Information Security in Supplier Relationships

Suhail Hammad
5 min read · Oct 27, 2021


5 Methods to protect your IT environment from your suppliers


Developing a long-term relationship with suppliers was addressed by Dr. Deming in his 14 Points for Management (1982), specifically in the fourth point. While today's business norms confirm Deming's findings, from a security perspective suppliers can also be a source of threats to an organization, and organizations have to implement specific security measures to protect their assets, especially those that are directly exposed to, and accessible by, suppliers or suppliers' systems and services.

To decide between outsourcing and in-house development, see this article: Outsourcing vs. Inhouse Development | by Suhail Hammad | Nov, 2021 | Medium

In this article, I will discuss 5 methods that help organizations protect their assets when dealing with suppliers and external systems:

  • Have a policy that organizes your relationship with your suppliers
  • Prepare a test environment for IT systems
  • Arrange an open periodic review of systems and contracts
  • Develop your own supplier rating system
  • Mitigate weaknesses that you can't change

There are three types of sourcing: sole, multiple, and single. For additional information, check this article: https://suhail-hammad.medium.com/sourcing-2b96c6bab8ab

1. Have a Policy

Your organization should have a clear IT policy that organizes its relationship with suppliers; I am not talking here about the organization's general procurement documentation. This IT policy must include specific guidelines for the procurement process when it comes to deploying external systems or services. It should cover:
I. Relationship between IT and procurement teams:
Usually IT staff write the specifications of the items to be procured, evaluate the bids, and accept or reject the delivered items. The policy should include paragraphs that define the boundaries between the IT technical work and the procurement process. The policy is also expected to cover post-delivery feedback on the supplier's service, which I will discuss later in this article.
II. Connectivity limitations:
How are your suppliers expected to deliver their service? When and where?
Do you allow remote access at all, which means of connectivity are acceptable to your organization (for example a VPN), do you limit remote access to specific hours of the day (for example working hours), and do you allow remote access on weekends?
Can suppliers connect directly to live systems and make changes on them? Whatever you decide, every supplier session should be logged and attributable to a named person at the supplier rather than to a shared vendor account.
All these questions must be answered and clearly communicated to suppliers.
III. Physical security:
Supplier badges at the reception desk, and a phone call before technical support is sent. Do you allow suppliers to enter your premises outside working hours or on holidays? Is your supplier allowed to enter your data center, and if so, must a member of your staff escort them?

2. Staging Environment

Prepare a staging environment, also called a test environment or sandbox, that mirrors your live system. Suppliers deploy their changes to this staging environment first, where your own staff test and approve them before they are applied to the live environment.

Developing new requirements directly on the working system threatens the stability of the running systems, and it also gives the supplier standing access to production data.

3. Periodic Review

Be open and share suppliers' agreements with your staff. A staff member working on the organization's website, for example, must know the contract details, what the obligations of the implementing company are, what the official way to contact the service provider is, and so on.

An annual or otherwise periodic review of agreements must be conducted. Staff participation is essential to raise current problems and to suggest edits to new contracts, or to include new demands in a contract renewal, such as adding new reports, fixing current bugs, or even a few improvements.

4. Maintain a Supplier Rating System

The relationship with procurement officers does not end after one of the potential vendors wins the tender and delivers the items. The IT staff must keep providing the procurement unit with feedback on the supplier's performance.

Procurement officers should record those notes for upcoming tenders; consequently, there must be a dedicated rating system for suppliers.

To build the rating system, assign a specific weight to each of the supplier's service attributes, such as on-time delivery, work quality, after-sale service, experience, technical support, staffing, responsiveness, technical capability, commitment, company evaluation, and so on. Then record the marks for all attributes for each supplier.

Example of supplier rating system:

Or, more simply, you can use a similar method that embeds the weight of each attribute as the maximum points for that attribute:

If maintaining a rating system is too complicated for your firm, a simple classification scheme can help:
Classification sample 1: blacklisted, whitelisted, or not classified.
Classification sample 2: a discrete scale such as "A", "B", and "C", where "A" is the best and "C" the worst.

Just use the rating or classification system that serves your needs, and keep improving it to keep up with your growing demands.
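The weighted scheme and the max-points variant described above, worked through as an added Python example (this is not the article's own table or code). The attribute weights, the 80/60 class boundaries, and the vendor feedback records are constructed for illustration; the only rule taken from the text is that each attribute gets a weight, marks are recorded per supplier, and the result maps to "A", "B", or "C".

```python
"""Supplier rating: weighted attribute marks mapped to a letter class.

Added example; weights, thresholds and vendor records are hypothetical.
"""
from statistics import mean

# Hypothetical attribute weights: the share of the total score each
# attribute contributes. They sum to 1.0 here, but weighted_score()
# normalises them, so any positive numbers work.
WEIGHTS = {
    "on_time_delivery": 0.20,
    "work_quality": 0.25,
    "after_sale_service": 0.15,
    "technical_support": 0.15,
    "responsiveness": 0.10,
    "technical_capability": 0.15,
}

# Hypothetical class boundaries on the 0..100 score, checked in order.
CLASS_THRESHOLDS = ((80, "A"), (60, "B"))


def _check_attributes(marks, reference):
    """Reject feedback that skips an attribute or uses an unknown one,
    so an incomplete form cannot silently inflate or deflate a score."""
    missing = set(reference) - set(marks)
    extra = set(marks) - set(reference)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(extra)}")


def weighted_score(marks, weights=WEIGHTS, scale=10):
    """Method 1: every attribute is marked on the same 0..scale range and
    the marks are combined with the normalised weights. Returns 0..100."""
    _check_attributes(marks, weights)
    total_weight = sum(weights.values())
    score = 0.0
    for attr, weight in weights.items():
        mark = marks[attr]
        if not 0 <= mark <= scale:
            raise ValueError(f"{attr}: mark {mark} outside 0..{scale}")
        score += (mark / scale) * (weight / total_weight)
    return round(score * 100, 2)


def max_points(weights=WEIGHTS, total=100):
    """Method 2: embed each weight as the maximum points for that attribute,
    so the procurement officer simply awards 0..max points per attribute."""
    total_weight = sum(weights.values())
    return {attr: round(weight / total_weight * total)
            for attr, weight in weights.items()}


def points_score(points, caps):
    """Sum the awarded points after checking none exceeds its cap."""
    _check_attributes(points, caps)
    for attr, cap in caps.items():
        if not 0 <= points[attr] <= cap:
            raise ValueError(f"{attr}: {points[attr]} points outside 0..{cap}")
    return round(sum(points.values()), 2)


def classify(score, thresholds=CLASS_THRESHOLDS):
    """Map a 0..100 score to 'A' (best), 'B' or 'C' (worst)."""
    for limit, label in thresholds:
        if score >= limit:
            return label
    return "C"


def supplier_rating(deliveries, weights=WEIGHTS):
    """Average the per-delivery scores the IT staff fed back over time, so
    one unusually good or bad job does not decide the class on its own."""
    if not deliveries:
        raise ValueError("no feedback recorded for this supplier")
    score = round(mean(weighted_score(m, weights) for m in deliveries), 2)
    return score, classify(score)


# Constructed feedback records: one dict per delivery, marks on 0..10.
FEEDBACK = {
    "Vendor A": [
        {"on_time_delivery": 9, "work_quality": 9, "after_sale_service": 8,
         "technical_support": 8, "responsiveness": 9, "technical_capability": 9},
    ],
    "Vendor B": [
        {"on_time_delivery": 6, "work_quality": 7, "after_sale_service": 5,
         "technical_support": 6, "responsiveness": 5, "technical_capability": 7},
        {"on_time_delivery": 8, "work_quality": 8, "after_sale_service": 7,
         "technical_support": 8, "responsiveness": 8, "technical_capability": 8},
    ],
    "Vendor C": [
        {"on_time_delivery": 3, "work_quality": 4, "after_sale_service": 2,
         "technical_support": 3, "responsiveness": 4, "technical_capability": 5},
    ],
}

if __name__ == "__main__":
    print("max points per attribute:", max_points())
    for name, deliveries in FEEDBACK.items():
        score, label = supplier_rating(deliveries)
        print(f"{name}: {score} -> class {label}")
```

Both methods give the same result for the same judgement (a mark of 9/10 on an attribute worth 20 points is 18 points), so the choice is only about which form the procurement officers find easier to fill in. The validation in `_check_attributes` is the part worth keeping whichever form you use: a feedback sheet with a missing attribute should be rejected, not scored.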

5. Mitigate Supplier Weaknesses

In real-world business, you sometimes don't control some aspects of the delivered supplies, and you have to come up with a workaround to protect your IT environment. You may add extra protective layers around an IT service within your organization, for example by deploying the service behind a firewall or putting a WAF (Web Application Firewall) in front of a website, or use the skills you have to set up workarounds in how the business operates. Keep in mind that a firewall or WAF reduces exposure but does not fix the underlying weakness, so treat it as a compensating control and keep pressing the supplier for a proper fix.

Here is a specific example to explain the idea: assume you have a Human Resources Management System (HRMS) used by the main office (within your LAN), you need remote offices to save documents in that system, but you don't trust the system enough to publish it on the Internet. Then you may transfer the documents through another trusted channel, such as SFTP (plain FTP sends credentials and files in cleartext) or another correspondence system (email or an archiving system), and let the headquarters staff save those documents in the HRMS. Another way is to establish a VPN connection and securely allow the remote offices to access the HRMS; restrict that VPN to the HRMS hosts and ports rather than exposing the whole LAN.

To read my recommendations for the in-house development process, check this article: In-house Software Development. My recommendations for in-house… | by Suhail Hammad | Nov, 2021 | Medium

The Bottom Line

An organization must treat suppliers as partners and as a potential threat at the same time, so developing security measures can definitely reduce the risk suppliers pose to the organization's assets.

Organizations should involve employees at different levels and across departments in developing the right security requirements, periodically review the procurement process and documentation, and suggest improvements.

Thanks for reading… Please, do not hesitate to drop your comment on this topic


Written by Suhail Hammad

Suhail Hammad, MBA. Interested in Technology, Management, Elections, and Economics.