Vendor and Supply Chain Management
Updated over 3 months ago

Beacon employs a risk-based approach to vendor and supply chain management. The approach focuses on minimizing environmental risks to confidentiality, integrity, and availability.

Supply Chain Security

The Beacon team reviews the supply chain to assess what security issues may exist, and documents the approach used to address those risks. Key elements of this process include:

  • Perform a detailed review of each critical supplier’s compliance programs.

  • Identify any lingering risks or outstanding issues noted in third-party compliance reports.

  • Verify their adherence to a strict configuration and change management program.

  • Perform risk assessments of known adjudicated, mitigated, and open vulnerabilities.

  • Verify the integrity of all software components (e.g., version verification, hash checks).

  • Run independent vulnerability scans of any provided libraries.

Supplier Risk Management

Supplier risk management starts with establishing clear security requirements in contractual documents where appropriate. At a minimum, end-user license agreements (EULAs) and/or Terms of Service are reviewed in detail to understand what impacts they may have on the expected delivery of resources. The Beacon team also performs detailed risk assessments of each supplier’s security program to make sure it adheres to industry best practices and the Beacon team’s standards. This includes verification of third-party compliance audit reports.

Supplier Diversity Program

Availability requirements for Beacon may require supplier diversity in support of some features and resources within the solution. In those cases, the Beacon team identifies a diverse suite of vendors that can provide equivalent resources, components, and functionality where necessary. The Beacon team regularly (at a minimum annually) assesses vendors to determine if there are competitive options that would improve the capability, availability, or security of the system. If alternate paths are identified as options, detailed reviews and assessments of those capabilities will commence and the new capability will be added using the appropriate configuration and change management processes.