The speed at which technologies evolve, and the constant emergence of innovative products and services, calls for some reflection. On the one hand, we must think about how to sustain these activities, which are necessary for the evolution of our information society; on the other, about how to ensure everyone's privacy and data protection, especially for us, the consumers of software products and the subjects of that data.
There are several regulations around the world on the subject, and companies seeking to comply face many challenges. One of them is supplier analysis. In this process, we seek to identify risks in the supplier's service provision that could affect the organization's operations.
In this text, you will learn more about the topics that must be addressed from the point of view of information security when analyzing suppliers. You will also get some suggestions on how netLex can be used in this process.
When carrying out a supplier analysis, it is necessary to evaluate several issues. This process involves areas such as Information Security, Privacy and Data Protection, as well as Information Technology, Finance and others.
The main objective is to confirm that good information security practices are in place, with sound technical and administrative measures to ensure privacy and data protection, while considering the criticality of the information involved in the process. In general, a vendor review process conducted through netLex consists of the following steps:
At this initial stage, we aim to identify whether the partner has, for example, a privacy policy, so that we can better understand how data processing takes place and whether it would bring any risk to the business while the required service is provided. Through netLex, it is possible to automate the stage in which the requestor makes the information available for analysis. These answers are then combined with others, such as "will data from the organization be used?" and "does the supplier have a certification?", to rank criticality and calculate residual risk.
For example: during an analysis, no privacy policy was found that explains how data is handled. In this case, the risk increases. A complementary procedure is therefore necessary, such as contacting the company and requesting the document. If the supplier in fact does not have one, agreeing on an action plan is also important. Only then is it possible to evaluate whether the risk can be accepted and what its impact will be.
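As an added illustration (not netLex's workflow or scoring model), the following Python sketch combines the questionnaire answers mentioned above into a criticality rank and a residual-risk score, and produces the follow-up from the example: a missing privacy policy raises the risk and triggers a document request. The weights, thresholds and classification scale are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed scale and weights for illustration only; a real programme would calibrate these.
DATA_CRITICALITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class SupplierAnswers:
    name: str
    uses_org_data: bool        # "will data from the organization be used?"
    data_classification: str   # highest classification the supplier would handle
    has_privacy_policy: bool   # a privacy policy was found during the analysis
    has_certification: bool    # an information security certification was provided


@dataclass
class Assessment:
    criticality: str
    inherent_risk: int
    residual_risk: int
    follow_ups: list = field(default_factory=list)


def assess(a: SupplierAnswers) -> Assessment:
    # Criticality comes from whether organisation data is used and how sensitive it is.
    inherent = DATA_CRITICALITY[a.data_classification] * 2 if a.uses_org_data else 1
    criticality = "high" if inherent >= 6 else "medium" if inherent >= 3 else "low"
    residual, follow_ups = inherent, []
    if a.has_privacy_policy:
        residual -= 1
    else:
        # No policy found: risk increases and the document must be requested.
        residual += 1
        follow_ups.append("request privacy policy from supplier")
    if a.has_certification:
        residual -= 1
    residual = max(residual, 1)
    if residual >= 5:
        # Too high to accept as-is: align an action plan before deciding.
        follow_ups.append("agree on an action plan before accepting residual risk")
    return Assessment(criticality, inherent, residual, follow_ups)


def rank(suppliers):
    """Order suppliers by residual risk, highest first, so reviewers see the riskiest ones first."""
    scored = [(s.name, assess(s)) for s in suppliers]
    return sorted(scored, key=lambda t: t[1].residual_risk, reverse=True)
```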
In this scenario, one of the biggest challenges is to carry out this assessment with the consistency, completeness and speed required to keep up with internal demands, especially given that we operate in an environment of constant innovation.
netLex clients combine speed and security by using our platform to automate the document that contains the final analysis, through a workflow that assesses criticality and risk and routes specific assessments to those responsible for each topic.
Another important point is to review suppliers consistently over time, both to ensure that security controls remain in place and to identify whether the service is still relevant.
As we have seen, our current scenario is one of constant and rapid evolution and innovation, and we need preventive measures against security incidents, as well as preparation to deal with them should they occur, to reduce their impact.
Hence, we must ensure that all our suppliers are fit to provide the service while guaranteeing information security.
This procedure benefits both parties: the company controls and reduces risks such as the leakage of its information or the unavailability of services, while the supplier is able to evaluate its controls and identify areas for improvement. This increases maturity and creates a competitive advantage in the market.
To learn more about how netLex can help your company on the supplier analysis journey, speak to one of our specialists here!
*Samantha Nunes is the head of Information Security at netLex.