Security Improvement in Action
Security Health Check
Control Weakness Identified
Example: Third-Party Supplier Management
High-Level Domain Risk Description – The risk that an attacker could compromise services provided by a third-party supplier due to the supplier having inadequate security controls in place, resulting in data disclosure, corruption, or service interruption.
In this example, we use a single security domain from the Risk Reduction Equaliser to demonstrate our improvement approach.
Risk
Based on the control weaknesses identified in the Security Health Check, a detailed risk description is documented and then scored using a risk matrix.
- No inventory of suppliers
- No profiling to inform inherent risk
- Assurance reviews not conducted
Based on these weaknesses, the risk is assessed at:
- Probability: Likely
- Impact: High
Security Improvement Plan (SIP)
This consists of three core components to inform your approach:
- Activities
- Cost
- Priority
Extract from Risk Reduction Equaliser
- Establish a supplier inventory detailing what each supplier does and how it accesses your data.
- Calculate each supplier's inherent risk score based on the risk it poses.
- Conduct regular security assurance activity, with the depth and frequency driven by each supplier's inherent risk.
The extract depicts the Third-Party Supplier Management domain in our Risk Reduction Equaliser. It summarises the current risk position together with the proposed financial investment and the corresponding risk-reduction aims.