Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1439196
25 ILTANET.ORG

security risks each one poses. Some vendors may pose a higher risk, particularly if they have access to sensitive or confidential information regarding the firm or its clients. The firm must determine whether remediation measures can mitigate these risks, whether the risk level is tolerable based on what product/service is being provided, or whether the vendor must be declined. Software vendors must be held to a higher standard than many other suppliers since they are often deeply entrenched in the firm's infrastructure and have remote access to the firm's network. When buying software, be sure to have a risk/compliance professional assist with compiling and reviewing risk management questionnaires.

6. Weigh Risks Against Business Necessity

Remember that standard questionnaires are aspirational; no vendor response is ever 100% perfect. The firm's IT security and risk management professionals must review vendors' security credentials and then apply their judgment to the assessment. The firm may accept a greater level of risk for a specific vendor depending on how vital the vendor's product/service is, weighed against the potential risks to the firm. Vendors handling confidential or sensitive material for the firm, such as personally identifiable information (PII), credit card information, or privileged material, are held to a higher security standard because the risks are more significant.

7. Require Security Tools for Software Vendors

Monitoring and Scanning – A firm's risk management questionnaire can include questions about the security technology tools the software vendor uses to monitor and detect vulnerabilities and anomalous activity. Ideally, software companies have deployed a suite of tools to scan their computers and services and detect vulnerabilities in code. This standard applies to both on-premises and cloud tech suppliers. Scanning and monitoring tools can also detect malicious code in PDF files and email messages, which are among the most common vehicles for bad actors to embed viruses or other harmful code.

Security Agents – There are many links in the software supply chain, and weaker points give bad actors paths to intrude. Software providers can have a security agent sitting on each machine to detect anomalous/strange activity and shut down the activity immediately. Are the firm's devices being used to reach out to servers in countries with known cybercriminal activity, such as China, Nigeria, and Russia? Are machines making requests to strange websites? Security agent technologies slam the door on malicious servers and agents. Having security agents and the scanning/monitoring tools in place creates in-depth defense to block nefarious activity.

Firewalls and Perimeter Defense – Network firewalls, web application firewalls, and similar devices form a frontline of defense for your vendors' networks. Ensure that your vendors are as vigilant in protecting their network as you are about protecting your own. This is especially important if the vendor can remotely access your networks, since a compromise of your vendor's network could lead to unauthorized access to yours.

8. Create a Remediation Plan

If a firm truly needs a vendor's product or services, but the supplier's security questionnaire is not satisfactory, law firm security managers, CIOs, and IT directors can start a dialogue with the vendor to create a remediation plan. The firm can assist vendors in setting objectives and timelines. Then, the vendor can be held accountable for making the necessary security improvements to meet the firm's specifications.

9. Monitor and Adapt to Problems as They Arise

New security issues surface daily, so law firm IT will continually prioritize, troubleshoot, and remediate problems as they are discovered. The supply chain inventory will grow and change. Vendor responses to questionnaires will change over time, so stay in touch with suppliers regularly. Software supply chain security is an eternal "rinse and repeat" process, so establish a routine around it that is flexible enough to incorporate new software products and address security threats that enter the environment.

10. Regularly Brief Business Leaders

Law firm executive leadership looks to IT for guidance and accountability on security issues. Be sure to keep top executives informed about security, including the vetting of major new vendors and notification of data leaks or breaches. Establishing regular communication,