sc-1 | High priority | Supply Chain

Third-party software and services are inventoried and assessed for risk

Modern software stacks rely on dozens or hundreds of third-party components, SaaS tools, and managed services. Each one is a potential entry point: SolarWinds, Log4Shell, and the 3CX compromise all started in trusted third-party software. You cannot manage supply chain risk without knowing what third-party components you depend on and what access they have to your environment.

Complete first: ds-1

Implementation steps

  1. Build a third-party software and services inventory

     Create a list of all third-party software, SaaS applications, open-source libraries, and managed services your organization uses. Include the vendor name, what data or system access they have, and the business owner. For development teams, inventory open-source dependencies using a software composition analysis tool. Integrate inventory collection into procurement and onboarding processes.

     Tools: snyk, github-dependabot, sonatype-nexus, vanta, blissfully

  2. Assess each vendor against a risk tier

     Score each vendor by the sensitivity of the data they access and the depth of their system integration. Vendors with access to production systems or sensitive customer data are high risk. Vendors with no data access and no integrations are low risk. Use your tier assignment to drive the depth of security review: high-risk vendors get a full assessment, low-risk vendors get a lightweight review.

     Tools: vanta, drata, whistic, onspring, servicenow

  3. Monitor for supply chain compromise and security events affecting your vendors

     Subscribe to security advisories for your critical software dependencies. Use a software composition analysis tool to get automated alerts when a library you depend on has a new CVE. Monitor threat intelligence feeds for news of breaches affecting your vendors. When a vendor is breached, follow a defined protocol: assess exposure, rotate credentials, and review logs for anomalous activity.

     Tools: snyk, github-dependabot, crowdstrike, recorded-future, tenable
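The three steps above, worked as one small script: a vendor inventory is tiered by data access and integration depth to pick the review depth, and a dependency inventory is cross-referenced against an advisory feed to surface affected libraries and their owners. This is an added example, not code from the control page or from any of the tools it lists; the vendor names, access labels, package names and advisory ids are constructed placeholders, and version comparison assumes plain dotted numeric versions.

```python
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    data_access: str   # assumed labels: "none", "internal", "customer"
    integration: str   # assumed labels: "none", "readonly_api", "production"
    owner: str


# Review depth per tier; the "medium" wording is an assumption, the control only names high and low.
REVIEW_DEPTH = {"high": "full assessment", "medium": "standard questionnaire", "low": "lightweight review"}


def risk_tier(v: Vendor) -> str:
    """Production access or customer data -> high; no data and no integration -> low; else medium."""
    if v.integration == "production" or v.data_access == "customer":
        return "high"
    if v.integration == "none" and v.data_access == "none":
        return "low"
    return "medium"


def review_plan(vendors):
    """Map each vendor to (tier, review depth) so the tier drives the assessment scope."""
    return {v.name: (risk_tier(v), REVIEW_DEPTH[risk_tier(v)]) for v in vendors}


def _ver(s: str):
    return tuple(int(p) for p in s.split("."))  # numeric versions only (assumption)


def vulnerable_dependencies(deps, advisories):
    """A dependency is affected when its version is below the advisory's fixed_in version."""
    hits = []
    for dep in deps:
        for adv in advisories:
            if dep["name"] == adv["package"] and _ver(dep["version"]) < _ver(adv["fixed_in"]):
                hits.append((dep["name"], dep["version"], adv["id"], dep["owner"]))
    return hits


# Constructed sample data: placeholder vendors, packages and advisory ids, not real ones.
VENDORS = [Vendor("payments-saas", "customer", "production", "finance"),
           Vendor("docs-wiki", "internal", "readonly_api", "it"),
           Vendor("swag-store", "none", "none", "marketing")]
DEPS = [{"name": "examplelib", "version": "2.14.1", "owner": "platform-team"},
        {"name": "otherlib", "version": "1.3.0", "owner": "web-team"}]
ADVISORIES = [{"package": "examplelib", "fixed_in": "2.17.0", "id": "ADVISORY-PLACEHOLDER-1"},
              {"package": "otherlib", "fixed_in": "1.2.0", "id": "ADVISORY-PLACEHOLDER-2"}]

if __name__ == "__main__":
    for name, (tier, depth) in review_plan(VENDORS).items():
        print(f"{name}: {tier} risk -> {depth}")
    for hit in vulnerable_dependencies(DEPS, ADVISORIES):
        print("affected dependency, notify owner:", hit)
```

The affected-dependency list is what an SCA alert would hand to the owner named in the inventory, which is why the inventory must carry an owner for every entry.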

Evidence required

Third-party inventory and risk assessments

Evidence that third-party software and services are tracked and assessed for risk.

  - Third-party vendor inventory with risk tier assignments
  - Software composition analysis report showing dependencies and CVEs
  - Vendor risk assessment records for critical vendors

Related controls