The Centauri Step, Governance and IT Security

Security Reports

Marion Mellor

Reporting risks: A key aspect of information security management

The security report must always be sent to the business unit

In your organizational environment, supplier security reviews should be systematic. In other words, for every contract, prior verifications (otherwise known as due diligence) should be made with respect to compliance, CSR, financial aspects, personal data and security.

The person responsible for approving the security report should always be the business unit project manager concerned by the contract or, if this is not possible, a Procurement manager who takes the responsibility for signing a framework contract with a supplier.

Why? Because in an ISO 27001 “risk management approach” (see Theme 1 ARTICLE 3), the main point of this entire process is identifying risks and letting the organization know about them. (And also to achieve the certification of your own organization, but if that is your only motivation, then you are barking up the wrong tree.)

The return of the “Risk-based” approach

The checks that you spend time performing on each supplier are not simply designed to tell you, “yes” or “no”, whether the supplier is in compliance with standards

The main aim of a security review is to assess the relevance and existence of your supplier’s security systems and controls, and their compliance with your own security standards. By following the advice given on this website (see Theme 3 Article 1), you will be able to assess the systems in place, in order to establish an overall security maturity score for your supplier while still focusing on the controls concerning the service for which the contract is being agreed.

MY ADVICE: Here are a few key points for your future security reports (a security report is less formal and more flexible than a security audit):

1) State the context/contract/criticality of the service being contracted.

2) State the basis for the questionnaire (whether it is modelled on the ISO 27001 standard, for example).

3) Assess your supplier’s level of compliance with all the controls which are important for you (this should result in a real score which should be made visible on your document, for example, a rating from A to F, or score out of 100).

4) Highlight the key points to remember for each part of the Supplier Security Policy.

5) List the evidence provided by the supplier – and its pertinence.

6) Devote at least a quarter of the document to risk assessment, listing the identified risks, the risk scenarios concerning the project/contract, the residual risks and the solutions implemented to mitigate them.

7) Name the person approving the report and the approval date.

Don’t forget the remediation plans!

The security review has brought you answers to a number of questions:

1. Are there weaknesses and vulnerabilities in your supplier’s current security system?

2. Is your supplier capable of responding to security threats in the event of a system breakdown, security breach or the theft of data?

3. If you have discovered security flaws, what concrete actions can the supplier take to remedy them?

THE OUTCOME OF THE SECURITY REPORT: If the supplier has answered all your questions, and in your opinion has implemented adequate security systems and controls for the risks identified and the services proposed, then you can communicate the result of your assessment and update it 12 to 24 months down the line (according to the criticality of the supplier).

But if you ask your supplier to remediate certain vulnerabilities (and it’s important to negotiate this in the contract!), a crucial question remains: who will follow up on this remediation? Can your company arrange for regular progress updates with the identified suppliers?

WHAT TO AVOID: Sending out a fancy security report which will gather dust in in-boxes without ever being followed up by action.

MUST-DOS: Set a deadline by which your supplier must review and re-submit his answers to the security questionnaire to show that the action plan has been implemented. This is a real necessity and will give credibility to your entire supplier review process.