The BSIMM (Building Security In Maturity Model), which helps organizations improve their software security initiatives (SSIs) by showing what other organizations are doing and what works, also provides the BSIMMsc, a version aimed at software supplied by third parties.
Sammy Migues, principal scientist at Synopsys and a co-author of the BSIMM, noted in the white paper Applying the BSIMM to Managing Risk in the Software Supply Chain that the BSIMMsc “leverages attestation and automation to function as a foundational security control for software supply chain risk management.”
Put a bit more simply, it is designed to help organizations avoid software vendors that are “clueless.”
Nicholas Marinos, director of IT and cybersecurity at the U.S. Government Accountability Office (GAO), said the reality is that most entities, including those in healthcare, have to rely on third parties for “security services, IT, or to help them perform their missions.”
That means organizations that handle protected health information (PHI) “must have a way to assure that third parties are protecting that data according to best practices,” he said, which includes following up to see if promised security tests were actually conducted.
“It means having expertise on hand to make sure tests were done, but that there was follow-up on the results,” he said.
The healthcare industry, he said, is critical infrastructure. “Ultimately we’re talking about information,” he said. “Sometimes the focus on security ends up being on technology and systems, but any entity would benefit from knowing what data it has, how it’s used and where it’s going, as well as what kind of technology you have connected to your organization.”
And the Gartner report offers a playbook for organizations seeking to conduct effective oversight of the security of their third-party vendors.
Among the recommendations from analysts Katell Thielemann, Mark Atwood and Kamala Raman:
- Know what you, and your third parties, have and need to protect.
- Assess the security and risk management posture of third parties.
- Know all industry regulations applicable to you, and make them part of your supply chain risk management strategy.
The report offers more detail on how to achieve those and other goals.
None of this will make you perfect, but it will get you a lot closer, which is usually enough to get attackers to look for easier targets.