internal Audits
■ Evaluations conducted by third-party entities without a stake in the organization or vendor
■ Provides a neutral perspective on adherence to security or performance standards
Independent Assessments
■ Assessment of an entire vendor supply chain for security and reliability
■ Ensures integrity of the vendor’s entire supply chain, including sources of parts or products
Supply Chain Analysis
■ Guidelines for interaction between organization and vendors
■ Cover communication protocols, data sharing, and negotiation boundaries
■ Ensure productive and compliant interactions
Rules of Engagement
■ Comprehensive documents filled out by potential vendors
■ Vendor questionnaires provide insights into operations, capabilities, and compliance
■ Standardized criteria for fair and informed decision-making
Vendor Questionnaires
■ Mechanism used to ensure that the chosen vendor still aligns with organizational needs and standards
■ Performance reviews assess deliverables against agreed-upon standards and objectives
■ Feedback loops between the organization and the vendor
Vendor Monitoring
● Versatile tool that formally establishes a relationship between two parties
● Defines roles, responsibilities, and consequences for non-compliance
● Specifies terms like payment structure, delivery timelines, and product specifications
Basic Contract