Supply chain security practices are monitored throughout the technology product and service life cycle
A vendor's security posture at the time of acquisition is not their security posture two years into the relationship. Products receive updates, vendors get acquired, subprocessors change, and security teams turn over. Monitoring supply chain security through the entire product and service life cycle lets you catch these degradations before they affect you, rather than learning about them from a breach notification.
Implementation steps
1. Track software and service updates from critical vendors
For critical software vendors, subscribe to their security advisories and release notes. When a vendor releases a security update, have a process to evaluate and apply it within your patching SLA, and record when the advisory was published and when the fix was applied so that SLA compliance can be demonstrated. Unpatched, publicly known vulnerabilities in vendor software are among the most common initial access vectors in successful attacks.
Suggested tools: Dependabot, Snyk, Tenable, Qualys.

2. Monitor for changes in vendor security posture
Use security rating services or periodic manual reviews to detect significant changes in a vendor's security posture: major personnel changes in their security team, new public vulnerabilities in their products, acquisition by a new parent company, or changes to their data handling practices.
Suggested tools: SecurityScorecard, BitSight, Google Alerts.

3. Require vendors to notify you of significant security changes
Include in critical vendor contracts a requirement to notify you of significant changes to their security architecture, data processing arrangements, or subprocessors, and to notify you of any security breach within a defined time frame. This creates a contractual basis for the ongoing information flow you need to keep your risk assessment current.
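As an added example (not code from the original page or from any of the tools named above), the following Python script shows how the "evaluate and apply within your patching SLA" part of step 1 can be tracked mechanically rather than by hand: it matches a component inventory against vendor security advisories, derives each advisory's remediation deadline from a per-severity SLA table, and flags any component still running an affected version past that deadline. The vendor names, product names, advisory IDs, version numbers, dates and SLA values are all constructed or assumed for illustration; a real deployment would feed in an SBOM and the vendors' actual advisory feeds.

```python
"""Patch-SLA tracker for vendor security advisories (added example).

Inputs: an inventory of deployed vendor components and a list of vendor
security advisories. Output: one finding per component that is still on
an affected version, with the remediation due date and whether the
patching SLA has already been breached. All data below is constructed;
vendor names, advisory IDs and SLA values are hypothetical.
"""
from datetime import date, timedelta

# Assumed patching SLA in days per advisory severity (policy values, not from the page)
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the report is run "as of" (fixed so the example is reproducible)
AS_OF = date(2024, 6, 1)

# Constructed inventory: what is actually deployed, per vendor/product/version
INVENTORY = [
    {"vendor": "ExampleCorp", "product": "widgetlib", "version": "2.3.1"},
    {"vendor": "ExampleCorp", "product": "widgetlib", "version": "2.4.0"},
    {"vendor": "AcmeSaaS", "product": "agent", "version": "1.0.9"},
    {"vendor": "AcmeSaaS", "product": "agent", "version": "1.1.0"},
]

# Constructed advisories: hypothetical IDs; "fixed_in" is the first non-affected version
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "vendor": "ExampleCorp", "product": "widgetlib",
     "fixed_in": "2.4.0", "severity": "critical", "published": date(2024, 5, 1)},
    {"id": "EXAMPLE-2024-0002", "vendor": "AcmeSaaS", "product": "agent",
     "fixed_in": "1.1.0", "severity": "medium", "published": date(2024, 5, 20)},
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) for numeric comparison.

    Non-numeric suffixes such as '9-beta' are reduced to their digits; this is
    a simplification for the example, not a full semver implementation.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(component, advisory):
    """A component is affected if vendor and product match and its version
    is older than the version the advisory says fixes the issue."""
    return (component["vendor"] == advisory["vendor"]
            and component["product"] == advisory["product"]
            and parse_version(component["version"]) < parse_version(advisory["fixed_in"]))


def due_date(advisory):
    """Remediation deadline: advisory publish date plus the SLA for its severity."""
    return advisory["published"] + timedelta(days=PATCH_SLA_DAYS[advisory["severity"]])


def evaluate(inventory, advisories, today):
    """Return findings for every (component, advisory) pair where the component
    is still on an affected version, noting whether the SLA is breached as of `today`."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            due = due_date(adv)
            findings.append({
                "component": f"{comp['vendor']}/{comp['product']}@{comp['version']}",
                "advisory": adv["id"],
                "severity": adv["severity"],
                "due": due,
                "days_overdue": max(0, (today - due).days),
                "breached": today > due,
            })
    return findings


if __name__ == "__main__":
    for f in evaluate(INVENTORY, ADVISORIES, AS_OF):
        status = f"OVERDUE by {f['days_overdue']}d" if f["breached"] else f"due {f['due']}"
        print(f"{f['component']}  {f['advisory']} ({f['severity']})  {status}")
```

Run as-is, the report shows the old widgetlib install 24 days past its critical-severity deadline while the old agent install is still inside its 90-day window; the two components already on the fixed versions produce no findings. Keeping the per-finding due date and overdue count is what turns this from a vulnerability list into the "patch management records showing timely application" evidence the control asks for.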
Evidence required
Vendor update and advisory tracking
Evidence of an active process to track and respond to security advisories and updates from critical vendors.
- Security advisory subscription records for critical vendors
- Patch management records showing timely application of vendor security updates
- Dependency scanning reports showing vendor library versions and known CVEs
Vendor security monitoring records
Records showing ongoing monitoring of vendor security posture between formal reviews.
- Security rating service reports for critical vendors
- Alerts received from vendor breach notification subscriptions
- Log of vendor security changes reviewed and responded to
Related controls
- Supply chain risk management plans include provisions for activities after a supplier relationship ends (Cybersecurity Supply Chain Risk Management)
- Risks from suppliers are assessed, monitored, and responded to throughout the relationship (Cybersecurity Supply Chain Risk Management)
- A cybersecurity supply chain risk management program is established (Cybersecurity Supply Chain Risk Management)
- Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated (Cybersecurity Supply Chain Risk Management)