Metrics2Trust Suppliers
Started in December 2020
Almost every organisation uses third parties (suppliers) that provide services and products, ranging from cleaning companies to providers of cloud-based IT services. Dependence on these suppliers has increased in recent years.
The overall security level of an organisation and its services therefore depends in part on the security level of the services a supplier provides to it, and on the security level of that supplier itself.
That is why a good understanding of the security level of every supplier is important. Security ratings are already used to classify suppliers, but there are many different methods and no standardisation. The multiplicity of suppliers, each delivering many different services, makes this a difficult process.
The starting point of this project is research into which metrics are available and how they can be used in a standardised way to understand (changes in) the level of trust in third parties (suppliers), where trust relates both to the security of the services a supplier provides and to the security level of the supplier itself.
Activities in the Explore phase: in this phase the project team explored which internal and external metrics are available in current processes and on different security controls, how the concept of trust can be modelled, and how available metrics can be combined in a standardised (potentially automated) and reusable way to indicate (changes in) the level of trust.
Conclusion at the end of the Explore phase: the key finding is that there are numerous metrics with an abundance of relevant features. The key outcome is that the (conceptual) trust model already added value during the Explore phase, once it was incorporated into day-to-day activities. The key result is that the model can 'demystify' the current measuring and processing of metrics, increasing reusability and enabling automation.
In the current Proof of Concept phase, the team aims to build an interactive dashboard in which current features of metrics on specific control domains can be classified, processed and transformed to indicate (changes in) the level of trust in a supplier.
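To make the "classify, process and transform" step concrete, here is an added illustration of one way heterogeneous supplier metrics can be normalised per control domain, combined into a single trust level, and compared between two snapshots to surface a change. It is example code written for this page, not the Metrics2Trust project's model or dashboard code: the control domains, metric names, value ranges, weights and the 0.15 drop threshold are all constructed assumptions, and the two supplier snapshots are made-up data.

```python
"""Illustrative trust-score aggregation over heterogeneous supplier metrics.

Added example for this page; it is NOT the Metrics2Trust project's model.
Domain names, metric names, ranges, weights and threshold are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable


@dataclass(frozen=True)
class Metric:
    """One observed metric about a supplier, tagged with its control domain.

    `worst` and `best` are the raw values that should map to trust 0 and 1.
    Declaring best < worst expresses "lower is better" (e.g. days-to-patch),
    so metrics with opposite polarity can be mixed without special cases.
    """
    domain: str
    name: str
    value: float
    worst: float
    best: float


def normalise(m: Metric) -> float:
    """Map a raw value onto [0, 1], where 1 is most trust-supporting.

    Values outside the declared range are clipped, so one extreme reading
    cannot push a score outside [0, 1] and distort the domain average.
    """
    if m.worst == m.best:
        raise ValueError(f"{m.name}: worst and best must differ")
    lo, hi = sorted((m.worst, m.best))
    clipped = min(max(m.value, lo), hi)
    return (clipped - m.worst) / (m.best - m.worst)


def domain_scores(metrics: Iterable[Metric]) -> dict[str, float]:
    """Average the normalised metrics within each control domain."""
    buckets: dict[str, list[float]] = {}
    for m in metrics:
        buckets.setdefault(m.domain, []).append(normalise(m))
    return {domain: mean(values) for domain, values in buckets.items()}


def trust_level(scores: dict[str, float], weights: dict[str, float]) -> float:
    """Weighted mean over the domains present; an unweighted domain counts 1.0."""
    if not scores:
        raise ValueError("no domain scores to combine")
    total_weight = sum(weights.get(d, 1.0) for d in scores)
    return sum(s * weights.get(d, 1.0) for d, s in scores.items()) / total_weight


def trust_drops(before: dict[str, float], after: dict[str, float],
                threshold: float = 0.15) -> dict[str, float]:
    """Domains whose score fell by more than `threshold` between snapshots.

    A domain that disappears from the later snapshot is treated as a drop to
    0.0: losing the evidence is itself a reason to look at the supplier.
    """
    drops = {d: s - after.get(d, 0.0) for d, s in before.items()}
    return {d: round(delta, 4) for d, delta in drops.items() if delta > threshold}


# Constructed snapshots of one hypothetical supplier at two points in time.
SNAPSHOT_Q1 = [
    Metric("vulnerability management", "median days to patch critical CVEs", 45, worst=90, best=0),
    Metric("vulnerability management", "share of internet-facing hosts on TLS 1.2+", 0.9, worst=0, best=1),
    Metric("access control", "share of privileged accounts with MFA", 0.8, worst=0, best=1),
    Metric("incident response", "open critical findings from last assessment", 2, worst=10, best=0),
    Metric("external rating", "third-party security rating", 700, worst=300, best=900),
]
SNAPSHOT_Q2 = [
    Metric("vulnerability management", "median days to patch critical CVEs", 80, worst=90, best=0),
    Metric("vulnerability management", "share of internet-facing hosts on TLS 1.2+", 0.9, worst=0, best=1),
    Metric("access control", "share of privileged accounts with MFA", 0.85, worst=0, best=1),
    Metric("incident response", "open critical findings from last assessment", 2, worst=10, best=0),
    Metric("external rating", "third-party security rating", 700, worst=300, best=900),
]
# Assumed relative importance of each control domain for this supplier type.
WEIGHTS = {"vulnerability management": 0.3, "access control": 0.3,
           "incident response": 0.2, "external rating": 0.2}


if __name__ == "__main__":
    q1, q2 = domain_scores(SNAPSHOT_Q1), domain_scores(SNAPSHOT_Q2)
    print(f"trust Q1: {trust_level(q1, WEIGHTS):.3f}  Q2: {trust_level(q2, WEIGHTS):.3f}")
    print("domains with a significant drop:", trust_drops(q1, q2))
```

The point of the polarity-aware `worst`/`best` range is that an external rating, a patch-time in days and a percentage of MFA-enabled accounts can all be fed into the same pipeline once each is tagged with its control domain and its range. Note that the overall level only moves from about 0.74 to 0.70 here, while the per-domain comparison flags vulnerability management clearly; a dashboard that shows only the aggregate would hide that change.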
This project is part of the trend:
Increasing reliance on third-party vendors
These vendors can support financial institutions but can also be a threat to them. Vendors may have access to critical banking and client data while lacking stringent security policies (and transparency about them). Another threat is that products can be compromised earlier in the supply chain, leading to intentional or unintentional (and unnoticed) tampering with supplied hardware and software (including updates).
Growth of outsourcing of IT services
Outsourcing of IT to, for example, cloud-based services is becoming increasingly popular. These services are flexible and inexpensive, but they also bring new security risks, as interconnected cloud environments make it difficult to monitor and manage all the data that flows between them.