Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today and today we're continuing our deep dive into our FTC Safeguards Rule Checklist for Compliance.
It's our whole little series, which has all the podcasts and all the blog articles, and today we'll be going into the sixth area, 'Managing Our Service Providers.' It's a huge aspect, definitely coming out of the COVID era especially. There were just a lot of issues there with the supply chain, and I'm sure you remember all the different issues with suppliers, just everything that happened. And not only with FTC, but really with every compliance standard, ISO, NIST, suppliers and the supply chain got a much bigger focus than they had had previously. So it's a pretty important part of the FTC Safeguards and we're going to dive into that today.
Before we do, please check out our online links, check out the description. It does have the link to the FTC Safeguards Rule Checklist right there. It's a handy little infographic, has all the different checklist items, and we're just going straight down that list. It couldn't be easier to use the infographic, follow along in the blogs and in the podcast series, and you'll be able to make sure you're hitting all the different bases with the FTC Safeguards. Also, before we dive in, click that like, click that subscribe. If you like what you're hearing, if you like the content, please let us know and we'll make sure to get more of it your way.
So with all of that said, let's jump into our managing our suppliers. Like I said, this has always been a pretty big thing.
Obviously your supplier relationships, not just service providers, but products, any type of solution that you get, if you're not getting what they're providing, basically the inputs to your business, the inputs for your products, you're not going to be able to do what you need to do to deliver to your customers. So your suppliers, those relationships, their ability to provide and deliver is really going to make or break your company. So super important to make sure that we've got the right suppliers, the right vendors, and that we've got the continuity plans, that we've got the backup procedures. That's all on another section of FTC. But even just as we talk about the suppliers, you always need to keep it in mind, how could this go sideways? And if it does, what are we going to do to remain viable?
And I may edit this out. I definitely don't want to turn this into a political discussion because it's not, but with everything going on with the tariffs, that's hitting a lot of companies in a lot of different ways. And if there is no plan, if there was no alternative to some of the suppliers that they're using, some companies are in a very bad position because of the inability to pivot. And that's not a stab at any company saying that if you're having trouble, you just didn't prepare. That's just a statement of fact. If you don't have any other option and that only option you have goes sideways, you're in a bad spot. So again, I'm not shaming anybody. I'm not making it political, not taking any side there; it's just very close to home right now, I think, for a lot of people listening.
So to manage our suppliers appropriately, the things that we need to do are: we need to select and retain appropriate service providers that are going to apply appropriate safeguards, appropriate security controls. We need to require those in our contracts, and we need to periodically assess. It's not a one and done.
So we're going to dive into each of those three pillars of supplier management, with the first being selecting and retaining the right suppliers. Now, this all goes back to what we've talked about a lot of times on this podcast, which is your risk management process. This all needs to be risk based.
It needs to align with your risk process that we talked about a few episodes ago. So if you didn't review that, you can actually just jump back at the podcast and dive right into the risk based approach. But what you want to look at is where are the risks in our businesses? Easiest way to do that is what are our primary inputs? What are the things we need to pull in to provide our outputs, our deliverables? So what services, what products, what utilities, what infrastructure do we need to be able to do what we do to provide our product and solution to our customers? Once you've identified that, then you can just start going down and saying, well, what if we didn't have this input or what if this supplier went sideways or what if they didn't provide us the solution or the product on time or to the right quantity or to the right quality? There's a lot of different questions to ask there, but you can really narrow it down to your primary inputs, primary outputs. I say that a lot, but it's really where all the focus needs to be.
Some reasonable steps, what this actually really looks like is having vendor questionnaires, security risk surveys, making sure that if you've got a supplier that's going to manage, say, your tax data or your customer email list or other information that you have, you need to make sure that they've got appropriate security controls so that no unauthorized personnel are getting it, so that if there's some sort of data incident, you're notified, you can get brought in, you can take appropriate notification actions. And long story short there, that they've got everything buttoned up.
Now that's very difficult to do even in our own organization. It's doing an entire gap assessment, which isn't really feasible for every single one of our suppliers, and it's not even available, not even possible, with a lot of the bigger fish: Microsoft, Cisco, some... I'm trying to name off some big companies and now I'm just going blank right here in front of the microphone and the camera. But Fox.com and all the other different solution providers, Google, CrowdStrike, yada, yada, yada.
I'm going to stop there so I don't sound like a fool. But they're not going to let you perform an audit on their infrastructure, so what you can rely on there is getting their SOC 2 report or ISO 27001 certificate or any other related security certificate or third party audit report. If you're getting these, what you want to make sure is that the scope of those audits relates to the service that you're utilizing with that provider.
If you're utilizing U.S. based data centers and their SOC 2 report or ISO 27001 is only scoped for India based data centers, that doesn't cover you at all. It's not going to relate to your company, your risk and your security requirements under FTC Safeguards. So that's kind of a devil in the details that gets overlooked many, many times.
But check the scope statements. With the SOC 2, you've got to do a little bit more reading to make sure that it aligns. It's all in there though. And just as an FYI, what you're looking for with SOC 2 is a SOC 2 type 2. That may be provided in the form of a SOC 3 report. A SOC 3 report is just a SOC 2 type 2, but redacted. It's not all of the behind the scenes and kind of secret sauce of the company.
It just identifies what was audited and basically whether it was acceptable or not. So if you get one of those, don't try to beat up your supplier; it's probably perfectly okay. You can also review privacy policies, data handling procedures.
This is normally provided. Normally a lot of this is in your contract. We'll talk about that in the next section, but you want to make sure that all of that information is documented, that it's actually in writing.
If you can, check their breach history, a quick Google search goes a long way. You can look on some dark websites. There's a lot of services out there that provide this.
This is not to say if a company had a data breach that you shouldn't work with them, but get context from it. Can you see how it is that they responded? Can you see any other details? Are their security controls tighter now than they were before? Or do they have things in place that would address what happened? So again, all in context, but good things to dig into when looking for one of your suppliers. And regularly monitoring. This is actually going to be the last section, but definitely worth talking about a few times.
Another kind of little pro tip here is you can use a vendor intake form. We have in our policy pack a whole acquisition analysis form, and it's just a scorecard. It lets you identify all the different things you need with different suppliers, and you give those a weight saying how important it is. If you're storing data, encryption would be like a 10, super important. And then that way, as you look at a few different providers, you can see who has what, which helps compare apples to apples and helps you make a really good informed decision, not only from a risk base, but also operationally and financially, on the best supplier.
All right, the next step actually goes in line with selecting your suppliers, but this all needs to be in writing. It has to be in the contract; there needs to be clear language in your contract about who is responsible for what and what laws they're being governed by. So if you're going to be working with them for your sensitive client data, they've got to fall under those FTC Safeguards Rule requirements.
They need to make sure that they're doing the things so that you can be. You also need to have in there their data privacy and data security obligations: what specifically are they required to do? And this is where we were starting to talk about it in the last section. But with the privacy, with the incident response, there should be very clear language about how they manage data, how they share data, how they delete it when it's no longer in use, how you can request it to be deleted. And if there's any suspicion of a data breach, how they're going to notify you and keep you informed, because if they have a data breach with your clients' information, you're obligated to notify your clients. You have all those notification requirements, different for each of the different states and for different jurisdictions, even outside of the U.S., like GOBA.
There should be some sort of a right to audit clause. Larger companies don't really have this, but they will provide language that gives you the right to see their audits. So like those SOC 2 reports, the ISO certificates, things like that. Termination clauses for security noncompliance, you definitely want to have that in there. If they're not doing what they're supposed to do, there needs to be a way that you can cut ties. Nondisclosure, confidentiality, that also needs to extend past your relationship. So typically what we'll see in a lot of contracts is that if we're ending a relationship with a supplier, that they'll delete all of our data and they won't share anything that was confidential past that relationship.
There also need to be the supplier responsibilities in maintaining and safeguarding the customer information. That kind of covers everything that we were talking about there. But what's important about this is that it's in the contract, that it's documented and fully executed by both parties.
Finally, the third pillar here is all of this isn't a one and done. We don't do it when we're selecting our supplier and then never look at it again. We have to periodically review all of our suppliers.
So this is going to look like an annual or biannual security assessment, typically more often for high risk vendors. Some low risk vendors you can do every two or three years, especially if there's a lot of other vendors that supply the same thing. You don't necessarily need to continually audit Office Depot or Staples.
You could go to one or the other. But say Microsoft 365 or Google Suite, those you want to make sure have everything tight every year and perhaps even more than that, depending on what type of information you're storing. You want to continue to make sure that you've got up to date SOC 2 reports or ISO certificates in the file. So that's a good way to show that you're continually doing these assessments, that you're getting the updated reports.
If you can, scan for any news of data breaches. That's a very good thing to do because if you're getting the information and they haven't notified you, that's where you should be having a discussion.
Now, that may be completely benign, and when you look at it with them they say, "None of your information was compromised, there wasn't even a risk of it, so we didn't notify you." That could be okay, but again, that all fits into your risk assessment. And just for business's sake, you want to make sure that they're hitting your metrics, that they're still hitting all of your contractual and operational requirements. Is this really the best vendor for us? And are we getting the best price? So each year when you're looking at your suppliers and asking whether we can get another one, just throw that security assessment in there as well.
Now, without going too much farther, and as we kind of wrap up, there are a few ways that you can do things, a few ways that we can help. One, we obviously have Input Output, our entire compliance program. We have an entire module just on supplier management, and all the risk assessment forms, all the risk assessment process, make that a lot easier.
If you're going at this alone, you can do this a couple of ways. One, you can definitely assess every single supplier separately. And that's a very thorough way to do it.
Realistically, that can get a bit arduous. And what I would recommend is creating supplier risk profiles. The way we typically look at it is like this:
Product suppliers: we're just ordering products from them.
Those that provide a service, but they're not interacting with our data as part of their service, so that could be office cleaners or some other type of service provider.
Then there are service providers that we provide information to on an as-needed basis, but they don't have direct access to our systems.
And then finally, those interconnected systems. Those are like Microsoft; those are other vendors that we're giving access into our environment. And those we want to really scrutinize because, God forbid, if they have a data breach, that could be a nice little bridge right into our systems.
So you can break those risk profiles up however you want. You can also look at those to where you have critical and non-critical suppliers because those risks are going to be different.
But that way, a lot of the risk for certain types of suppliers, those kind of umbrellas, those risk profiles, is going to be basically the same considerations. So where you can, don't duplicate work, don't make things harder for yourself. That's a way that we've been able to tremendously reduce the amount of time that goes into those supplier assessments.
With that, we are always happy to connect, always happy to help because it can be a very daunting and very time consuming process. So if you would like any help with your supplier process, if you would like some guidance just on how to set it up or make sure you're on the right track, please don't hesitate to reach out to us. Definitely links in the description and we'll be more than happy to connect any time.
So that is today's episode on our FTC Safeguards Rule Checklist for Compliance: Managing Service Providers. Remember, you want to make sure you're selecting the right ones with a risk assessment up front. You want to have all of those requirements documented in the executed contract, and you want to continue to assess those suppliers throughout your engagement with them, and how often that is depends on how critical they are for your business. With all of that, thank you very much for listening today, and until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.