Information Security

  • 1.  Suppliers providing COTS solutions

    This message was posted by a user wishing to remain anonymous
    Posted 11-29-2023 01:08 PM

    Good day ThinkTank Guru's,

    Apologies in advance if this is a silly question - for due diligence on suppliers that sell COTS applications, do you still perform the same information security due diligence? We get a lot of push back with regards to this from suppliers. We are a global organisation and in some regions we are just not getting great feedback on this. This is in the manufacturing industry, where we buy equipment and in some cases it comes with software proprietary to that piece of hardware.

    Any feedback would be immensely appreciated.



  • 2.  RE: Suppliers providing COTS solutions

    Posted 11-30-2023 09:34 AM

    We do the same due diligence; however, it is based on what they do for our company. Also, being a manufacturer, we are concerned about information security as it relates to installation, any kind of access to our network for support, data involved, patching, etc.

    Happy to talk more if you would like to.

    Jamie Sumter

    IT Risk Management Lead

    Clarios

    THIS MESSAGE MAY CONTAIN INFORMATION THAT IS PRIVILEGED AND CONFIDENTIAL. The information contained in, or attached to, this message is intended solely for the use of the specific person(s) named above. If you are not the intended recipient, then you have received this communication in error and are prohibited from review, retransmission, taking any action in reliance upon, sharing the content of, disseminating or copying this message and any of the attachments in any way. If you have received this communication in error, please contact the sender immediately and promptly delete this message from all types of media and devices. Thank you.

  • 3.  RE: Suppliers providing COTS solutions

    Posted 14 days ago

    Good day Jamie,

    Thank you for this insightful information - much appreciated! What we attempt in our assessment (my team is only responsible for the security assessment aspect) is the basic questions in terms of security posture, policies, ISMS, etc. However, this can give me guidance in terms of their approach to security and their controls - not necessarily prove that the software is free of any vulnerabilities or backdoors. We are currently looking at tools that can scan the binary, but the volume of applications is just too high. I was thinking of adding a requirement that the supplier give me assurance in the form of a security assessment / pentest report on their application - but again, the smaller companies we work with, especially in the LATAM regions, are very tricky when it comes to this.

    I would like to understand your approach to this.

    Kind regards,

    Mandy