Third Party Risk Management - Industrial Sector

Background

An industrial organization with operations in over 20 countries and a large number of third party vendors. A centralization project was underway (and is still ongoing) to reduce the number of third parties utilized from the many thousands originally in use. Third parties in use ranged from technical organizations (cloud providers, hardware suppliers, etc.) to organizations involved in the ongoing maintenance of physical facilities.

"How does a network diagram prove that they actually have a firewall???"
OccamSec team member upon reviewing an initial response to an assessment

The Challenge

Vendor management is either extremely time and resource intensive, or is handled by systems which do not consider the operational context and the nature of the risk presented by a third party.

The Solution

Several years ago, the OccamSec team was presented with the task of performing a large number of vendor assessments. These were being conducted manually and consumed considerable resources, which amounted to a large cost to the client. Our team created a portal (the Vendor Assessment Portal, or VAP) for handling the bulk of the work. The portal provides an effective way to assess the risk posed by vendors, and is based on feedback from our clients and our own experiences. The system is also flexible and is able to accommodate different risk tolerances across organizations.

In the case of this industrial client, a formalized assessment approach was agreed upon and the importance of various aspects to the client was identified. VAP was configured to take account of this ranking, and then assessments began. Each assessment required some human analysis, primarily around determining whether the security controls in use by the vendor were actually effective.

VAP sits within the larger ecosystem of OccamSec services and so benefits from work done elsewhere. For example, in the case of the industrial client, some vendors would not respond to the assessment. In these instances the Identify team would collect data on the vendor and perform an assessment based on known data and intelligence.