Resilience can come in all forms. When I examined a SCADA network that ran essential services I found that it had been implemented and entirely looked after by third partys.
For a critical piece of infrastructure the business was entirely reliant on them.
The same applied to applications developed for specific purposes, they can be locally developed and released with support only from a few contractors who move on shortly afterwards to another project.
This represents huge risks to the operation of a business.
Whilst it might be a good argument to have "one throat to choke" it can be a complete failure of a service for an extended periods if they don't respond and rectify any problem promptly. Loss of operations is real income gone.
Implementing a third party risk management program is key here, and auditing the third partys essential.
1. Contracts with them must be under a microscope
2. Staff at third partys need to be checked for their relevance to your operation and time in the job.
3. Updates to software must be checked to see if it is behind schedule; make sure they have a schedule too..
4. Key compliance requirements at them must be aligned with your requirements, this must be in writing and understood by all their employees.
What's been your experience with TPRM (Third-party risk management) programs? Any push back from suppliers when trying to get the necessary information before signing the contract or after? Do you follow a certain framework?
I only have a little experience in this area but I've been surprised so far on how open some suppliers are. I'll look at a sample risk assessment questionnaire and think, "yeah, there is no way the are going to willingly give us this answer" but then they do! Granted it sometimes requires an NDA beforehand. We're looking at correlating auditing frequency to how much risk they pose to our organization if something were to happen to them.
I think the third partys break down into categories. the big ones have provided answers on the key points before so when you ask them you should expect a mature answer... also some maturity in what they are doing.
Software developers are notoriously vague. they employ people to make an application, on contract, the people leave once it is implemented and no-one knows much later about what they did. Hence when you ask those guys, you little sense out of them.
The big third partys need to have their own review process in place for everything, with a program of control tests and reviews. You should be able to tap into that and ask for the reports.
The small ones will need you to push them once a quarter to ensure they make their program and then implement reviews, otherwise they'll make it and shove it in the drawer. next time you ask they'll just show you a document.