A good overview of running a Vulnerability Management program for third party risk. One driver for your business to do this is that it may be a pre-requisite for you to win and keep business from your own customers…:
[…] What is to be done if your company is part of someone’s supply chain? Ask yourself, “What are the chinks in my armor?” Maybe the armor imagery isn’t your thing, but what will help your program is making it personal. Maybe you like basketball or football and want to think of it as setting up a defensive move. Or you’re in finance and think of Red Flag warnings. In looking for how to better protect your company’s network, it may help to start calling it “your” network and see, as objectively as possible, where your network has holes.
Depending on a company’s criticality in the chain, customers may ask for your vulnerability assessment results. These are typically considered “for internal use only.” By not sharing them, you’re not avoiding being honest or vulnerable (see what I did there), but there are many ways that those reports can be misunderstood. An example of misunderstanding can occur when internal corporate vulnerability scans assess both Prod and Test servers. If the reports reflect both, then the Test environment is likely filled with holes on purpose. Internal staff will understand the results, but external parties will not and may well consider the team lax in their duties – even if they are on top of the situations. If vulnerability assessments aren’t shareable, at minimum have a professional response ready for those inquiries and provide some metrics by which prospects and risk assessors can measure the internal security of the product or service to which they’re uploading their data.
Here’s a recently developed tool from NIST that can help as you develop and mature your C-SCRM.