GenAI as Cyber Blue Team Copilot - Supply Chain Risk Assessment
Supply Chain Risk Management (also often called Third Party Risk Management or TPRM) has been on the shortlist of top focus areas for cybersecurity teams for several years now. It’s an effort to assess and monitor the cyber risks of using technology - hardware, software, services - provided by a third party. It’s still a relatively new area for some cyber blue teams and can be a little tricky when it comes to the back and forth of the assessing organization’s requests for information and vendors’ ability and willingness to share that information.
So this is another fun topic to throw at a few GenAI chatbots and see how they can help brainstorm an effective outline for a supply chain risk assessment. Today I have Microsoft’s Copilot, Claude-3-Opus, ChatGPT 4o, and Gemini-1.5-Pro as my copilots. Here’s my prompt to them:
You are a Cybersecurity GRC Manager. Please provide a detailed outline for your team on how to carry out a supply chain risk assessment of a SaaS provider
All four of the chatbots offered solid, useful responses. The phases of supply chain risk assessment were very similar across all four. Here are some of the best individual bits from Copilot, ChatGPT 4o, and Gemini 1.5 Pro:
Copilot
Map the Supply Chain: Understand the SaaS provider's supply chain and identify all third-party dependencies
Regulatory Compliance: Check for compliance with relevant regulations like GDPR, HIPAA, etc.
ChatGPT 4o
Identify Potential Risks
Categories of risks:
Data Breach
Service Disruption
Compliance and Regulatory Violations
Third-Party Dependencies
Financial Stability of the Provider
Map Data Flows
Understand data handling:
Data collection, storage, processing, and transmission
Identify sensitive and regulated data
Assess Provider's Security Posture
Review security measures:
Encryption standards
Access controls
Vulnerability management
Risk Rating and Prioritization
Use a risk matrix:
Plot risks based on likelihood and impact
Prioritize high-risk areas
4.2. Determine Risk Appetite
Align with organizational risk tolerance:
Compare identified risks with the company’s risk appetite
Identify acceptable and unacceptable risks
5. Risk Treatment
5.1. Develop Mitigation Strategies
Mitigation options:
Enhance security controls
Adjust SLAs
Diversify providers
📌 The best bits among these (ChatGPT 4o) are: mapping data flows, comparing identified risks with the company’s risk appetite, and the risk treatment bullets.
Gemini 1.5 Pro
Geographical locations of data processing and storage.
Internal Stakeholders: Identify key stakeholders within our organization who rely on the SaaS provider and understand their data sensitivity and business impact concerns.
Supply Chain Threats: Evaluate risks introduced through the SaaS provider's own supply chain:
Fourth-party vendors.
Open-source software vulnerabilities.
Physical security weaknesses at sub-processor locations.
And now there’s one chatbot missing. That’s because for my money Claude-3-Opus gave the best response overall, and it’s worth sharing all of it:
Claude-3-Opus
Preliminary Research
1.1. Identify the SaaS provider and gather basic information about their services, industry reputation, and market presence.
1.2. Review the provider's website, terms of service, privacy policy, and any publicly available security documentation.
1.3. Identify the specific services or products our organization intends to use from the provider.
Questionnaire and Documentation Request
2.1. Prepare a comprehensive questionnaire covering various aspects of the provider's security practices, including:
2.1.1. Information security policies and procedures
2.1.2. Data protection and privacy measures
2.1.3. Access control and user management
2.1.4. Incident response and business continuity plans
2.1.5. Compliance with relevant industry standards and regulations (e.g., ISO 27001, SOC 2, GDPR)
2.2. Request relevant documentation from the provider, such as:
2.2.1. Third-party audit reports (e.g., SOC 2, ISO 27001 certification)
2.2.2. Data flow diagrams and architecture overviews
2.2.3. Penetration testing and vulnerability assessment reports
2.2.4. Business continuity and disaster recovery plans
Risk Assessment
3.1. Review the provider's responses to the questionnaire and the provided documentation.
3.2. Identify potential risks and vulnerabilities in the provider's security practices, such as:
3.2.1. Inadequate data protection measures
3.2.2. Weak access controls or user management processes
3.2.3. Lack of compliance with relevant standards and regulations
3.2.4. Insufficient incident response or business continuity plans
3.3. Assess the likelihood and potential impact of each identified risk on our organization's data and systems.
3.4. Prioritize the risks based on their severity and the provider's criticality to our operations.
Mitigation and Contract Negotiation
4.1. Develop a risk mitigation plan for each identified risk, which may include:
4.1.1. Requesting the provider to implement additional security controls or processes
4.1.2. Establishing specific contractual requirements related to security and data protection
4.1.3. Implementing compensating controls within our own organization
4.2. Engage with the provider to discuss the identified risks and proposed mitigation measures.
4.3. Negotiate the contract terms to ensure that the provider agrees to implement the necessary security controls and comply with relevant standards and regulations.
Ongoing Monitoring
5.1. Establish a process for periodic review and reassessment of the provider's security practices.
5.2. Monitor the provider's compliance with the agreed-upon security requirements and contract terms.
5.3. Regularly review the provider's updated security documentation, audit reports, and any reported security incidents.
5.4. Maintain open communication channels with the provider to address any new risks or concerns that may arise.
📌 My favorite parts of Claude’s response are:
Phases breakdown
The Questionnaire and Documentation Request phase
3.4 Prioritize the risks based on their severity and the provider's criticality to our operations.
Just about all of phases 4 and 5.
All of these are things I’ve had opportunities to work with and see the benefits of.
📌 I have to give a big hat tip here to Poe - which I have previously called the most useful GenAI app - for making my interaction with all the chatbots except Copilot faster and easier because of its Compare feature. The Compare feature lets you throw your prompt at whichever model/chatbot you’ve got selected from the 50+ available, and then at the bottom of that tool’s response choose a tool to get a response to the same prompt, like so: