Third-Party Risk Management Guide
Cybersecurity Frameworks
Focusing on Third-Party Risk
As businesses continue to diversify and globalize,
organizations looking to focus squarely on core business
functions are turning to third parties to fulfill specialized
services, such as web hosting, payments processing, and
cloud services. Although this provides significant benefits,
this extended ecosystem is nonetheless rife with escalating
threats to data privacy, security, and company reputation.
Data breaches and cybersecurity risks are impacting companies
at an alarming rate, with the software supply chain at the center of
many targeted attacks. In the face of growing threats, regulators
and governing bodies are taking notice. An increase in third-party
regulations, along with the accompanying scrutiny from auditors,
has obligated organizations to develop effective third-party risk
management programs to meet compliance mandates and deepen their
IT security controls.
To comply with the regulations, guidelines and standards in this paper, your organization should adopt a third-party risk management (TPRM) program. This includes a multi-step approach where you:
1. Set the rules of third-party engagement based on your organization’s risk tolerance and data security
and privacy policies
6. Remediate deficiencies
In the following pages, we’ll review key third-party risk management requirements noted in major
cybersecurity frameworks. We’ll then map the capabilities of the Prevalent Third-Party Risk Management
Platform to each relevant requirement. This will illustrate how a unified solution can enable you to achieve
compliance while mitigating third-party cybersecurity risks.
The Center for Internet Security (CIS)
Critical Security Controls
The Center for Internet Security® (CIS) Critical Security Controls are a
commonly used set of 18 best practices recommendations supported
by 153 sub-controls (called Safeguards) meant to help IT security
teams reduce the impact of a cybersecurity incident. CIS describes the
controls as a “prescriptive, prioritized, highly focused set of actions
that have a community support network to make them implementable,
usable, scalable, and in alignment with all industry or government
security requirements.”
Currently on version 8, the 18 CIS Controls and 153 supporting Safeguards are further ordered into three
Implementation Groups (IGs) to help organizations prioritize the implementation of key Safeguards:
• IG1 includes Safeguards considered “essential cyber hygiene” by CIS and “should be implementable
with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks”
• IG2 includes Safeguards aimed at teams dealing with increased operational complexity
CIS further classifies each Safeguard by NIST security function to simplify cross-mapping with each core
NIST function: Identify, Detect, Protect, Respond and Recover.
This section examines the third-party risk management Safeguards specified in Control 15: Service Provider
Management and Control 17: Incident Response Management, and includes capabilities available in the
Prevalent Third-Party Risk Management Platform that can speed and simplify their implementation.
Please note: The below table reviews Critical Security Control 15 and applicable Safeguards in Control 17. For a complete
review of all 18 CIS Controls, please contact your auditor or reference the full CIS Critical Security Controls guide.
Number of Safeguards in CIS Controls 15 and 17 applicable to each Implementation Group
Source: https://www.cisecurity.org/controls/implementation-groups/ig3
Control 15: Service Provider Management
“Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and
data appropriately.”
15.1 Establish and Maintain an Inventory of Service Providers
Security function: Identify
IG1,2,3
“Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: Prevalent enables organizations to build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise can populate key supplier details with a centralized and customizable intake form and associated workflow. This is available to everyone via email invitation, without requiring any training or solution expertise.

As all service providers are being centralized, teams can create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.
15.2 Establish and Maintain a Service Provider Management Policy
Security function: Identify
IG2,3
“Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

As part of this process, Prevalent can help you define:
• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Vendor classification and categorization
• Fourth-party mapping

CIS Controls Checklist
15.3 Classify Service Providers
Security function: Identify
IG1,2,3
“Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. Criteria include:
• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation
15.4 Ensure Service Provider Contracts Include Security Requirements
Security function: Protect
IG1,2,3

How Prevalent helps: Prevalent centralizes the distribution, discussion, retention and review of vendor contracts and offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. This ensures that key security requirements are built into the vendor contract, agreed upon, and enforced throughout the relationship with key performance indicators (KPIs).
15.5 Assess Service Providers
Security function: Identify
IG3
“Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.”

How Prevalent helps: Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments – including for PCI – customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.
15.6 Monitor Service Providers
Asset type: Data
Security function: Detect
IG3
“Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.”

How Prevalent helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:
• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
15.7 Securely Decommission Service Providers
Asset type: Data
Security function: Protect
IG3
“Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.”

How Prevalent helps: The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.
• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
17.1 Designate Personnel to Manage Incident Handling
Security function: Respond
IG1,2,3
“Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.”

How Prevalent helps: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:
• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
The Prevalent Difference
CIS Controls Compliance
The increasing pervasiveness of third-party cyber-attacks is driving organizations to scrutinize their vendors’
and suppliers’ IT and data privacy controls. Security frameworks such as the CIS Critical Controls can help
provide structure and best practices recommendations. However, using spreadsheets and other manual
methods to collect, analyze, remediate and report on controls is labor-intensive and ineffective.
Prevalent offers a central, automated platform for scaling third-party risk management in concert with your
broader cybersecurity risk management program. With Prevalent, your IT security team can:
The Prevalent platform includes built-in CIS Critical Controls questionnaires, backed by managed services and
a network of pre-completed assessments.
To discuss how Prevalent can help you address the requirements in CIS Critical Controls 15 and 17, request
a demo today.
The Cloud Security Alliance (CSA) Consensus
Assessments Initiative Questionnaire (CAIQ)
This brief chapter addresses the CSA’s questionnaire for assessing security controls
in infrastructure-as-a-service, platform-as-a-service and software-as-a-service
applications. While organizations are not required by law to abide by the results of a CAIQ
audit, the CAIQ assessment is widely utilized by organizations looking for a standard
approach to evaluating the security controls of a cloud provider.
• Simpler reporting: Results of CAIQ assessments are aligned to core security standards, including NIST,
ISO 27001, COBIT 5, so that by using the Prevalent Platform you can address multiple cloud security
reporting requirements in a single assessment.
• Tiered assessments: Questionnaires are customizable to suit the requirements of each cloud customer,
with CAIQ-Lite beneficial for cloud service providers deemed “low risk” (for example based on
accessibility to sensitive data).
• Faster turnaround: The reduced question set in CAIQ-Lite allows for a quicker turnaround time for
assessment completion, speeding time to resolution and focusing your team on remediating risks.
The Prevalent Difference
CAIQ Compliance
CSA standards require robust management and tracking of third-party
risk. Prevalent can help address the requirements in the CAIQ by:
As your organization seeks to migrate more workloads to the cloud, assessing third parties will be essential.
Prevalent can help by centralizing vendor assessments across a range of requirements.
To discuss how Prevalent can help you address the requirements in the CAIQ, request a demo today.
US Department of Defense Cybersecurity Maturity
Model Certification (CMMC)
In November 2021, the Office of the Under Secretary of Defense for Acquisition and
Sustainment in the United States Department of Defense (DoD) released v2.0 of the
Cybersecurity Maturity Model Certification (CMMC), a comprehensive framework to protect
the defense industrial base from increasingly frequent and complex cyberattacks. Version
2.0 greatly simplifies the model by streamlining certification levels from five (5) to three (3),
eliminating proprietary maturity layers, and adjusting assessment responsibilities.
CMMC requires companies to achieve certification against cybersecurity and controlled unclassified information
(CUI) handling best practices, with that certification eventually determining whether a company can be awarded
a contract by the DoD. Meant to help small businesses demonstrate cybersecurity protections more easily and
cost-effectively, CMMC aims to ensure that our entire national defense supply chain is secure and resilient.
All DoD suppliers will eventually be required to be certified at one of three levels, from Level 1 (Foundational)
to Level 3 (Expert). This represents a change from version 1.0 that featured five certification levels. Version
2.0 certification levels are derived from the basic safeguarding requirements for Federal Contract Information
(FCI) specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for
controlled unclassified information (CUI) specified in the National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-171 Rev 2 per Defense Federal Acquisition Regulation Supplement (DFARS)
Clause 252.204-7012 and additional controls from NIST SP 800-172 Enhanced Security Requirements for
Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.
CMMC Checklist

Access Control
Level 1: 3.1.1 Authorized Access Control; 3.1.2 Transaction & Function Control; 3.1.20 External Connections; 3.1.22 Control Public Information
Level 2: 3.1.3 Control CUI Flow; 3.1.4 Separation of Duties; 3.1.5 Least Privilege; 3.1.6 Non-Privileged Account Use; 3.1.7 Privileged Functions; 3.1.8 Unsuccessful Logon Attempts; 3.1.9 Privacy & Security Notices
Level 3: Information on Level 3 will be released at a later date and will contain a subset of the security requirements specified in NIST SP 800-172.

Audit and Accountability
Level 2: 3.3.1 System Auditing; 3.3.2 User Accountability; 3.3.3 Event Review; 3.3.4 Audit Failure Alerting; 3.3.5 Audit Correlation; 3.3.6 Reduction & Reporting; 3.3.7 Authoritative Time Source
Level 3: Information on Level 3 will be released at a later date and will contain a subset of the security requirements specified in NIST SP 800-172.

Identification and Authentication
Level 2: 3.5.10 Cryptographically-Protected Passwords

System and Information Integrity
Level 1: 3.14.1 Flaw Remediation; 3.14.2 Malicious Code Protection
Level 2: 3.14.3 Security Alerts & Advisories; 3.14.6 Monitor Communications for Attacks
The Prevalent Difference
CMMC Compliance
The Prevalent Third-Party Risk Management Platform has built-in questionnaires for Level 1 and Level 2, enabling
suppliers to assess themselves and auditors to assess their clients against each level. When Level 3 certification
requirements have been published, Prevalent will add the appropriate questionnaire to the Platform.
• Automate chasing reminders to suppliers or clients to reduce the time required to complete assessments
• Centralize supporting documents as evidence of the presence of controls
• View a single register of risks raised depending on how the client or supplier responds to the questions
• Issue remediation recommendations for failed controls

• Assess themselves against the 110 controls required to measure Level 2 compliance
• Upload documentation and evidence to support submitted answers to questions
• Gain visibility into current compliance status
• Leverage built-in remediation guidance to address shortcomings
• Produce reporting to measure compliance for auditors
To discuss how Prevalent can help you address the CMMC requirements, request a demo today.
Executive Order 14028 on Improving the
Nation’s Cybersecurity
On May 12, 2021, President Biden signed the Executive Order 14028 on Improving the
Nation’s Cybersecurity. Developed in the wake of the highly damaging SolarWinds Orion
software supply chain breach, the Order directs several US Federal Government agencies
to better coordinate in preventing, detecting, responding to and mitigating security
incidents and breaches by:
• Establishing and standardizing the Federal Government’s playbook for vulnerabilities and
incident response
• Improving the detection of cybersecurity vulnerabilities and incidents on Federal Government networks
This Executive Order (EO) builds on previous cybersecurity-related EOs and requires agencies to establish
uniform standards based on NIST, with enforcement beginning in May 2022.
Since this EO introduces several new third-party risk management requirements for Federal agencies to implement, this section focuses on Section 4, Enhancing Software Supply Chain Security. If software suppliers are not able to meet these requirements, they will be removed from the Federal Government’s Acquisition Regulation – meaning they can no longer sell to the government.
The table on the following pages summarizes some of the most important
third-party risk management requirements addressed in the EO, along with
Prevalent’s recommended capabilities to assess supplier practices.
Executive Order 14028 Checklist
(C) establishing multi-factor, risk-based authentication and conditional access across the enterprise;
(D) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;

Note: Agencies can also take advantage of the Prevalent Vendor Risk Networks, which contain completed security risk assessments to accelerate the risk identification process.
The Prevalent Difference
The Executive Order on Improving the Nation’s Cybersecurity
As the requirements outlined in the Executive Order on Improving
the Nation’s Cybersecurity take shape, now is the time for IT software
companies to build or mature their own third-party risk management
programs. Key considerations should include:
To discuss how Prevalent can help you address requirements in Executive Order 14028,
request a demo today.
ISO 27001, 27002 and 27036-2
The International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) assemble experts from 165 countries to share
knowledge and develop voluntary, consensus-based standards to solve global challenges.
Organizations pursue ISO certifications to benefit from best practice guidance, align with
global frameworks, and signal to customers and partners that they adhere to accepted
standards. ISO standards therefore provide the foundation for many compliance regimes.
This section examines supply chain security controls and guidance in the above ISO standards and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can be used to meet ISO requirements for stronger supply chain security. For simplification, all standards are abbreviated as ISO [number].

Several ISO cybersecurity and data privacy standards address third-party risks, including:
• Create an information security policy for supplier relationships that outlines specific policies and procedures and mandates specific controls be in place to manage risk
• Establish contractual supplier agreements for any third party that may access, process, store, communicate or provide IT infrastructure to an organization’s data
• Include requirements to address the information security risks associated with information and communications technology services and product supply chain
ISO 27036-2
ISO 27036-2 specifies fundamental information security requirements for defining, implementing, operating,
monitoring, reviewing, maintaining and improving supplier and acquirer relationships. This standard is
particularly relevant for third-party risk management, as the requirements cover the procurement and
supply of products and services.
Clauses 6 and 7 in ISO 27036-2 define fundamental and high-level information security requirements applicable
to managing each stage of the supplier relationship lifecycle.
The next section of this checklist identifies key third-party risk management guidance published in the ISO
standards. It also describes capabilities in the Prevalent Platform that can help address the requirements.
NOTE: This table should not be considered definitive guidance. For a complete list of controls, please review
the complete ISO standards in detail and consult your auditor.
ISO 27001 Checklist
5 Organizational Controls

5.1 Policies for information security
“Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”

How Prevalent helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security, cybersecurity and privacy protection programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

5.7 Threat intelligence
“Information relating to information security threats shall be collected and analysed to produce threat intelligence.”

How Prevalent helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:
5.11 Return of assets
“Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.”

How Prevalent helps: When a termination or exit is required for critical services, Prevalent leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.

5.19 Information security in supplier relationships
“Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”

How Prevalent helps: Prevalent offers a library of more than 200 pre-built templates, including dedicated ISO questionnaires, for assessing the information security risks associated with third parties.

Assessments are centrally managed in the Prevalent Platform. They are backed by workflow, task management and automated evidence review to enable visibility into risks throughout the supplier relationship.

Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results to ensure that third parties address risks in a timely and satisfactory manner.
5.21 Managing information security in the information and communication technology (ICT) supply chain
“Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.”

How Prevalent helps: Prevalent standardizes assessments against ISO best practices and other information security control frameworks, providing internal audit and IT security teams with a central platform for measuring and demonstrating adherence to secure software development and software development lifecycle (SDLC) practices.

5.22 Monitoring, review and change management of supplier services
“The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.”

How Prevalent helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:
• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies

5.23 Information security for use of cloud services
“Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.”

How Prevalent helps: Prevalent standardizes assessments against SOC 2, Cyber Essentials, ISO, and other information security control frameworks, providing key controls assessments against cloud services requirements.

These same assessments are also used to assess information security controls when offboarding cloud services.
5.24 Information security incident management planning and preparation
“The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.”

How Prevalent helps: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance.

Key capabilities include:
• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
5.30 ICT readiness for business continuity
“ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.”

How Prevalent helps: Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.

To complement business resilience assessments and validate results, Prevalent:
• Automates continuous cyber monitoring that may predict possible third-party business impacts
5.31 Legal, statutory, regulatory and contractual requirements
“Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.”

How Prevalent helps: Prevalent centralizes the distribution, discussion, retention, and review of supplier contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:
• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to speed contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

5.34 Privacy and protection of personal identifiable information (PII)
“The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.”

How Prevalent helps: Prevalent delivers a centralized, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks. Key data security and privacy assessment capabilities include:
• Scheduled assessments and relationship mapping to reveal where personal data exists, where it is shared, and who has access – all summarized in a risk register that highlights critical exposures
• Privacy Impact Assessments to uncover at-risk business data and personally identifiable information (PII)
• Vendor assessments against GDPR and other privacy regulations via the Prevalent Compliance Framework (PCF) – reveals potential hot spots by mapping identified risks to specific controls
• GDPR risk and response mapping to controls. Includes percent-compliance ratings and stakeholder-specific reports.
• A database containing 10+ years of data breach history for thousands of companies – includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications
• Centralized onboarding, distribution, discussion, retention, and review of vendor contracts – ensures that data protection provisions are enforced from the beginning of the relationship
5.36 Compliance with policies, rules and standards for information security
“Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.”
How Prevalent Helps: With Prevalent, auditors can establish a program to efficiently achieve and demonstrate compliance. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.
Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements.
“Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”
5.19 a) “identifying and documenting the types of suppliers (e.g. ICT services, logistics, utilities, financial services, ICT infrastructure components) which can affect the confidentiality, integrity and availability of the organization’s information;”
How Prevalent Helps: The Prevalent Platform enables organizations to automatically tier suppliers according to their inherent risk scores, set appropriate levels of diligence, and determine the scope of ongoing assessments.
Organizations can also categorize vendors with rule-based logic based on a range of data interaction, financial, regulatory and reputational considerations.
ISO 27002 Checklist
5.19 b) “establishing how to evaluate and select suppliers according to the sensitivity of information, products and services (e.g. with market analysis, customer references, review of documents, onsite assessments, certifications);”
How Prevalent Helps: Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) as part of vendor selection decisions.
Prevalent moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle.
Prevalent features a library of more than 200 pre-built templates for ongoing third-party risk assessments. These are integrated with native cyber, business, reputational, and financial risk monitoring capabilities, which continuously validate assessment findings and fill gaps between assessments.
5.19 c) “evaluating and selecting supplier’s products or services that have adequate information security controls and reviewing them; in particular, accuracy and completeness of controls implemented by the supplier that ensure integrity of the supplier’s information and information processing and hence the organization’s information security;”
How Prevalent Helps: The Prevalent Risk Profiling Snapshot enables you to compare and monitor demographics, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors. With the Snapshot, you can see results in line with RFx responses for a holistic view of suppliers – their fit for purpose and fit according to your organization’s risk appetite.
5.19 g) “monitoring compliance with established information security requirements for each type of supplier and type of access, including third-party review and product validation;”
How Prevalent Helps: With Prevalent, auditors can establish a program to efficiently achieve and demonstrate compliance. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.
5.19 i) “handling incidents and contingencies associated with supplier products and services including responsibilities of both the organization and suppliers;”
How Prevalent Helps: The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.
5.19 m) “requirements to ensure a secure termination of the supplier relationship, including:
1) de-provisioning of access rights;
2) information handling;
4) information portability in case of change of supplier or insourcing;
6) records management;
7) return of assets;
8) secure disposal of information and other associated assets;
9) ongoing confidentiality requirements”
How Prevalent Helps: The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.
• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
• Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.
“Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.”
5.20 d) “legal, statutory, regulatory and contractual requirements, including data protection, handling of personally identifiable information (PII), intellectual property rights and copyright and a description of how it will be ensured that they are met;”
How Prevalent Helps: Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts, ensuring that key provisions are included in supplier contracts and continually tracked. Key capabilities include:
• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access
5.20 e) “obligation of each contractual party to implement an agreed set of controls, including access control, performance review, monitoring, reporting and auditing, and the supplier’s obligations to comply with the organization’s information security requirements;”
How Prevalent Helps: The Prevalent solution enables internal, control-based assessments (based on the ISO industry standard framework and/or custom questionnaires). The platform includes built-in workflow capabilities that enable assessors to interact efficiently with third parties during the due diligence collection and review periods. Robust reporting and audit capabilities give each level of management the information it needs to properly review the third party’s performance.
Organizations can assess third parties against cybersecurity, SLA performance, and other topics, and correlate findings with the results of continuous outside monitoring for a complete view of risks.
5.20 h) “information security requirements regarding the supplier’s ICT infrastructure; in particular, minimum information security requirements for each type of information and type of access to serve as the basis for individual supplier agreements based on the organization’s business needs and risk criteria;”
How Prevalent Helps: Prevalent provides a framework for centrally measuring third-party KPIs and KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports.
The capabilities can help your team to uncover risk and performance trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation.
Built-in remediation recommendations ensure that third parties address risks in a timely and satisfactory manner.
5.20 j) “incident management requirements and procedures (especially notification and collaboration during incident remediation);”
How Prevalent Helps: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy.
Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.
5.20 l) “relevant provisions for sub-contracting, including the controls that need to be implemented, such as agreement on the use of sub-suppliers (e.g. requiring to have them under the same obligations of the supplier, requiring to have a list of sub-suppliers and notification before any change);”
How Prevalent Helps: Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.
Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.
5.20 o) “the evidence and assurance mechanisms of third-party attestations for relevant information security requirements related to the supplier processes and an independent report on effectiveness of controls;”
5.20 q) “supplier’s obligation to periodically deliver a report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report;”
How Prevalent Helps: The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.
Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to ISO and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.
5.20 x) “termination clauses upon conclusion of the agreement including records management, return of assets, secure disposal of information and other associated assets, and any ongoing confidentiality obligations;”
How Prevalent Helps: Prevalent contract lifecycle management capabilities ensure that key provisions are included in supplier contracts and continually tracked. Automated contract assessments and offboarding procedures such as reporting on system access, data destruction, access management, compliance with all relevant laws, and final payments reduce your organization’s risk of post-contract exposure.
“Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.”
5.21 b) “requiring that ICT services suppliers propagate the organization’s security requirements throughout the supply chain if they sub-contract for parts of the ICT service provided to the organization;”
How Prevalent Helps: Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.
5.21 g) “implementing a process for identifying and documenting product or service components that are critical for maintaining functionality and therefore require increased attention, scrutiny and further follow up required when built outside of the organization especially if the supplier outsources aspects of product or service components to other suppliers;”
How Prevalent Helps: Prevalent enables you to assess and monitor third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:
• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
“The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.”
5.22 a) “monitor service performance levels to verify compliance with agreements;”
How Prevalent Helps: With the Prevalent Platform, organizations can customize surveys to make it easy to gather and analyze necessary performance and contract data in a single risk register. Prevalent identifies key contract attributes relating to SLAs or performance, populates those requirements in the Platform, and assigns tasks to you and your third party for tracking purposes.
5.22 b) “monitor changes made by suppliers including:
1) enhancements to the current services offered;
2) development of any new applications and systems;
3) modifications or updates of the supplier’s policies and procedures;
4) new or changed controls to resolve information security incidents and to improve information security;”
How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources include:
• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
5.22 e) “conduct audits of suppliers and sub-suppliers, in conjunction with review of independent auditor’s reports, if available and follow-up on issues identified;”
How Prevalent Helps: The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.
Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to ISO and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.
5.22 f) “provide information about information security incidents and review this information as required by the agreements and any supporting guidelines and procedures;”
How Prevalent Helps: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:
5.22 i) “identify information security vulnerabilities and manage them;”
How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, correlating monitoring data with assessment results and centralizing it in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources include:
5.22 j) “review information security aspects of the supplier’s relationships with its own suppliers”
How Prevalent Helps: Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.
5.22 k) “ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster;”
How Prevalent Helps: Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to ISO and other control frameworks.
The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:
5.22 m) “evaluate regularly that the suppliers maintain adequate information security levels;”
How Prevalent Helps: Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.
Table 3. Prevalent Mappings to ISO 27036-2 Security Standards
Although the entire ISO 27036-2 standard is applicable for supplier relationships, this table highlights only
the most prominent controls.
6.1.1.1 Agreement processes / Acquisition process / Objective
Establish a supplier relationship strategy that:
• is based on the information security risk tolerance of the acquirer;
• defines the information security foundation to use when planning, preparing, managing and terminating the procurement of a product or service.
How Prevalent Helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.
Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.
As part of this process, Prevalent can help you define:
ISO 27036-2 Checklist
6.2.1 Organizational project-enabling processes / Life cycle model management process
a) The acquirer and the supplier shall establish the life cycle model management process when managing information security in supplier relationships.
How Prevalent Helps: Prevalent helps to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties across the entire vendor risk lifecycle – from sourcing and selection to offboarding and everything in between.
6.2.2.1 Organizational project-enabling processes / Infrastructure management process / Objective
a) Provide the enabling infrastructure to support the organization in managing information security within supplier relationships.
How Prevalent Helps: Prevalent provides a central SaaS platform that enables acquirers and suppliers to collaborate on risk reduction by automating risk assessments against more than 200 industry standards – including ISO. With the platform, acquirers gain built-in workflow and remediation, automated analysis and reporting.
6.2.3.2 Project portfolio management process / Activities
a) Define, implement, maintain and improve a process for identifying and categorizing suppliers or acquirers based on the sensitivity of the information shared with them and on the access level granted to them to acquirer’s or supplier’s assets, such as information and information systems;
How Prevalent Helps: Prevalent enables you to assess and monitor third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:
• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Reputation
6.3.4.1 Project processes / Risk management process / Objective
a) Continuously address information security risks in supplier relationships and throughout their life cycle including re-examining them periodically or when significant business, legal, regulatory, architectural, policy and contractual changes occur.
How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.
Monitoring sources include:
6.3.7.1 Project processes / Measurement process / Objective
a) Collect, analyze, and report information security measures related to the procurement or supply of a product or service to demonstrate the maturity of information security in a supplier relationship and to support effective management of processes.
How Prevalent Helps: Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.
With a library of 200+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.
With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.
7.2.1 Supplier selection process / Objectives
a) Select a supplier that provides adequate information security for the product or service that may be procured.
How Prevalent Helps: The Prevalent Risk Profiling Snapshot enables you to compare and monitor demographics, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors. With the Snapshot, you can see results in line with RFx responses for a holistic view of suppliers – their fit for purpose and fit according to your organization’s risk appetite.
(continued)
• security controls required across information security, ICT security, personnel security and physical security;
• a transition process when the product or service has been previously operated or manufactured by a party different from the supplier;
• information security change management;
• information security incident management;
• compliance monitoring and enforcement;
How Prevalent Helps (continued):
• Delivers the largest library of standardized and custom risk assessments with built-in workflow, tasks, and evidence management
• Integrates native cyber, business, reputational and financial risk monitoring to correlate risks against assessment results and validate findings
• Includes machine learning analytics to normalize and correlate findings from multiple sources
• Delivers compliance and risk reporting by framework or regulation
• Improves remediation management with built-in guidance
• Includes Contract and RFx management to enable more complete risk management prior to onboarding
• Automates third-party incident response
7.4.1 Supplier relationship management process / Objectives
a) Maintain information security during the execution period of the supplier relationship in accordance with the supplier relationship agreement and by particularly considering the following:
How Prevalent Helps: With the Prevalent Platform, acquirers can automatically map information gathered from control-based assessments to regulatory frameworks – including ISO and many others – to quickly visualize and address important compliance requirements at every stage of the supplier lifecycle.
7.5.1 Supplier relationship termination process / Objectives
a) Protect the product or service supply during termination to avoid any information security, legal and regulatory impacts after the notice of termination;
b) Terminate the product or service supply in accordance to the termination plan.
How Prevalent Helps: The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.
• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
The Prevalent Difference
ISO 27001, 27002 and 27036-2 Compliance
The ISO standards presented in this section require robust management and tracking of third-party supplier
security and data privacy risk. They specify the following:
Prevalent’s Third-Party Risk Management Platform offers a complete framework for implementing
policy management, auditing and reporting related to the third-party risk and supply chain compliance
requirements of ISO 27001, 27002, and 27036-2 – with dedicated questionnaires and risk registers for
each standard.
Contact Prevalent for a free maturity assessment to determine how your current TPRM policies stack
up to ISO standards, or request a demo of the Prevalent TPRM Platform today.
NCSC Supply Chain Cyber Security Guidance
Following a continual increase in high profile cyber-attacks resulting from supply chain vulnerabilities, the United Kingdom National Cyber Security Centre (NCSC) – a part of GCHQ – has published updated guidance to help organizations effectively assess and gain confidence in the cyber security of their supply chains.
The latest guidance, issued in October 2022 and broken out into five stages, is intended to help organizations implement the NCSC’s 12 supply chain security principles originally published in January 2018.
This checklist examines the five stages in the latest NCSC guidance and identifies best practice steps to implement the guidance.
NOTE: All best practices considerations included in this document are generalized.
Consult with your auditor about what practices are appropriate for your organization.
Source: https://www.ncsc.gov.uk/files/Assess-supply-chain-cyber-security.pdf
Stage 1: Before You Start
According to the NCSC guidance, the goal of stage 1 is to, “Gain knowledge about your own organisation’s
approach to cyber security risk management.” This initial planning stage entails understanding:
• Who in the organization should be involved in supply chain cyber security decisions; and
Understand why your organisation should care about supply chain cyber security
According to a recent industry study, 45% of organizations have experienced a third-party data or privacy breach in the past 12 months. Consider some recent examples, and the impact those security incidents caused:
Russian state actors hacked into the Orion software product which was then pushed out to SolarWinds customers as part of a series of regularly planned updates. This effort gave the cybercriminals access to thousands of companies’ systems and data. SolarWinds is facing lawsuits, fines, congressional testimony and more, and the incident will affect their customers’ trust in them for years to come.
• Can you identify the most likely attack path for a cyber attacker?
If the answer to any of these questions is “no,” then you must assess the weak points in your cyber supply chain and build a plan to mitigate those risks.
NCSC Supply Chain Cyber Security Guidance Checklist
Identify the key players in your organisation
Having the right people in place to support supply chain cyber security will help drive the changes required.
Participants can include representatives from procurement and sourcing, risk management, security and IT, legal and compliance, and data privacy teams. The reason that so many teams should be engaged as part of the supply chain cyber risk management process is that each department tends to focus on the risks that matter to them.
• Consulted with
Finally, gain buy-in from senior executives and the board by:
Understand how your organisation evaluates risk
A common way to categorize risk is through a “heat map” that measures risk on two axes: Likelihood of occurrence and impact to operations. Naturally, risks that rate high on both scales (e.g., the upper-right quadrant) should be prioritized higher than risks that rate lower.
Stage 2: Develop an Approach to Assess Supply Chain Cyber Security
Stage 2 guidance calls for “Creating a repeatable, consistent approach for assessing the cyber security of your suppliers.” This stage involves:
• Defining what the ideal security controls should be to protect the asset; and
Prioritise your organisation’s “crown jewels”
Determine the critical aspects in your organisation that you need to protect the most.
Prior to creating the supplier’s security profile, consider the inherent risks they expose the company to. Consider this framework when calculating inherent risk:
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
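The likelihood-and-impact heat map described under “Understand how your organisation evaluates risk” and the inherent-risk criteria listed here (and in the ISO 27002 5.21 g) and ISO 27036-2 6.2.3.2 rows earlier in this guide) can be combined into one scoring routine that places each supplier in a heat-map quadrant and assigns a tier that sets the depth of due diligence. The Python below is an added example and is not Prevalent’s code or method; the 1-5 rating scale, the criterion weights, the 3.0 quadrant threshold, the tier cut-offs, the per-tier diligence scope and the three sample suppliers are all assumptions constructed for the example.

```python
"""Supplier inherent-risk scoring, heat-map placement and tiering.

Added example, not Prevalent's code. The criteria follow the inherent-risk
criteria listed in this guide (criticality, location/regulatory exposure,
type of content, reliance on fourth parties, reputation); the 1-5 scale,
the weights, the heat-map threshold and the tier cut-offs are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = range(1, 6)  # assumed rating scale: 1 = lowest, 5 = highest

# Impact axis: how much a failure at this supplier would hurt the acquirer.
IMPACT_WEIGHTS = {
    "criticality": 2.0,          # criticality to business performance and operations
    "content_sensitivity": 2.0,  # type of content / data shared with the supplier
    "regulatory_exposure": 1.0,  # location(s) and related legal or regulatory considerations
}
# Likelihood axis: how plausible a failure is, given what is known of the supplier.
LIKELIHOOD_WEIGHTS = {
    "fourth_party_reliance": 1.0,  # level of reliance on fourth parties (concentration risk)
    "reputation": 1.0,             # adverse reputational history
}

# Assumed diligence scope per tier (the guide's "appropriate levels of diligence").
DILIGENCE = {
    1: "full control-based assessment, evidence review and continuous monitoring",
    2: "standard questionnaire plus continuous monitoring",
    3: "self-attestation, re-checked at contract renewal",
}


@dataclass
class Supplier:
    name: str
    ratings: dict  # criterion name -> integer rating in SCALE


def _weighted_average(ratings: dict, weights: dict) -> float:
    """Weighted mean of the ratings named in `weights`, on the 1-5 scale.

    A missing or out-of-range rating is an error, not a silent zero: an
    unscored criterion would otherwise pull a supplier into a lower tier.
    """
    for criterion in weights:
        if ratings.get(criterion) not in SCALE:
            raise ValueError(f"missing or out-of-range rating for {criterion!r}")
    total = sum(weights.values())
    return round(sum(ratings[c] * w for c, w in weights.items()) / total, 2)


def score(supplier: Supplier) -> tuple[float, float]:
    """Return (likelihood, impact), each on the 1-5 scale."""
    return (_weighted_average(supplier.ratings, LIKELIHOOD_WEIGHTS),
            _weighted_average(supplier.ratings, IMPACT_WEIGHTS))


def quadrant(likelihood: float, impact: float, threshold: float = 3.0) -> str:
    """Place a supplier on the heat map (impact on the x axis, likelihood on the y axis)."""
    high_likelihood = likelihood >= threshold
    high_impact = impact >= threshold
    return {
        (True, True): "upper-right",   # high likelihood, high impact: prioritize first
        (True, False): "upper-left",   # likely but low impact
        (False, True): "lower-right",  # unlikely but damaging
        (False, False): "lower-left",  # low on both scales
    }[(high_likelihood, high_impact)]


def tier(likelihood: float, impact: float) -> int:
    """Map the likelihood x impact product (1-25) to tiers 1 (highest) to 3."""
    risk = likelihood * impact
    if risk >= 12:
        return 1
    if risk >= 8:
        return 2
    return 3


def prioritize(suppliers: list) -> list:
    """Score every supplier and return them highest inherent risk first."""
    rows = []
    for s in suppliers:
        likelihood, impact = score(s)
        t = tier(likelihood, impact)
        rows.append({
            "name": s.name,
            "likelihood": likelihood,
            "impact": impact,
            "risk": round(likelihood * impact, 2),
            "quadrant": quadrant(likelihood, impact),
            "tier": t,
            "diligence": DILIGENCE[t],
        })
    return sorted(rows, key=lambda r: (-r["risk"], r["name"]))


# Constructed sample suppliers (not real vendors).
SAMPLE_SUPPLIERS = [
    Supplier("Payments processor", {"criticality": 5, "content_sensitivity": 5,
                                    "regulatory_exposure": 4, "fourth_party_reliance": 4,
                                    "reputation": 2}),
    Supplier("Marketing analytics SaaS", {"criticality": 2, "content_sensitivity": 3,
                                          "regulatory_exposure": 3, "fourth_party_reliance": 5,
                                          "reputation": 4}),
    Supplier("Office catering", {"criticality": 1, "content_sensitivity": 1,
                                 "regulatory_exposure": 1, "fourth_party_reliance": 2,
                                 "reputation": 1}),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_SUPPLIERS):
        print(f"{row['name']:<26} L={row['likelihood']} I={row['impact']} "
              f"risk={row['risk']:>5} {row['quadrant']:<11} tier {row['tier']}: {row['diligence']}")
```

Running the module prints the ranked list. Two design points matter more than the particular weights: a rating that is missing or off the scale is rejected rather than defaulted, because an unscored criterion silently lowers a supplier’s tier, and the tier (not the raw score) is what drives the scope of assessment, so a change in cut-offs is a visible policy decision rather than an accident of arithmetic.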
Stage 3: Apply the Approach to New Supplier Relationships
At Stage 3, NCSC guidance recommends embedding “new security practices throughout the contract
lifecycle of new suppliers, from procurement and supplier selection through to contract closure.” This
involves monitoring adherence to contractual provisions and maintaining the team’s awareness of their
responsibilities during the process.
Embed cyber security controls throughout the contract’s duration
This guidance requires organizations to be aware of risks at every stage of the supplier lifecycle, including:
Identify existing contracts
Centralize the distribution, discussion, retention and review of vendor contracts so that all applicable teams can participate in contract reviews to ensure the appropriate security clauses are included. Key practices to consider in managing supplier contracts include:
• Tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
Support your suppliers
Report progress to the board
Start by determining the difference between key performance indicators (KPIs) and key risk indicators (KRIs) and how they are related.
Stage 5: Continuously Improve
The final stage of the NCSC guidance says to “Periodically refine your approach as new issues emerge,” which “will reduce the likelihood of risks being introduced into your organisation via the supply chain.”
Evaluate the approach and its components regularly
Continuously review the organization’s supply chain cybersecurity program at every stage of the supplier’s lifecycle. Key areas to review include:
Maintain awareness of evolving threats and update practices accordingly
Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
NCSC Guidance Best Practices Considerations
Collaborate with your suppliers
Develop remediation plans with recommendations that suppliers can follow to reduce residual risk. Provide a forum for suppliers to upload evidence and communicate on specific remediations with a secure audit trail for tracking remediations to a close.
For more on how Prevalent can help address the requirements set forth
in NCSC guidance, request a demo today.
NIST SP 800-53, SP 800-161 and CSF
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST’s responsibilities include establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST publishes and maintains key resources for managing cybersecurity risks applicable to any company, nearly 50% of private sector organizations have also adopted their guidelines, making NIST publications the primary standards for evaluating IT controls.
This section examines the applicable supply chain cybersecurity controls and guidance in NIST publications and identifies capabilities available in the Prevalent Third-Party Risk Management Platform that you can use to meet NIST requirements for stronger supply chain security.
Several NIST special publications have specific controls that address third-party supplier IT security. The most applicable are:
• SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
• SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Federal Information Systems and Organizations
• Cybersecurity Framework v1.1: Framework for Improving Critical Infrastructure Cybersecurity
These guidelines complement one another, so your organization can standardize on one special publication and cross-map to the others – in effect meeting multiple requirements using a single framework.
Supply Chain Risk Management Controls in SP 800-53 Rev. 5
NIST supply chain security and data privacy controls have evolved with each SP 800-53 revision. For example, in SP 800-53 Rev. 4 Supply Chain Protection was covered under a broader “System & Service Acquisition” control group. This single control addressed the need to identify vulnerabilities throughout an information system’s lifecycle, and to respond through strategy and controls. It encouraged organizations to procure third-party solutions to implement security safeguards. It also required organizations to review and assess suppliers and their products prior to engagement for broader supply chain visibility.
Acknowledging the increasing number of third-party supplier-related data breaches and other security
events, SP 800-53 Rev. 5 expands and refines the supply chain security and privacy guidelines by
establishing an entirely new control group, “SR-Supply Chain Risk Management.” It also requires
organizations to develop and plan for managing supply chain risks by:
• Emphasizing security and privacy through collaboration in identifying risks and threats, and through the application of security and privacy-based controls
• Increasing awareness of the need to pre-assess organizations, and to ensure visibility into issues and breaches
How SP 800-161 Rev. 1 Complements Supply Chain Risk Management
NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With
SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor
cybersecurity supply chain risks.
SP 800-161 further identifies the following dimensions that form the framework of cybersecurity supply
chain management:
Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework
for assessing and mitigating supplier cybersecurity risks.
• ID.SC-3: Implement appropriate measures in supplier and third-party partner contracts to meet the
objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
• ID.SC-4: Routinely assess suppliers and third-party partners using audits, test results, or other forms of
evaluations to confirm they are meeting their contractual obligations.
• ID.SC-5: Conduct response and recovery planning and testing with suppliers and third-party providers.
The next section of this checklist cross-maps applicable supplier risk management guidance between
these three NIST publications.
Mapping Prevalent Capabilities to NIST Cybersecurity Supply
Chain Risk Management Control Requirements
The summary table below maps capabilities available in the Prevalent Third-Party Risk Management
Platform to select third-party vendor or supplier controls present in SP 800-53, with SP 800-161 and the
Cybersecurity Framework v1.1 control overlays (bolded) applied to the table to illustrate cross-mapping.
NOTE: This table should not be considered definitive guidance. For a complete list of controls, please review
the complete SP 800-53, SP 800-161 and Cybersecurity Framework v1.1 requirements in detail and consult
your auditor.
Supplemental C-SCRM Guidance: Enterprises should use a variety of assessment techniques and
methodologies, such as continuous monitoring, insider threat assessment, and malicious user assessment.
These assessment mechanisms are context-specific and require the enterprise to understand its supply
chain and to define the required set of measures for assessing and verifying that appropriate protections
have been implemented.
Supplemental C-SCRM Guidance: For C-SCRM, enterprises should use external security assessments
for suppliers, developers, system integrators, external system service providers, and other ICT/OT related
service providers. External assessments include certifications, third-party assessments, and – in the
federal context – prior assessments performed by other departments and agencies. Certifications from
the International Enterprise for Standardization (ISO), the National Information Assurance Partnership
(Common Criteria), and the Open Group Trusted Technology Forum (OTTF) may also be used by non-
federal and federal enterprises alike, if such certifications meet agency needs.
SP 800-53r5 Control Number and Name Applicable to SP 800-161r1
Cybersecurity Supply Chain Risk Management
Controls:
• ID.RA-1: Asset Vulnerabilities are identified and documented.
• DE.AE-2: Detected events are analyzed to understand attack targets and methods.
• DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
• DE.CM-1: The network is monitored to detect potential cybersecurity events.
• RS.AN-1: Notifications from detection systems are investigated.
Prevalent capabilities: Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.
Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.
Controls:
• ID.BE-1: The organization’s role in the supply chain is identified and communicated.
• ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
• PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
• DE.AE-4: Impact of events is determined.
• RS.RP-1: Response plan is executed during or after an incident.
• RS.CO-3: Information is shared consistent with response plans.
• RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
• RS.AN-2: The impact of the incident is understood.
Prevalent capabilities: The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance.
The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises.
In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.
All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
Supplemental C-SCRM Guidance: A number of enterprises may be involved in managing incidents and
responses for supply chain security. After initially processing the incident and deciding on a course of action
(in some cases, the action may be “no action”), the enterprise may need to coordinate with their suppliers,
developers, system integrators, external system service providers, other ICT/OT-related service providers,
and any relevant interagency bodies to facilitate communications, incident response, root cause, and
corrective actions. Enterprises should securely share information through a coordinated set of personnel in
key roles to allow for a more comprehensive incident handling approach. Selecting suppliers, developers,
system integrators, external system service providers, and other ICT/OT-related service providers with
mature capabilities for supporting supply chain cybersecurity incident handling is important for reducing
exposure to cybersecurity risks throughout the supply chain. If transparency for incident handling is limited
due to the nature of the relationship, define a set of acceptable criteria in the agreement (e.g., contract).
A review (and potential revision) of the agreement is recommended, based on the lessons learned from
previous incidents. Enterprises should require their prime contractors to implement this control and flow
down this requirement to relevant sub-tier contractors.
Controls:
• ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
• DE.AE-2: Detected events are analyzed to understand attack targets and methods.
• DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
• DE.AE-4: Impact of events is determined.
• DE.AE-5: Incident alert thresholds are established.
• RS.RP-1: Response plan is executed during or after an incident.
• RS.CO-3: Information is shared consistent with response plans.
Prevalent capabilities: The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, proactively conducting event assessments, scoring identified risks, and accessing remediation guidance.
The Prevalent Platform includes unified capabilities for assessing, analyzing and addressing weaknesses in supplier business resilience plans. This enables you to proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises.
In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.
All risk intelligence is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
IR-5 Incident Monitoring
Supplemental C-SCRM Guidance: Enterprises should ensure that agreements with suppliers include requirements to track and document incidents, response decisions, and activities.
Prevalent capabilities: Prevalent Contract Essentials is a SaaS solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, your procurement and legal teams have a single solution to ensure that key contract clauses are in place, and that service levels and response times are managed.
Supplemental C-SCRM Guidance: Communications of security incident information from the enterprise
to suppliers, developers, system integrators, external system service providers, and other ICT/OT-related
service providers and vice versa require protection. The enterprise should ensure that information is
reviewed and approved for sending based on its agreements with suppliers and any relevant interagency
bodies. Any escalation of or exception from this reporting should be clearly defined in the agreement. The
enterprise should ensure that incident reporting data is adequately protected for transmission and received
by approved individuals only. Enterprises should require their prime contractors to implement this control
and flow down this requirement to relevant sub-tier contractors.
Incident Reporting | Supply Chain Coordination Continued
Controls:
• ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
Prevalent capabilities: All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
IR-8 Incident Response Plan
Supplemental C-SCRM Guidance: Enterprises should coordinate, develop, and implement an incident response plan that includes information-sharing responsibilities with critical suppliers and, in a federal context, interagency partners and the FASC. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors.
Prevalent capabilities: The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. The Incident Response Service provides the foundation to be well prepared for board and executive questions regarding the impact of supply chain incidents, and to demonstrate proof of your third-party breach response plan with auditors and regulators.
Supplemental C-SCRM Guidance: When addressing supply chain threat awareness, knowledge should be
shared between stakeholders within the boundaries of the organization’s information sharing policy.
Controls:
• ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
• ID.RA-3: Threats, both internal and external, are identified and documented.
• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
Prevalent capabilities: Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.
Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.
PM-31 Continuous Monitoring Strategy
Supplemental C-SCRM Guidance: The continuous monitoring strategy and program should integrate C-SCRM controls at Levels 1, 2, and 3 in accordance with the Supply Chain Risk Management Strategy.
Prevalent capabilities: Prevalent VTM reveals third-party cyber incidents for 550,000 actively tracked companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.
Prevalent then normalizes, correlates and analyzes information from across multiple inputs, including inside-out risk assessments and outside-in monitoring from Prevalent Vendor Threat Monitor and BitSight. This unified model provides context, quantification, management and remediation support.
RA-1 Policy and Procedures
Supplemental C-SCRM Guidance: Risk assessments should be performed at the enterprise, mission/program, and operational levels. The system-level risk assessment should include both the supply chain infrastructure (e.g., development and testing environments and delivery systems) and the information system/components traversing the supply chain. System-level risk assessments significantly intersect with the SDLC and should complement the enterprise’s broader RMF activities, which take part during the SDLC. A criticality analysis will ensure that mission-critical functions and components are given higher priority due to their impact on the mission, if compromised. The policy should include supply chain relevant cybersecurity roles that are applicable to performing and coordinating risk assessments across the enterprise (see Section 2 for the listing and description of roles). Applicable roles within suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers should be defined.
Prevalent capabilities: The Prevalent Platform includes more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls.
With the Prevalent Platform, you can automatically generate a risk register upon survey completion, ensuring that the entire risk profile (or a role-specific version) can be viewed in the centralized, real-time reporting dashboard – and reports can be downloaded and exported to determine compliance status. This filters out unnecessary noise and zeros in on areas of possible concern, providing visibility and trending to measure program effectiveness. Then, you can take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
Supplemental C-SCRM Guidance: Risk assessments should include an analysis of criticality, threats,
vulnerabilities, likelihood, and impact, as described in detail in Appendix C. The data to be reviewed and
collected includes C-SCRM-specific roles, processes, and the results of system/component and services
acquisitions, implementation, and integration. Risk assessments should be performed at Levels 1, 2, and
3. Risk assessments at higher levels should consist primarily of a synthesis of various risk assessments
performed at lower levels and used for understanding the overall impact with the level (e.g., at the
enterprise or mission/function levels). C-SCRM risk assessments should complement and inform risk
assessments, which are performed as ongoing activities throughout the SDLC, and processes should be
appropriately aligned with or integrated into ERM processes and governance.
Controls:
• ID.RA-1: Asset Vulnerabilities are identified and documented.
• ID.RA-3: Threats, both internal and external, are identified and documented.
• ID.RA-4: Potential business impacts and likelihoods are identified.
• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
• ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
• CSF DE.AE-4: Impact of events is determined.
• RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.
Prevalent capabilities: The Prevalent Platform includes more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security controls. Prevalent offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements.
In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.
All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
Supplemental C-SCRM Guidance: This control enhancement is relevant to C-SCRM and plans for
continuous monitoring of control effectiveness and should therefore be extended to suppliers, developers,
system integrators, external system service providers, and other ICT/OT-related service providers.
Controls:
• PR.IP-2: A System Development Life Cycle to manage systems is implemented.
• DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
Prevalent capabilities: In addition to facilitating automated, periodic internal control-based assessments, the Prevalent Platform also provides cyber security, business, reputational and financial monitoring – continually assessing third parties to identify potential weaknesses that can be exploited by cyber criminals.
All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
Supplemental C-SCRM Guidance: System monitoring information may be correlated with that of
suppliers, developers, system integrators, external system service providers, and other ICT/OT-related
service providers, if appropriate. The results of correlating monitoring information may point to supply
chain cybersecurity vulnerabilities that require mitigation or compromises.
Controls:
• DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
• DE.AE-2: Detected events are analyzed to understand attack targets and methods.
• DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
• DE.AE-4: Impact of events is determined.
• DE.CM-1: The network is monitored to detect potential cybersecurity events.
Prevalent capabilities: Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.
All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
Supplemental C-SCRM Guidance: The enterprise should evaluate security alerts, advisories, and
directives for cybersecurity supply chain impacts and follow up if needed. US-CERT, FASC, and other
authoritative entities generate security alerts and advisories that are applicable to C-SCRM. Additional
laws and regulations will impact who and how additional advisories are provided. Enterprises should
ensure that their information-sharing protocols and processes include sharing alerts, advisories, and
directives with relevant parties with whom they have an agreement to deliver products or perform services.
Enterprises should provide direction or guidance as to what actions are to be taken in response to sharing
such an alert, advisory, or directive. Enterprises should require their prime contractors to implement this
control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should
refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the
Nation’s Cybersecurity.
Controls:
• ID.RA-1: Asset Vulnerabilities are identified and documented.
• ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
• ID.RA-3: Threats, both internal and external, are identified and documented.
• RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
• RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).
Prevalent capabilities: Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.
All risk intelligence in the Prevalent Platform is centralized, correlated and analyzed in a single risk register that automates reporting and response, and features a flexible weighted scoring model based on likelihood of an event and its impact.
SR-1 Policy and Procedures
Supplemental C-SCRM Guidance: C-SCRM policies are developed at Level 1 for the overall enterprise and at Level 2 for specific missions and functions. C-SCRM policies can be implemented at Levels 1, 2, and 3, depending on the level of depth and detail. C-SCRM procedures are developed at Level 2 for specific missions and functions and at Level 3 for specific systems. Enterprise functions including but not limited to information security, legal, risk management, and acquisition should review and concur on the development of C-SCRM policies and procedures or provide guidance to system owners for developing system-specific C-SCRM procedures.
Prevalent capabilities: Prevalent Program Design Services define and document your third-party risk management program. You get a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM.
SR-2 Supply Chain Risk Management Plan
Supplemental C-SCRM Guidance: C-SCRM plans describe implementations, requirements, constraints, and implications at the system level. C-SCRM plans are influenced by the enterprise’s other risk assessment activities and may inherit and tailor common control baselines defined at Level 1 and Level 2. C-SCRM plans defined at Level 3 work in collaboration with the enterprise’s C-SCRM Strategy and Policies (Level 1 and Level 2) and the C-SCRM Implementation Plan (Level 1 and Level 2) to provide a systematic and holistic approach for cybersecurity supply chain risk management across the enterprise. C-SCRM plans should be developed as a standalone document and only integrated into existing system security plans if enterprise constraints require it.
Prevalent capabilities: Prevalent Program Design Services help you to continually improve your Prevalent Platform deployment, ensuring that your TPRM program maintains the flexibility and agility it needs to meet evolving business and regulatory requirements.
SR-6 Supplier Assessments and Reviews
Supplemental C-SCRM Guidance: In general, an enterprise should consider any information pertinent to the security, integrity, resilience, quality, trustworthiness, or authenticity of the supplier or their provided services or products. Enterprises should consider applying this information against a consistent set of core baseline factors and assessment criteria to facilitate equitable comparison (between suppliers and over time). Depending on the specific context and purpose for which the assessment is being conducted, the enterprise may select additional factors. The quality of information (e.g., its relevance, completeness, accuracy, etc.) relied upon for an assessment is also an important consideration. Reference sources for assessment information should also be documented. The C-SCRM PMO can help define requirements, methods, and tools for the enterprise’s supplier assessments. Departments and agencies should refer to Appendix E for further guidance concerning baseline risk factors and the documentation of assessments and Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.
Prevalent capabilities: The Prevalent Platform includes more than 200 standardized risk assessment survey templates – including for NIST, ISO and many others — a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and address all information security topics as they pertain to supply chain partner security and business resilience controls.
Prevalent VTM continuously tracks and analyzes externally observable threats to vendors and other third parties. The service complements and validates vendor-reported security control data from the Prevalent Platform by monitoring the Internet and dark web for cyber threats and vulnerabilities — and correlating assessment findings with research on operational, financial, legal and brand risks in a unified risk register that enables centralized risk triage and response.
SR-8 Notification Agreements

Supplemental C-SCRM Guidance: At minimum, enterprises should require their suppliers to establish notification agreements with entities within their supply chain that have a role or responsibility related to that critical service or product. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

Prevalent capability: With the Prevalent Platform, you can collaborate on documents, agreements and certifications, such as NDAs, SLAs, SOWs and contracts, with built-in version control, task assignment and auto-review cadences. Manage all documents throughout the vendor lifecycle in centralized vendor profiles.
NIST: Summary Guidelines and Recommendations
To address the supply chain risk management control requirements established in SP 800-53, use the Cybersecurity Framework v1.1 supplemental guidance and consider implementing the following practices (CSF v1.1 subcategories ID.SC-1 through ID.SC-5).

Practice (ID.SC-1): Identify, establish, assess, and manage cyber supply chain risk management processes, and ensure organizational stakeholders agree to them.
Prevalent capability: Define and document your third-party risk management program with expert professional services. Obtain a clear plan that accounts for your specific needs while incorporating best practices for end-to-end TPRM.

Practice (ID.SC-2): Identify, prioritize, and assess suppliers and third-party partners of information systems, components, and services using a cyber supply chain risk assessment process.
Prevalent capability: Onboard, profile, tier and score inherent risks across all third parties as a critical first step in the onboarding and prioritization stages of the vendor lifecycle.

Practice (ID.SC-3): Implement appropriate measures in supplier and third-party partner contracts to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
Prevalent capability: Use dedicated and custom contract assessment questionnaires to enable comprehensive reviews by identifying potential breaches of contract and other risks. Customizable surveys make it easy to gather and analyze necessary performance and contract data in a single risk register.

Practice (ID.SC-4): Routinely assess suppliers and third-party partners using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations.
Prevalent capability: Use a comprehensive solution to address all information security topics as they pertain to supply chain partner security controls.

Practice (ID.SC-5): Conduct response and recovery planning and testing with suppliers and third-party providers.
Prevalent capability: Identify and mitigate the impact of supply chain breaches by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance.
The Prevalent Difference
NIST SP 800-53, SP 800-161, CSF Compliance
NIST requires robust management and tracking of third-party supply chain security risks. SP 800-53,
SP 800-161, and CSF v1.1 specify that a policy for managing risk should be in place; security controls should
be selected; a policy should be codified in supplier agreements where appropriate; and suppliers should
be managed and audited to the requirements and controls. In short, organizations need to establish and
implement the processes to identify, assess and manage supply chain risk.
Contact Prevalent for a free maturity assessment to determine how your current TPRM policies stack
up to NIST requirements or request a solution demo today.
The Payment Card Industry Data Security Standard
(PCI DSS)
Originally developed in 2004 and revised consistently since, the Payment Card Industry
Data Security Standard (PCI DSS) aims to enhance cardholder data security and to
facilitate the broad adoption of consistent data security measures worldwide. The
standard applies to all entities that store, process or transmit cardholder data. With 12
requirements across six areas, the standard is designed to ensure that organizations have
the proper controls and procedures in place to secure cardholder data.
Specific to third-party risk management, PCI DSS requirements are applicable to organizations that
have outsourced:
• the management of systems (such as routers, firewalls, databases, physical security, and/or servers)
that are involved in transmitting, housing or protecting cardholder data.
All service providers with access to cardholder data – including shared hosting providers – must adhere to PCI DSS, and shared hosting providers must additionally protect each entity’s hosted environment and data. The checklist that follows focuses on Requirements 12.8 and 12.9, which govern how an entity manages its service providers and how service providers acknowledge their responsibilities to customers. The requirement text quoted below follows the PCI DSS v3.2.1 wording; check the current version of the standard for any renumbering or changed wording before relying on the numbers.
PCI DSS Checklist

Requirement 12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

12.8.1: Maintain a list of service providers including a description of the service provided.
Prevalent capability: Prevalent offers an internal automated qualification assessment that enables you to gather required details about all entities your organization is working with from all departments to satisfy the requirements of 12.8.1. Prevalent utilizes standardized rule-based profiling and tiering logic to help risk and security teams understand the scope of their vendors. Through a combination of information collection and specific tiering questions, Prevalent leverages data interaction, financial, regulatory and reputational considerations to inform tiering. This process ensures that third parties are assessed properly according to their importance to the organization and provides a central repository for vendor management.

12.8.2: Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Prevalent capability: Prevalent enables organizations to centralize agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features to accommodate 12.8.2. A dedicated contract assessment in the platform raises risks related to the achievement of contract clauses. Visualizing breaches of certain contract requirements or clauses ensures that organizations have the insights they need when renewing contracts.

12.8.3: Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
Prevalent capability: Prevalent delivers a standardized PCI assessment incorporating all 12 requirements, with built-in workflow to ensure the entire process – from survey collection and analysis to risk identification and reporting – is automated and efficient.

12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
Prevalent capability: Building on the requirement in 12.8.3, Prevalent offers a customizable survey to gather and analyze performance data, delivering a single repository of all third-party vendor evidence.

12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Prevalent capability: Prevalent enables organizations to centralize agreements, contracts and supporting evidence.

Requirement 12.9 (additional requirement for service providers only): Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Prevalent capability: Prevalent enables organizations to centralize agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features. A dedicated contract assessment in the platform raises risks related to the achievement of contract clauses. Visualizing breaches of certain contract requirements or clauses ensures that organizations have the insights they need when renewing contracts.
The Prevalent Difference
The Payment Card Industry Data Security Standard
Prevalent can help address the third-party requirements published in the PCI standard by:
• Assessing third parties using a comprehensive standardized PCI assessment built into the Prevalent
platform.
• Automatically generating a risk register once a survey has been completed, filtering out any unnecessary
noise and zeroing-in on areas of possible concern.
• Matching documentation or evidence against risks and vendors, creating an audit trail for review.
• Reporting against PCI compliance, including projecting future risks and compliance once recommended
remediations are applied.
• Identifying relationships between your organization and third parties to discover dependencies and
visualize information paths.
With advisory, consulting and managed services, organizations that need to assess their third parties for PCI
compliance can be assured of best practices with Prevalent.
To discuss how Prevalent can help you address PCI DSS requirements, request a demo today.
SEC Cybersecurity Risk Management, Strategy,
Governance and Incident Disclosure for Third Parties
In March 2022 the U.S. Securities and Exchange
Commission (SEC) proposed new rules and
amendments to enhance and standardize
disclosures regarding cybersecurity risk
management, strategy, governance and incident
reporting by public companies. Public comment on
the proposed rules ended on May 9, 2022. The SEC
has not yet announced a date for when the changes
will be finalized and enforced. However, there are several things you can do now to begin preparing your company.
This section reviews the important third-party considerations in the SEC cybersecurity risk management amendments and identifies critical third-party risk management (TPRM) capabilities to address the requirements. The proposal’s key elements are:
• Disclose information about a material cybersecurity incident within four (4) business days after the
company determines that it has experienced a material cybersecurity incident
• Provide updated disclosures relating to previously disclosed immaterial cybersecurity incidents when
they become material overall
• Enhance and standardize cybersecurity risk management, strategy and governance reporting by:
– Describing policies and procedures for the identification and management of risks from cybersecurity
threats, and oversight of third-party service providers
– Requiring disclosure about the board’s oversight of cybersecurity risk and management’s role and
expertise in assessing and managing cybersecurity risk and implementing policies, procedures
and strategies
• Disclose in annual reports and proxy filings if any member of the company’s board of directors has
expertise in cybersecurity
Checklist for Meeting SEC TPRM Requirements
Because 45% of organizations experienced a third-party security incident in the last year, it is essential that public companies consider the proposed SEC reporting amendments in the context of those relationships. This section identifies proposed requirements in the SEC cybersecurity risk management amendments and maps capabilities in the Prevalent Third-Party Risk Management Platform to those requirements to help security teams mitigate third-party risks and meet reporting obligations.
NOTE: This is a summary of the most relevant amendments only, and it should not be considered comprehensive, definitive guidance. For a complete list of rules, please review the complete document in detail and consult your auditor.

SEC Cybersecurity Disclosure Rules Checklist

Proposed requirement: “Disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:
• When the incident was discovered and whether it is ongoing;
• A brief description of the nature and scope of the incident;
• Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
• The effect of the incident on the registrant’s operations; and
• Whether the registrant has remediated or is currently remediating the incident.”

Prevalent capability: Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy.
In addition to our SaaS platform solutions, Prevalent offers a managed service where our experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate against continuous cyber monitoring; and issue remediation guidance – all on your behalf.
Key capabilities include:
• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
• Built-in reporting templates for internal and external stakeholders
• Guidance from built-in remediation recommendations to reduce risk
Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.
Proposed requirement: “The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;”
Prevalent capability: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.
Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.
• Third-party inventories
• Fourth-party mapping

Proposed requirement: “The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;”
Prevalent capability: Prevalent features a library of 200+ pre-built templates for third-party risk assessments. Assessments can be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually).
Assessments are managed centrally in the Prevalent Platform, and are backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.
Proposed requirement: “The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;”
Prevalent capability: Prevalent enables you to assess and monitor your third parties based on the extent of the threats to your information assets by capturing, tracking and quantifying inherent risks for all third parties.
Criteria used to calculate inherent risk for third-party classification include:
• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.
Proposed requirement: “The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;”
Prevalent capability: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Proposed requirement: “The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;”
Prevalent capability: Prevalent automates the assessment, continuous monitoring, analysis and remediation of risks to third-party business resilience and continuity – while automatically mapping results to NIST, ISO and other control frameworks.
To complement its business resilience assessments and validate vendor questionnaire responses, Prevalent:
• Automates continuous cyber monitoring that may predict possible third-party business impacts
• Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
• Outlines recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralizes system inventory, risk assessments, RACI charts, and third parties
When you need to terminate or exit critical services, you can leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The Prevalent solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.
Proposed requirement: “Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies; ...” and “Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; ...”
Prevalent capability: With Prevalent, you can establish a program to efficiently achieve and demonstrate third-party governance and compliance, while ensuring that policies and procedures evolve according to changing risk dynamics.
The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.
Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, COBIT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements and adjust your program accordingly – including whether or not to accept residual risks.

Proposed requirement: “Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;”
Prevalent capability: Prevalent provides a framework for centrally measuring third-party KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports.
The capabilities can help your team to uncover risk trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation.

Proposed requirement: “Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.”
Prevalent capability: Prevalent also improves efficiency by getting the right data into the right hands at the right time. This makes it easy for report recipients to quickly determine risk acceptability and make confident decisions, regardless of skill level.
The Prevalent Difference
SEC Cybersecurity Disclosure Rules Compliance
Prevalent solutions can help your organization to establish and mature your third-party cybersecurity risk
management, strategy, governance and incident disclosure program. With Prevalent, you can:
• Profile and tier all third parties, gaining inherent risk scores that indicate the likelihood and impact of a cybersecurity incident and enable you to right-size ongoing due diligence activities
• Map fourth and Nth parties to identify concentration risk and reveal data flows across the extended vendor ecosystem
• Automate third-party risk assessment, risk scoring and remediation processes
• Measure third-party business resilience against industry best practices
• Continuously monitor third parties for cybersecurity risks and correlate risks against assessment results to validate findings
• Automate incident response processes, speeding reporting and time to resolution
• Simplify board and executive reporting to enable clear and efficient decision making
• Benchmark your program against accepted best practices with compliance reporting against several frameworks and regulations
Contact Prevalent today for a free maturity assessment to determine how your TPRM policies stack
up to the SEC requirements, or schedule a demo to learn whether our solutions are a fit for you.
The Standard Information Gathering (SIG) Questionnaire
The Standard Information Gathering (SIG) questionnaire is a third-party risk questionnaire
created by the Shared Assessments membership organization. SIG is available in two
versions, Core and Lite, which equip organizations with industry-standard libraries
of curated questions to measure third-party risk across 19 different domains. Each
question is mapped to security controls across dozens of frameworks and compliance
requirements, enabling third-party risk standardization and improvement in adherence
with core TPRM compliance requirements.
SIG Lite questions can also be used when a third-party vendor or supplier has a low degree of profiled risk and requires less due diligence than higher-risk vendors.
SIG Core also allows organizations to select and customize the questions they want answered for each vendor. It also includes extensive coverage of legal requirements and best practices related to protecting personal information.
With the Prevalent Platform, you can:
• Automate the collection and analysis of SIG questionnaire answers and supporting evidence with a single platform
• Simplify regulatory and security framework reporting with additional, built-in control mappings
• Gain improved visibility into vendor risks with machine learning analytics and reporting
• Proactively mitigate risk with access to centralized remediation guidance
• Provide your team with reliable access to the latest version of the SIG questionnaire
• Complement and validate SIG questionnaire responses with continuous cyber, business, reputational, and financial risk monitoring
Contact Prevalent today to schedule a demo and learn about our solutions for automating SIG assessments.
System and Organization Control (SOC) 2
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) developed the trust services criteria for organizations to use as a framework for demonstrating the security, availability, processing integrity, confidentiality and privacy of systems and data.
Organizations familiar with System and Organization Control (SOC) 2 audits will recognize that
these trust services criteria are used to report on the effectiveness of their internal controls
and safeguards over infrastructure, software, people, procedures, and data.
With technology outsourcing becoming ever more widespread, organizations must ensure that their third-
party vendors store, process, and maintain data in accordance with the highest levels of security control.
This section examines controls and guidance in the AICPA standard and identifies capabilities in the
Prevalent Third-Party Risk Management Platform that can be used to meet SOC 2 requirements for stronger
data security throughout the supply chain.
Once the controls audit is complete, outputs can include either a Type 1 report, which looks at a service
provider’s system and the suitability of the design of controls at a point in time; or a Type 2 report, which
adds to the Type 1 report by also looking at the operating effectiveness of controls over a period of time.
Organizations across multiple industries use SOC 2 reports to demonstrate due diligence to clients,
differentiate themselves from competitors based on their security posture, or be proactive with auditors in
measuring compliance against data protection regulations.
However, with 61 criteria across more than 300 points of focus, it can quickly become overwhelming for
organizations standardizing on a SOC 2 report to understand how to evaluate third parties for control
weaknesses that could result in a business disruption.
Mapping Prevalent Capabilities to AICPA Trust Service Criteria for SOC 2 Reporting
Many companies have third parties that choose to submit SOC 2 reports instead of completing full third-party risk assessments, so it’s important to consistently evaluate all vendors. When a SOC 2 report is accepted in place of an assessment, confirm that the report’s scope (the system described, the trust services categories covered and the period examined) matches the services you actually consume, that it is a Type 2 report if you need evidence of operating effectiveness rather than design alone, and that any exceptions noted by the auditor are tracked as risks. The summary table below maps capabilities in the Prevalent Third-Party Risk Management Platform to select AICPA trust services criteria. Organizations can leverage the Prevalent platform to understand and mitigate risks, regardless of how risks are reported.
NOTE: This table should not be considered definitive guidance. For a complete list of controls, please review
the complete AICPA standard in detail and consult your auditor.
CC2.3: The entity communicates with external parties regarding matters affecting the functioning
of internal control.
SOC 2 Checklist
CC3.2: The entity identifies risks to the achievement of its objectives across the entity and
analyzes risks as a basis for determining how the risks should be managed.
Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity’s risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity’s information systems.
Prevalent capability: The Prevalent TPRM Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor, and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding.
The solution includes the ability to issue and manage point-in-time risk assessments using more than 75 different templates, analyze the results, as well as continuously monitor third-party cyber, business, reputational, and financial risks for a holistic view of third parties.
CC3.4: The entity identifies and assesses changes that could significantly impact the system of
internal control.
CC9.2: The entity assesses and manages risks associated with vendors and business partners.
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
Prevalent capability: Prevalent Contract Essentials helps vendor management, procurement and legal teams simplify the process of establishing and negotiating contract terms and SLAs, managing redlines, and securing approvals through workflow. The solution is fully integrated with the complete TPRM Platform, ensuring that organizations can manage vendor contracts with the same discipline that they manage vendor risks.

Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity’s objectives.
Prevalent capability: The Prevalent Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding.

Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners.
Prevalent capability: With the Prevalent Platform, security and risk management teams can manually assign tasks related to managing assessment risks, or leverage a pre-packaged library of ActiveRules to automate a range of tasks normally performed as part of the assessment and review processes – such as updating vendor profiles and risk attributes, sending notifications, or activating workflow – utilizing if-this, then-that logic.

Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
Prevalent capability: The Prevalent Platform enables vendor management teams to establish requirements to track and to centralize SLA and performance reporting against those requirements through a single reporting and analytics dashboard.
Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
Prevalent capability: The Prevalent Platform features reporting that reveals risk trends, status and exceptions to common behavior for individual vendors or groups with embedded machine learning insights. With this capability, teams can quickly identify outliers across assessments, tasks, risks, etc. that could warrant further investigation.

Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements.
Prevalent capability: The Prevalent Platform enables risk management and compliance teams to automatically map information gathered from controls-based vendor assessments to regulatory frameworks including ISO 27001, NIST, CMMC, GDPR, COBIT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and more to quickly visualize and address important compliance requirements.
P6.4: The entity obtains privacy commitments from vendors and other third parties who have
access to personal information to meet the entity’s objectives related to privacy. The entity
assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action,
if necessary.
Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
Prevalent capability: Prevalent includes built-in assessments for data protection regulations such as GDPR, CCPA, HIPAA and NYDFS. Results from these assessments are mapped into a central risk register where security and risk management teams can visualize and take action on potential risks to data and compare a vendor’s actions against their contractual obligations.
Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
Prevalent capability: The Prevalent Platform includes built-in remediation guidance and recommendations. Security and risk management teams can efficiently communicate with vendors and coordinate remediation efforts through the Platform, capture and audit conversations, and record estimated completion dates.
P6.5: The entity obtains commitments from vendors and other third parties with access to
personal information to notify the entity in the event of actual or suspected unauthorized
disclosures of personal information. Such notifications are reported to appropriate personnel
and acted on in accordance with established incident-response procedures to meet the entity’s
objectives related to privacy.
Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.
Prevalent capability: The Prevalent Third-Party Incident Response Service enables security and risk management teams to rapidly identify and mitigate the impact of data privacy incidents by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.
The Prevalent Difference
SOC 2 Compliance
Maturing and Optimizing Your Third-Party Risk
Management Program
With the Prevalent TPRM Platform, your organization can effectively adapt to the ever-changing regulatory
landscape for third-party risk management. Our recommended approach follows best-practices guidance for a
closed-loop third-party risk management program.
With Prevalent, you can mature your third-party risk management program from reactive, low-visibility and
low-efficiency, to proactive, intelligent and agile. Key steps include:
1. Manage all your vendors in one place: The first step is to take control of your third-party ecosystem by
onboarding vendors and getting a picture of their inherent risk. You can do that yourself, or you can have
Prevalent do it for you.
2. Get out of spreadsheet jail: Next, get out of spreadsheet jail with an automated assessment solution
that enables everyone to collaborate on industry-standard questionnaires. Again, you’re welcome to do
that yourself, or Prevalent can do it for you.
3. Make smarter decisions: Then, validate assessment responses against external cybersecurity
scores and business risk intelligence from continuous monitoring across thousands of public and
private sources.
4. Fix what’s important: Next, prioritize and fix what’s important to your organization by consulting a
centralized risk register that unifies assessment data and monitoring intelligence for each vendor.
5. Continuous, intelligent and automated: Finally, this gets you to a place where the third-party risk
management process is much more predictable and proactive, with continuous risk insights informing
your assessment cadence.
Following this process enables you not only to reveal potential compliance issues, but also to adhere to
the TPRM lifecycle recommended by most regulatory bodies. By combining automated vendor assessments
with continuous risk monitoring, you gain a 360-degree view of third-party risk. This results in more secure,
more compliant operations between your organization and its vendors, suppliers and business partners.
How Prevalent Can Help
Prevalent delivers a unified third-party risk management platform that enables you
to better reveal, interpret and alleviate risk at every stage of the vendor lifecycle. By
combining automated assessment with continuous threat monitoring, Prevalent enables
your organization to simplify compliance, reduce security risks, and improve efficiency.
• Bi-directional remediation workflows to facilitate risk management and mitigation, with complete audit
trails for all vendor communications and risk decisions
• A central reporting interface for visualizing compliance and risk status across the vendor landscape
• Deep data security auditing and business monitoring capabilities that enable you to move beyond
tactical network health reporting to reveal critical operational, financial, legal and brand risks
With Prevalent, you gain a 360-degree view of vendor risk for managing regulatory compliance and aligning
with industry standards and guidelines.
To learn how Prevalent can assist with your specific compliance requirements, request a demo today.
About Prevalent
Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and
services to eliminate the security and compliance exposures that come from working with vendors and
suppliers across the entire third-party lifecycle. Our customers benefit from a flexible, hybrid approach
to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on
investment. Regardless of where they start, we help our customers stop the pain, make informed decisions,
and adapt and mature their TPRM programs over time.
© Prevalent, Inc. All rights reserved. The Prevalent name and logo are trademarks or registered trademarks of Prevalent, Inc.
All other trademarks are the property of their respective owners. 4/23