The CIS Critical Security Controls: Best Practices for Third-Party Risk Management

CIS Critical Security Control 15: Service Provider Management

CIS Control 15 recommends that organizations develop a process to evaluate the ability of their service providers to protect any sensitive data, critical IT platforms and/or key processes that they have access to or responsibility for.

Following are best practices for addressing each of the seven Safeguards under Control 15:

15.1 Establish and Maintain an Inventory of Service Providers

Build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized and customizable intake form and associated workflow. This capability should be available to everyone via email invitation, without requiring any training or solution expertise.

As all service providers are being centralized, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

15.2 Establish and Maintain a Service Provider Management Policy

Key provisions in a service provider management policy should include:

• Governing policies, standards, systems and processes to protect data
• Clear roles and responsibilities (e.g., RACI)
• Vendor classification and categorization logic
• Risk scoring thresholds based on your organization’s risk tolerance levels
• Mapping of fourth and Nth parties to understand where your organization’s data flows
• Scoping the right assessments and sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

15.3 Classify Service Providers

Conduct a pre-contract due diligence assessment with scoring based on the following criteria to capture, track and quantify inherent risks for all third parties:

• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically classify and tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

15.4 Ensure Service Provider Contracts Include Security Requirements

Centralize the distribution, discussion, retention and review of vendor contracts to ensure that key security requirements are built into the vendor contract, agreed upon, and enforced throughout the relationship with key performance indicators (KPIs). Key capabilities should include:

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

15.5 Assess Service Providers

Gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment. For third parties that submit a SOC 2 report instead of a completed vendor risk assessment, review the list of control gaps identified within the SOC 2 report, create risk items against the third party, and track and report against deficiencies.

Avoid the use of spreadsheets to collect and analyze vendor controls information as this approach is highly manual and does not scale beyond a handful of suppliers.

15.6 Monitor Service Providers Data

Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources should include:

• Cyber: Criminal forums; of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials; breach databases — as well as several security communities, code repositories, and vulnerability databases
• Operational: Public and private sources of M&A activity, business news, and operational updates
• Reputational: Negative news, regulatory and legal information, politically exposed person profiles, sanctions lists and global enforcement lists and court filings
• Financial: Databases of businesses with financial performance, including turnover, profit and loss, shareholder funds, etc.

Results of assessments and continuous monitoring should be collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

15.7 Securely Decommission Service Providers Data

Conduct contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure, including:

• Scheduling tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leveraging customizable surveys and workflows report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally storing and managing documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
• Taking actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.

CIS Critical Security Control 17: Incident Response Management

CIS Control 17 recommends that organizations establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training and communications) to prepare, detect and quickly respond to an attack. There are six specific Safeguards aligned to Control 17:

17.1 Designate Personnel to Manage Incident Handling

17.2 Establish and Maintain Contact Information for Reporting Security Incidents

17.3 Establish and Maintain an Enterprise Process for Reporting Incidents

17.4 Establish and Maintain an Incident Response Process

17.5 Assign Key Roles and Responsibilities

17.6 Define Mechanisms for Communicating During Incident Response

For Control 17, Prevalent recommends best practices focused on centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. These include:

• Leverage a centralized customizable event and incident management questionnaire
• Track questionnaire completion progress in real time
• Define risk owners and issue chasing reminders to keep surveys on schedule
• Enable vendors to proactively report on incidents to add context and speed response
• Use workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Issue remediation guidance
• Map third-, fourth-, and Nth-party relationships to visualize information paths and determine at-risk data

By centralizing third-party incident response

into a single enterprise incident management process, your IT, security, legal, privacy and compliance teams can effectively work together to mitigate risks.

Next Steps: Download the Comprehensive CIS Controls Checklist

CIS Critical Controls provide structure and best practices for mitigating the risk of supply chain cybersecurity attacks. Prevalent offers a central, automated platform for addressing CIS Controls 15 and 17 and scaling your third-party risk management initiatives as part of your broader cybersecurity risk management program. Learn more by downloading the comprehensive CIS Controls Checklist, reading about our solutions for CIS Controls, or scheduling a personalized demonstration today.