Author: Michalis Kamprianis, CRISC, CCSK, CISSP, ISO 27001 LA
Date Published: 28 November 2023

One of the most frequently debated topics in the disciplines of risk management and cybersecurity is how to effectively manage the risk posed by untrusted third parties in the supply chain. This is with good reason, as recent high-profile incidents involving third parties (e.g., the Kaseya,1 SolarWinds,2 Okta3 and Microsoft4 incidents) have impacted numerous enterprises and made it clear that the risk associated with third parties is substantial.

Nevertheless, many organizations continue to rely on ineffective solutions to manage third-party risk, such as third-party risk analysis services or the notorious customer security questionnaire. These are no longer sufficient; therefore, it is necessary to explore alternative solutions that achieve effective risk management.


The inefficiency of third-party risk analysis solutions is due to their reliance on inaccurate data. In many cases, these solutions attempt to assess an enterprise's security posture using information readily available on the Internet. Typically, this information comes from sources such as public websites, email server settings and leaked credentials, all of which may be unrelated to the products and services the organization provides.

With the exception of some software-as-a-service (SaaS) enterprises, software development teams often have little to do with an organization's email servers or online presence. Instead, most organizations outsource or externally host these services. There is no relationship between the vulnerabilities of a website or the settings of a mail server and the quality of the products produced and distributed by the enterprise. This gap also exists for other presumed security posture indicators (e.g., exposed credentials), which are often not associated with internal security processes and policies, but rather with breaches of unrelated websites.

In other words, what enterprises consider to be security posture indicators provided by third-party risk analysis platforms and solutions may not accurately reflect the true security posture of the organization.


The use of security questionnaires is also an ineffective method of analyzing an organization's security posture. Several factors contribute to their lack of efficacy, but the most important are:

  • Some questionnaires are too generic. For example, a customer inquiring about an organization's cloud practices when they only consume on-premises software provides no insight into the presumed risk, but creates more work for both the supplier and the customer.
  • Some questionnaires resemble the International Organization for Standardization (ISO) standard ISO 270015 too closely. Those who believe that certification implies security should simply request that certificate rather than relying on a questionnaire. Earning an ISO certification is more effective than having untrained analysts review sections of ISO 27001.
  • Some questionnaires are too detailed. Rather than addressing the risk itself, they require technical safeguards such as access control techniques, password complexity settings and antivirus signature updates.

In addition, at no moment in the process is there any assurance that the answers on the questionnaire are provided by a knowledgeable individual and not an overzealous sales department. Finally, a significant number of questionnaires request notification within 24 to 48 hours if a security breach occurs. Expecting such a quick turnaround from small startups and organizations without a security department is an indication that questionnaires function as a checklist exercise and not genuine risk management.

Given these inherent flaws, misrepresentation of an organization's security posture, maturity and controls is not uncommon, similar to when a salesperson is exceedingly eager to close a deal or when a vendor views cybersecurity as merely a box to be ticked before the transaction can be finalized.

Adding the results of the questionnaires as addenda to the contract to contractually bind the supplier regarding their security practices and commitments may be feasible, but only if the contracts do not contain the typical limitation of liability clauses, whose cap is quite low for a cybersecurity incident.


Given the current security posture of most organizations, as evidenced by the continuous stream of data breaches, it is clear that there is no simple solution to this problem. However, generally speaking, enterprises should start by assessing the risk associated with each third party individually.

Because not every outsourced service or product exposes the organization to the same level of risk, it is important to assess the likelihood that the outsourced service or product will become unavailable, or that sensitive information will be leaked. In other words, the organization must conduct a standard risk assessment. Most of the time, the third-party risk does not justify the time-consuming completion of security questionnaires, contract negotiations and other similar tasks. If the risk assessment does not reveal any significant risk and the organization's security certifications are acceptable, their existence and scope can be verified as assurance controls.

A customer understanding their own capabilities is another method to avoid the burden and the theatrics that come along with security questionnaires. Does it make sense, for example, to ask a large security enterprise to fill out a questionnaire when one's own capabilities and maturity are limited?

The last option is to conduct an audit or discussion of the specific business processes that are risk-vulnerable or contribute to risk. This requires risk-aware personnel on both the supplier and the customer side, and the exercise, similar to any other risk management activity, should ultimately result in a remediation plan. The third-party contract can incorporate this plan.

Although there is no universally recognized criterion that specifies what level of security is considered adequate, the EU General Data Protection Regulation (GDPR)6 contains provisions for sanctions, which can be paraphrased as "You will be fined if you did not do what you needed to do to have an appropriate security posture for the services you provide." This regulation allows data protection authorities (DPAs) to determine what is appropriate in each individual case. GDPR applies only to personal data, however, and does not cover breaches of non-personal data or other security incidents. Nevertheless, it remains the best available model and provides a solid foundation for future expansion.

The US Securities and Exchange Commission (SEC) made the correct choice when it updated and enacted new rules in July 2023 related to cybersecurity. Like the US Sarbanes-Oxley (SOX) Act,7 this shows that making false statements to the SEC is not a trivial matter. Given this, the industry should grasp the opportunity to address the ineffective third-party risk management practices that are presently in place, and the SEC should apply some pressure through these new rules.


Michalis Kamprianis is a cybersecurity executive currently serving as the director of cybersecurity at Hexagon Manufacturing Intelligence. Over a career spanning more than 25 years, he has held key roles across various industries. His expertise is cybersecurity, particularly in relation to digitalization and digital transformation initiatives. Recognized as a dynamic change catalyst, Kamprianis assembles high-performing, multinational teams. He also actively mentors and educates emerging talent in the realms of risk management and cybersecurity.