NIST CSF and Third-Party Risk Management

The National Institute of Standards and Technology (NIST) introduced the Cybersecurity Framework (CSF) in 2014 in response to Executive Order (EO) 13636 for securing critical infrastructure. While many NIST guidelines were developed to secure U.S. federal government systems, data and/or critical infrastructure, the CSF is designed for any business or private organization that needs to assess its cybersecurity risks.

In February 2024, NIST released version 2.0. The new version includes several changes to address growing challenges related to third parties and cybersecurity supply chain risk management (C-SCRM).

Relevant Requirements

  • Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy
  • Use safeguards to prevent or reduce cybersecurity risk
  • Take action regarding a detected cybersecurity incident
  • Help determine the current cybersecurity risk to the organization
  • Find and analyze possible cybersecurity attacks and compromises
  • Restore assets and operations that were impacted by a cybersecurity incident

Addressing NIST CSF 2.0 Guidelines

The CSF provides a set of cybersecurity outcomes (arranged by Function, Category and Subcategory); examples of how those outcomes might be achieved (called Implementation Examples); and references to additional guidance on how to achieve those outcomes (known as Informative References). The table below reviews the Functions, Categories and Subcategories most relevant to third-party risk management and cybersecurity supply chain management and offers best practice guidance for addressing the guidelines.

Note: This is a summary table only and is not an exhaustive list of NIST Categories. For a full view of the NIST CSF, download the complete version. Work with your internal audit team and external auditors to determine the right Categories and Subcategories to focus on.

Function, Category and Subcategory

Best Practice

GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes.

Establish a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program that is aligned with your broader information security and governance, enterprise risk management, and compliance programs.

Look for experts who can partner with your team to:

  • Define and implement TPRM and C-SCRM processes and solutions
  • Select risk assessment questionnaires and frameworks
  • Optimize the program according to your organization’s risk appetite to address the entire third-party risk lifecycle, from sourcing and due diligence through termination and offboarding

As part of this process, you should determine:

GV.SC-04: Suppliers are known and prioritized by criticality

Centralize your third-party inventory in a software solution. Then, quantify the inherent risk of every third party. The criteria used to calculate inherent risk for third-party prioritization should include:

  • The type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties
  • Exposure to business or customer-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

With this inherent risk assessment, your team can automatically tier suppliers, set the appropriate level of further diligence, and determine the scope of ongoing assessments.

Rule-based tiering logic can classify suppliers using a range of data interaction, financial, regulatory and reputational considerations.
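The following is an added example of what rule-based inherent risk tiering can look like in code; it is not Prevalent’s logic or code. The criteria mirror the list above, but the weights, the score thresholds, the hard rule, the per-tier due diligence requirements and the sample vendors are all assumptions constructed for this example.

```python
"""Rule-based inherent risk tiering for third parties.

Added example for illustration; it is not Prevalent's code or logic. The
criteria mirror the list in the text, but the weights, thresholds, hard rules
and the sample vendors are all assumptions constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorProfile:
    name: str
    criticality: int             # 1 (negligible) .. 5 (critical) to business operations
    protected_data: bool         # interacts with protected data (PII, PHI, card data, ...)
    customer_facing: bool        # exposed to business or customer-facing processes
    fourth_party_reliance: int   # 0 (none) .. 3 (heavy) reliance on subcontractors
    regulated_location: bool     # location raises legal or regulatory considerations
    financial_health: int        # 1 (distressed) .. 5 (strong)
    reputation_flags: int        # adverse media / sanctions hits found in monitoring


def inherent_risk_score(v: VendorProfile) -> int:
    """Additive score (0..62 with these assumed weights); higher means more inherent risk."""
    score = v.criticality * 4
    score += 10 if v.protected_data else 0
    score += 5 if v.customer_facing else 0
    score += v.fourth_party_reliance * 2
    score += 4 if v.regulated_location else 0
    score += (5 - v.financial_health) * 2          # weak finances add risk
    score += min(v.reputation_flags, 3) * 3        # capped so one noisy feed cannot dominate
    return score


def tier(v: VendorProfile) -> str:
    """Tier 1 is the highest risk. Hard rules run before the score thresholds."""
    # Hard rule (assumed policy): a critical supplier that touches protected data is
    # always Tier 1, however healthy its finances or reputation look.
    if v.protected_data and v.criticality >= 4:
        return "Tier 1"
    s = inherent_risk_score(v)
    if s >= 35:
        return "Tier 1"
    if s >= 18:
        return "Tier 2"
    return "Tier 3"


# Assumed policy per tier: the type of content required to validate controls,
# and the scope/frequency of ongoing assessment.
DUE_DILIGENCE = {
    "Tier 1": ("full control questionnaire with evidence review",
               "annual reassessment plus continuous monitoring"),
    "Tier 2": ("standard questionnaire, self-attested",
               "reassess every two years; monitor financial and reputational feeds"),
    "Tier 3": ("short intake questionnaire",
               "reassess on contract renewal or material change"),
}


def tiering_plan(vendors):
    """Return {vendor: (tier, score, required evidence, ongoing scope)}, highest score first."""
    plan = {}
    for v in sorted(vendors, key=inherent_risk_score, reverse=True):
        t = tier(v)
        plan[v.name] = (t, inherent_risk_score(v)) + DUE_DILIGENCE[t]
    return plan


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = [
    VendorProfile("payroll-saas", 5, True, False, 2, False, 4, 0),
    VendorProfile("offshore-dev-shop", 3, True, False, 3, True, 2, 2),
    VendorProfile("marketing-agency", 2, False, True, 1, False, 3, 1),
    VendorProfile("office-plants", 1, False, False, 0, False, 5, 0),
]

if __name__ == "__main__":
    for name, (t, score, evidence, scope) in tiering_plan(SAMPLE_VENDORS).items():
        print(f"{name:20} {t}  score={score:2}  needs: {evidence}; {scope}")
```

The hard rule is the important design choice: an additive score can be dragged down by strong financials or a clean reputation, so the conditions that should never be averaged away (protected data at a critical supplier) are checked before the thresholds are applied.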

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

Centralize the distribution, discussion, retention and review of vendor contracts, automating the contract lifecycle and ensuring that key clauses are enforced. Key capabilities should include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status, with customizable role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and an audit trail of all access
  • Version control tracking that supports offline contract and document editing
  • Role-based permissions to assign responsibilities, grant access to contracts, and control read/write/modify access

With this capability, you can ensure that responsibility and right-to-audit clauses are explicitly defined in vendor contracts, and track and manage SLAs accordingly.

GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

Centralize and automate the distribution, comparison and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution, comparing key attributes side by side.

When centrally managing and reviewing all service providers, teams should build comprehensive vendor profiles that include insight into supplier demographic information, fourth-party technologies, ESG scores, recent business and reputational developments, data breach history, and recent financial performance.

This level of due diligence creates greater context for making vendor selection decisions.

GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

Look for a solution with a large library of pre-built third-party risk assessment templates. Assessments should be conducted at onboarding, at contract renewal, at any prescribed frequency (e.g., quarterly or annually), or in response to material changes.

Assessments should be managed centrally and backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, the TPRM solution should include built-in remediation recommendations based on risk assessment results, to ensure that your third parties address risks in a timely and satisfactory manner and that appropriate evidence can be provided to auditors.

As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response.

Be sure to incorporate third-party operational, reputational, and financial data to add context to cyber findings and measure the impact of incidents over time.

GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

As part of your broader incident management strategy, ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Look for managed services where dedicated experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place.

Key capabilities of a third-party incident response service should include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time tracking of questionnaire completion progress
  • Defined risk owners, with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • A consolidated view of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules that trigger automated playbooks to act on risks based on their potential impact on the business
  • Built-in report templates for internal and external stakeholders
  • Guidance from built-in remediation recommendations to reduce risk
  • Data and relationship mapping that identifies the relationships between your organization and third, fourth or Nth parties, visualizing information paths and revealing risk data

In addition, consider leveraging a database containing several years of data breach history for thousands of companies around the world, including the types and quantities of data stolen, compliance and regulatory issues, and real-time vendor data breach notifications.

With these insights, your team can better understand the scope and impact of an incident; which data was involved; whether the third party’s operations were affected; and when remediation was completed, all with the support of experts.

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

Please see GV.SC-01 and GV.SC-02.

IDENTIFY (ID): The organization’s current cybersecurity risks are understood

Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy

ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained

To address this Subcategory, Prevalent helps to identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. The solution includes a questionnaire-based assessment of your suppliers and passive scanning of the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies and information flows that could expose your organization to risk.

ID.AM-04: Inventories of services provided by suppliers are maintained

Prevalent enables you to build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise can populate key supplier details with a centralized and customizable intake form and associated workflow tasks. This capability is available to everyone via email invitation, without requiring any training or solution expertise.

ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission

Please see GV.SC-04.

ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycle

To address this Subcategory, Prevalent enables you to:

  • Continuously assess and monitor the potential risks the service provider introduces into your environment; and make recommendations to mitigate the impact of those risks
  • Monitor service levels, key performance indicators (KPIs) and key risk indicators (KRIs) to ensure adherence to contractual agreements
  • Securely offboard service providers to ensure data and system security post-contract termination

Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization

ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources

ID.RA-03: Internal and external threats to the organization are identified and recorded

ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization

ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated

ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. As part of this, Prevalent monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

  • Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
  • Databases containing several years of data breach history for thousands of companies around the world

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, the Prevalent Platform applies risk scoring and prioritization according to a likelihood and impact model. This model frames risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those.

Then, you can assign owners and track risks and remediations to a level acceptable to the business.
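The likelihood and impact model described above, as an added example in code. This is not the Prevalent Platform’s scoring model: the 5x5 scale, the band thresholds, the owner/status workflow and the sample register entries are assumptions constructed to show how correlated assessment and monitoring findings can be scored, placed in a matrix and prioritized.

```python
"""Likelihood x impact risk matrix for a per-vendor risk register.

Added example, not the Prevalent Platform's scoring model. The 5x5 scale,
the band thresholds, the status workflow and the sample register entries are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    vendor: str
    title: str
    source: str                 # "assessment" or "monitoring": where the finding came from
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    owner: Optional[str] = None
    status: str = "open"        # open -> remediating -> closed/accepted

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a 1..25 score to a risk band (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritize(register):
    """Highest score first; ties broken by impact so severe-but-rare risks surface."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def matrix(register):
    """5x5 grid of counts: rows are impact (5 at the top), columns are likelihood (1..5)."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[5 - r.impact][r.likelihood - 1] += 1
    return grid


def assign_owner(register, vendor, title, owner):
    """Assign an owner and move the risk into remediation; return the updated risk."""
    for r in register:
        if r.vendor == vendor and r.title == title:
            r.owner, r.status = owner, "remediating"
            return r
    raise KeyError(f"no such risk: {vendor}/{title}")


BAND_ORDER = ["Low", "Medium", "High", "Critical"]


def unowned_at_or_above(register, threshold="High"):
    """Risks in the given band or higher that still have no owner: the review meeting's list."""
    return [r for r in register
            if BAND_ORDER.index(band(r.score)) >= BAND_ORDER.index(threshold)
            and r.owner is None]


# Constructed register for one vendor, mixing assessment and monitoring findings.
REGISTER = [
    Risk("payroll-saas", "No MFA on admin console (questionnaire Q12)", "assessment", 4, 5),
    Risk("payroll-saas", "Employee credentials found on a paste site", "monitoring", 3, 4),
    Risk("payroll-saas", "Subprocessor list not updated in 18 months", "assessment", 2, 3),
    Risk("payroll-saas", "Minor adverse media: late regulatory filing", "monitoring", 2, 1),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:2} {band(r.score):8} {r.source:10} {r.title}")
    for row in matrix(REGISTER):
        print(row)
```

Keeping the `source` on each entry is what makes the register useful: a monitoring hit (leaked credentials) and an assessment answer (no MFA on the admin console) for the same vendor reinforce each other, and the prioritized view shows both together rather than in separate tools.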

Please also see GV.SC-04.

ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use

As part of the due diligence process, you can use Prevalent to require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization’s security and compliance. SBOMs are treated like any other document type, and you can apply automated document profiles to search for and extract the key details needed to validate software components.
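An added example of the kind of automated extraction and validation a document profile would perform on a vendor-supplied SBOM; it is not Prevalent’s implementation. It reads a CycloneDX JSON document, pulls out the fields a reviewer needs (name, version, package URL, declared licenses, hashes) and flags components that cannot be validated or that violate policy. The approved-license list, the requirement for a SHA-256 hash, and the sample SBOM (component names, versions and the hash value) are all constructed assumptions.

```python
"""Extract and validate components from a CycloneDX SBOM (JSON).

Added example of an automated SBOM check; not Prevalent's implementation.
The license allow-list, the hash policy and the sample SBOM are constructed
assumptions.
"""
import json

# Assumed policy: licenses acceptable for software we deploy.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}


def parse_components(sbom_json: str):
    """Return one flat dict per component with the fields needed for validation."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for c in doc.get("components", []):
        licenses = []
        for entry in c.get("licenses", []):
            lic = entry.get("license", {})
            if "id" in lic:
                licenses.append(lic["id"])      # SPDX identifier
            elif "name" in lic:
                licenses.append(lic["name"])    # free-text license name
        out.append({
            "name": c.get("name"),
            "version": c.get("version"),
            "purl": c.get("purl"),
            "licenses": licenses,
            "hashes": {h["alg"]: h["content"] for h in c.get("hashes", [])},
        })
    return out


def validate(components):
    """Return {component: [issues]} for components that cannot be validated or break policy."""
    issues = {}
    for c in components:
        key = f"{c['name']}@{c['version'] or '?'}"
        problems = []
        if not c["version"]:
            problems.append("no version: cannot be matched against vulnerability databases")
        if not c["purl"]:
            problems.append("no purl: component identity is ambiguous")
        if "SHA-256" not in c["hashes"]:
            problems.append("no SHA-256 hash: integrity cannot be verified")
        if not c["licenses"]:
            problems.append("no license declared")
        else:
            for lic in c["licenses"]:
                if lic not in APPROVED_LICENSES:
                    problems.append(f"license {lic} not on approved list")
        if problems:
            issues[key] = problems
    return issues


# Constructed SBOM: component names, versions and the hash value are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-trim", "version": "2.1.0",
         "purl": "pkg:npm/left-trim@2.1.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},   # placeholder digest
        {"type": "library", "name": "fastcrypt", "version": "0.9.3",
         "purl": "pkg:pypi/fastcrypt@0.9.3",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "vendor-internal-util",
         "licenses": []},
    ],
})

if __name__ == "__main__":
    for comp, problems in validate(parse_components(SAMPLE_SBOM)).items():
        print(comp)
        for p in problems:
            print("  -", p)
```

The check that matters most for this Subcategory is the hash: a component listed without a digest can be inventoried but not verified, so the SBOM alone cannot establish integrity for it, and the vendor should be asked to supply one.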

ID.RA-10: Critical suppliers are assessed prior to acquisition

Please see GV.SC-06.

Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions

ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

Please see GV.SC-08.

DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed

Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

DE.CM-06: External service provider activities and services are monitored to find potentially adverse events

Please see ID.RA.

RESPOND (RS): Actions regarding a detected cybersecurity incident are taken

Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed

RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared

Please see GV.SC-08.

Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

RS.CO-02: Internal and external stakeholders are notified of incidents

RS.CO-03: Information is shared with designated internal and external stakeholders

Please see GV.SC-08.

RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored

Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties

RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Please see GV.SC-08.
