The Secure Controls Framework (SCF) release 2023.2 contains completely new content for its Security & Privacy Capability Maturity Model (SP-CMM). This effort was conducted to help streamline and standardize maturity criteria. One of the use cases for the SP-CMM is to provide minimum criteria that can be used to evaluate third-party service provider controls.
It is commonplace for Third-Party Service Providers (TSPs), including vendors and partners, to be contractually bound to implement and manage a baseline set of cybersecurity and privacy controls. This necessitates oversight of TSPs to ensure controls are properly implemented and managed.
In managing a cybersecurity and privacy program, it is important to address controls in a holistic manner, which includes governing the supply chain. TSPs are commonly considered the “soft underbelly” of an organization’s security program, since TSP oversight has traditionally been weak or non-existent in most organizations. There have been numerous publicized examples of TSPs being the source of an incident or breach.
One of the issues with managing TSPs is that most questionnaires ask for simple yes, no or not applicable answers. This approach lacks the details that provide critical insights into the actual security posture of the TSP. The SP-CMM can be used to obtain more nuanced answers from TSPs by having those TSPs select from L0-5 to answer whether the control is implemented and how mature the process is.
Referencing back to the SP-CMM Overview section of this document, L0-1 levels of maturity are identified as being deficient from a “reasonable person perspective” in most cases. Therefore, organizations need to look at the “capability maturity sweet spot” between L2-L4 to identify the reasonable people, processes and technologies that TSPs need to be able to demonstrate to properly protect your systems, applications, services and data, regardless of where they are stored, transmitted or processed. From a TSP management perspective, this is often going to limit target CMM levels to L2-3 for most organizations.
TSP controls are expected to cover both your internal requirements, as well as external requirements from applicable laws, regulations and contracts. Using the SP-CMM can be an efficient way to provide a level of quality control over TSP practices. Being able to demonstrate proper cybersecurity and privacy practices is built upon the security principles of protecting the confidentiality, integrity, availability and safety of your assets, including data.
While there are over 1,000 controls in the SCF’s controls catalog, it is necessary to pare down that catalog to only what is applicable to that specific TSP’s scope of control (e.g., Managed Service Provider (MSP), Software as a Service (SaaS) provider, etc.). This step simply involves filtering out the controls in the SCF that are not applicable. This step can also be done within Excel or within a GRC solution (e.g., SCF Connect). In the end, the result is a tailored set of controls that address the TSP’s specific aspects of the cybersecurity & privacy controls that it is responsible for or influences.
Now that you have pared down the SCF’s controls catalog to only what is applicable, it is a manual review process to identify the appropriate level of maturity for each of the controls that would be expected for the TSP. Ideally, the TSP will inherit the same target maturity level for controls as used throughout the organization. For any deviations, based on contract clauses, budget, time or other constraints, a risk assessment should be conducted to ensure a lower level of maturity for TSP-specific controls is appropriate.
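As an added illustration of the two steps above (tailoring the catalog to the TSP's scope, then comparing each TSP-reported L0-5 answer with the organization's target level), the following Python is not from the SCF or this document; the control IDs, scope tags, target levels and TSP answers are constructed placeholders, not SCF catalog entries.

```python
from dataclasses import dataclass

# SP-CMM maturity levels run L0-L5. The document treats L0-L1 as deficient
# and L2-L4 as the "capability maturity sweet spot" for target levels.
MAX_LEVEL = 5
DEFICIENT_MAX = 1

@dataclass(frozen=True)
class Control:
    cid: str           # placeholder identifier, not a real SCF control ID
    scopes: frozenset  # TSP types the control applies to, e.g. "MSP", "SaaS"
    target: int        # organization's target maturity level for the control

# Constructed catalog excerpt (hypothetical controls, not SCF catalog entries).
CATALOG = [
    Control("CTRL-01", frozenset({"MSP", "SaaS"}), 3),
    Control("CTRL-02", frozenset({"MSP"}), 2),
    Control("CTRL-03", frozenset({"SaaS"}), 3),
    Control("CTRL-04", frozenset({"MSP", "SaaS"}), 2),
]

def tailor(catalog, tsp_scope):
    """Step 1: keep only the controls applicable to this TSP's scope."""
    return [c for c in catalog if tsp_scope in c.scopes]

def assess(controls, answers):
    """Step 2: compare each TSP-reported level (L0-L5) with its target.
    Returns {control id: status}, where status is one of:
      "meets"      - reported level >= target
      "deviation"  - above L1 but below target; needs a risk assessment
      "deficient"  - L0 or L1, deficient from a reasonable-person perspective
      "unanswered" - TSP gave no level for an in-scope control
    """
    report = {}
    for c in controls:
        level = answers.get(c.cid)
        if level is None:
            report[c.cid] = "unanswered"
            continue
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{c.cid}: level {level} outside L0-L{MAX_LEVEL}")
        if level <= DEFICIENT_MAX:
            report[c.cid] = "deficient"
        elif level < c.target:
            report[c.cid] = "deviation"
        else:
            report[c.cid] = "meets"
    return report
```

Running `assess(tailor(CATALOG, "SaaS"), {"CTRL-01": 2, "CTRL-03": 1})` flags CTRL-01 as a deviation to risk-assess, CTRL-03 as deficient, and CTRL-04 as unanswered.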