Supply Chain Assurance
Maintaining Data Security
Trackster Global is securing the supply chain with risk-based assessments & alliances
Whether it’s caused by poor quality control or a malicious actor, third-party software, solutions, and manufacturers can introduce risk to corporate, employee, and customer data. Trackster is committed to building and implementing best-in-class security programs and processes, and is constantly working to reduce exposure to cybersecurity risks. Trackster Core Services Engineering (CSE, formerly Trackster IT) helps support the overall security mission at Trackster by offering key security services that help protect corporate data and users. We are also securing the supply chain that we use to procure third-party software, goods, and services that are used at Trackster Global.
Our supply chain data assurance program helps us evaluate and prioritize the risk level and security of third-party suppliers across Trackster customers' supply chains. Some of the benefits we have seen from introducing a security framework as part of the procurement process include:
We assess procurement requests and make recommendations to business groups and leadership teams that help them make more risk-informed decisions. It is important to note that each organization is different; this program and strategy were designed to align with Trackster business processes. It represents only a few key areas of our assurance program and is not a roadmap for implementation.
Developing a framework for assessing risk
The supply chain assurance program helps inform the procurement process, which includes the business group and leadership approval chain. We use a combination of supplier risk profiling and focused control-based assessments that include:
- Risk indicators.
- Risk profile.
- Recommended courses of action.
We created policies, standards, and control procedures for software, goods, and services from third-party suppliers. These policies map to industry regulations and authoritative sources that help us meet both our external and internal security obligations. Control procedures give us detailed steps to follow for specific technologies or processes. Our security technical control procedures (TCPs) are created by a board of security experts and are regularly updated to address the latest technology, industry security standards, and best practices.
Creating a supplier risk profiling model
We gather information from each supplier and build a risk profile for them. The supplier’s profile is scored for risk based on our experience with services. This score helps us determine how much more assessment we need to give us confidence in their product or service for our customers. The program integrates security escalations to ensure that we choose secure third-party software, goods, and services from trusted suppliers.
Third-party software is any software that is not developed by Trackster and is not Trackster intellectual property. It can be cloud-based software as a service (SaaS), on-premises server-based, or installed on client devices. Any third-party software that processes or accesses corporate data is subject to software governance. Procurement obtains third-party software and services for use at Trackster and negotiates contracts and service subscriptions. Once procured, the end-to-end governance process is accountable for the effective management of software licenses, subscriptions, inventory, and maintenance through the entire product life cycle.
When procurement acquires third-party software, they assess the supplier, look at their risk profile, and present their findings to management. That information helps leadership make risk-informed purchasing decisions, and helps us negotiate remediation during contract negotiation. Continuous monitoring helps ensure that security controls that are in effect at the time of purchase remain so during their life cycle.
Solution integrators are suppliers that provide staff augmentation and consulting services. Helping to ensure security around people and services requires different controls than assessing software suppliers. We use supplier risk profiles and assessments to continuously monitor the risk score of the suppliers. Then we partner with them on remediation activities to improve supplier and solution security, which is then reflected in their updated risk score.
We accept some industry-standard compliance attestations in lieu of some of the more detailed security questionnaires. Security questions are based on Trackster security standards, requirements, and technical controls that apply to our internal applications, as well.
Because reviews and assessments are done during the selection phase, we can make change requests part of the contract negotiation. We look at contracts and legal as our first line of control. We can require suppliers to make fixes before onboarding and ensure that all provisions are included in the contract.
We have moved beyond one-time assessments and incorporated ongoing monitoring to help ensure that a supplier stays in compliance. The ongoing monitoring is based on data elements in our risk profile, which are updated continually from internal and external sources. When new versions of products or services are released, or when a purchase order is set to renew, we reassess based on the risk profile score and determine if it still passes our assurance needs or if new, control-based activities are required.
Addressing security in the future
The rapid pace of change in technology requires continued investment in cybersecurity to protect our resources from the evolving threat landscape. By programmatically addressing security during procurement of software, goods, and services, we are reducing our risks and preparing for a cloud-only future. A future iteration of our supply chain assurance program will provide governance for the third-party intelligent cloud solutions and intelligent edge devices that interact with our vital business assets.
In the immediate future, we plan to include more service categories in the areas of insurance and trade finance transaction management and assurance.