Supplier Profiling and Assurance
External auditors had identified that a major insurance and pensions client was failing to meet key requirements in relation to third-party supplier security. This exposed the client to a high risk of compromise through third-party suppliers with access to its most sensitive information. Regulators and auditors hold organisations fully accountable for controls operated on their behalf by suppliers.
The client had an incomplete picture of its suppliers, particularly of their inherent security risk classification. This exacerbated the situation: without a clear understanding of which suppliers carried the most risk, it was impossible to target assurance review activity. Assurance reviews are designed to determine how controls around the transfer, storage and processing of sensitive data are operated.
i-confidential’s Supplier Profiling solution was first deployed to determine each supplier’s inherent security risk classification.
i-confidential coordinated with IT Security to acquire details of the suppliers to be profiled and their associated relationship managers. Using the profiling tool, a simple questionnaire was sent to the relationship managers, and within three weeks the returns were collected, validated and rated in the tool to identify the client’s highest risk suppliers. These details were loaded into a supplier repository.
The output of the supplier profiling activity directly informs the scope of supplier assurance. The highest risk suppliers were selected for an assurance review: each was sent a questionnaire to establish the scope and operation of its security controls. On the basis of the response, a site visit was undertaken and a ‘findings’ report was produced, identifying non-compliances, rating them against the organisation’s risk appetite and suggesting remedial actions. Lower risk suppliers can also be evaluated off site using a similar method.
Management information (MI), graphically describing the status of and activity on each supplier, was delivered to the client throughout the assurance activity.
i-confidential’s Supplier Profiling tool and approach reduced the client’s risk of compromise through a third-party supplier with access to its sensitive data by providing an up-to-date view of supplier inherent security risk. i-confidential’s assurance work then moved on to identify control gaps and remediation steps for the highest risk suppliers.
Central repository to store all suppliers’ key information
Classified the highest risk suppliers to determine future assurance activity
Identified non-compliance and suggested remedial actions