Five Controls to Consider When Auditing a Vendor Management Program

Jordan Kassing
Author: Jordan Kassing, AWS Certified Cloud Practitioner, HITRUST CCSFP
Date Published: 23 January 2024

As enterprises grow larger and become more reliant on external vendors, it becomes necessary to establish effective vendor management programs. Vendor management is a fundamentally critical function that impacts an organization's operational success, efficiency, reputation and risk exposure. The internal audit department can promote an effective vendor management program by identifying and assessing risk, performing due diligence, monitoring vendor performance regularly, ensuring compliance and promoting continuous improvement. At a minimum, critical vendors should be monitored and reviewed, including inquiring about any recent security incidents. By implementing a functional vendor management program, internal auditors contribute to the overall success of the organization by guarding against potential risks and improving vendor relationships.

To put the importance of vendor management into perspective, the investigation into the 2013 Target data breach, one of the most notorious data breaches in recent years, found that Target "did not have controls limiting its (vendor's) access to any system, including devices within stores such as point of sale (POS) registers and servers."1 This meant that the heating, ventilation and air conditioning (HVAC) vendor under investigation had uncontrolled access to every register in every Target store. Target's network credentials were eventually compromised and stolen by malicious actors. If Target's leadership could go back in time and perform an internal audit of the effectiveness of its vendor management program, these risk factors could have been exposed earlier, and controls could have been implemented to reduce the risk of a security incident arising from the use of an authorized vendor.

There are several key controls that an organization should implement as part of its vendor management program. Internal auditing of these controls helps reduce risk and improves the quality of reporting on their effectiveness.

Control 1: Enterprise Vendor Risk Assessment

An enterprise vendor risk assessment consists of the cybersecurity and governance, risk and compliance (GRC) teams working closely with business units to identify and assess potential risks associated with vendor relationships. All key business departments, such as accounting, legal, human resources, operations, IT, cybersecurity and vendor owners, should be considered during an enterprise vendor risk assessment. An effective vendor risk assessment categorizes vendors by how critical they are to the organization and determines which are considered critical or high-risk vendors. The enterprise vendor risk assessment, which should be performed at least annually, serves as the foundation for developing a risk-based approach to a strong vendor management program. Once the vendor risk assessment is complete, the internal audit department can use the deliverables to verify that the assessment identified critical vendors through a risk-ranking methodology that includes careful vendor due diligence.

Control 2: Monitoring Vendor Performance Through Evaluations

Continuous evaluation and monitoring of vendor performance is essential for ensuring service quality, adherence to contractual requirements and compliance with regulations. Cybersecurity and GRC teams should establish performance metrics in the form of key performance indicators (KPIs). KPIs provide a clear, objective and efficient way to continuously monitor vendors and determine the frequency of evaluations, thereby ensuring optimal vendor performance and risk management.

Periodic vendor evaluations are typically performed on high-risk vendors identified through the enterprise vendor risk assessment. The evaluation confirms that the organization continues to maintain the expected security controls by taking the following due diligence measures:

  • Including a right-to-audit clause in vendor agreements to retain the right to audit, allowing the organization to review official documents reflecting the state of internal systems and controls
  • Reviewing independent assurance reports (e.g., System and Organization Controls [SOC] 1 or SOC 2)
  • Certifications of compliance with cybersecurity standards, such as the Payment Card Industry Data Security Standard (PCI-DSS) and International Organization for Standardization (ISO) standard ISO 27001
  • Cybersecurity questionnaires completed by the vendor
  • Agreed-upon procedures (AUP) attestations performed by an accounting firm
  • Other industry certifications (e.g., HITRUST assessments)

Additional resources for performing due diligence may include vendor scorecards derived from third-party source data and reports, or tools that scan a vendor's public-facing internet domains for discoverable vulnerabilities.

Management should conduct periodic evaluations to measure vendor performance against established security baselines, identify any deviations or exceptions and perform corrective remediation as necessary. The internal audit department can obtain the results of vendor evaluations and determine whether management adequately evaluated vendors as part of the periodic monitoring of critical vendors. Management should carefully evaluate and review available independent assurance reports to determine whether any significant exceptions or findings are noted in the report sections. Internal audit can test whether the results of independent assurance or attestation have been translated into KPIs that establish the current risk level of critical vendors' security controls and whether a vendor relationship places the organization at high cybersecurity risk.

Control 3: Due Diligence on New Vendors

To reduce risk, cybersecurity and GRC teams should ensure that thorough due diligence is conducted prior to new vendor onboarding. Vendor onboarding should include the execution of a contract to determine whether the vendor's security program meets the organization's expectations, specifically regarding cybersecurity and confidentiality. Effective due diligence of new vendors includes evaluating vendor qualifications, credentials, regulatory compliance and history of financial stability, and assessing the vendor's available independent assurance reports. A standardized due diligence process for vendor onboarding allows the internal audit department to test the vendor security controls evaluated by the cybersecurity or GRC team. There are various IT and cybersecurity risk factors that must be considered, such as:

  • Where the IT application provided by the vendor is hosted (e.g., on premises, in a hosted data center of the vendor's choosing, or in the cloud by the vendor, such as via a Software-as-a-Service [SaaS] product)
  • How users authenticate to the system, and verification of password requirements
  • Application programming interface (API) configurations or other interfaces

Control 4: Contract and Agreement Management

Cybersecurity and GRC teams should review vendor contracts, statements of work (SOWs) or other agreements to determine whether they include provisions covering applicable service commitments, system requirements, data security, confidentiality, termination rights and dispute resolution mechanisms. Regular review of vendor contracts helps identify gaps, noncompliance issues or failure of a vendor to uphold service commitments, allowing timely corrective action. Internal audit can work with in-house legal counsel and the cybersecurity or GRC teams to test whether agreements and contracts address the cybersecurity risks associated with the nature of the services the vendor provides.

Control 5: Continuous Improvement

Vendor management should receive ongoing improvements to adapt to changing business needs and emerging cybersecurity risk. Typically, a cybersecurity committee or similar group meets on an agreed-upon schedule to report on the effectiveness of the ongoing vendor management program, especially the monitoring of the critical vendors identified in the enterprise vendor risk assessment. The internal audit department can periodically review and evaluate the effectiveness of the vendor management program and consider an annual review of the vendor management policy that governs it. By performing post-implementation reviews, internal auditors can assess the effectiveness of controls by monitoring vendor KPIs, identifying areas for improvement and proposing recommendations to enhance the overall vendor management program.

Conclusion

Cybersecurity incidents are constantly evolving as different attack vectors continue to be uncovered every day. It is critical for management teams to focus on the footprint that they can control as third-party risk grows and changes. The five example controls outlined above are actionable steps that any internal audit department can take to help reduce risk and improve accountability through a vendor management program.

Endnotes

1 Krebs, B.; [article title not recoverable from the extracted page]; Krebs on Security, 21 September 2015

Jordan Kassing, AWS Certified Cloud Practitioner, HITRUST CCSFP

Is a senior associate of internal controls assurance in Katz, Sapper & Miller's IT Risk Advisory and SOC Services group. He is primarily responsible for testing and evaluating IT system and business process controls through SOC and HITRUST assessments. Kassing has experience with multiple attestation and consulting services across a variety of industries, but he is especially adept at assessing IT and business process risk, ensuring that enterprises can mitigate threats and deliver effective services to their clients. Prior to joining KSM, he served as a cybersecurity analyst for a large financial services holding company, where his responsibilities included performing vendor due diligence and reviews through security risk assessments, as well as reviewing available independent third-party assurance reports (SOC 1, SOC 2) and security questionnaires used for governance, risk management and compliance.