Supply Chain Security

5 automated security scanners

Purpose: The Vendor Manufacturing Assessment Scanner evaluates a vendor’s security practices and manufacturing controls by analyzing publicly available documentation, policy pages, trust center information, and compliance certifications. The goal is to confirm, from that public evidence, that the vendor follows industry standards and security best practices.

What It Detects:

  • Identifies the presence of formal security policies.
  • Checks for incident response procedures.
  • Verifies data protection measures.
  • Ensures access control mechanisms are in place.
  • Confirms SOC 2 compliance certification.
  • Validates ISO 27001 adherence.
  • Detects penetration testing activities.
  • Identifies vulnerability scanning or assessment processes.
  • Scans for security-related content on public policy pages.
  • Analyzes trust center information for transparency in security practices.
  • Ensures detailed explanations of data protection policies and well-documented access control mechanisms are present.
  • Identifies compliance certifications such as SOC 2 and ISO 27001.
  • Verifies the presence of penetration testing reports and vulnerability scanning or assessment documentation.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it helps in assessing the security posture of potential vendors, ensuring that they adhere to industry standards and best practices which directly impacts your organization’s overall security posture and compliance with regulatory requirements.

Risk Levels:

  • Critical: Findings that indicate a severe lack of basic security measures or policies that could lead to significant risks such as data breaches or non-compliance with critical regulations.
  • High: Issues that pose high risk, affecting the integrity and confidentiality of sensitive information, but not necessarily leading directly to regulatory non-compliance without other mitigating factors.
  • Medium: Vulnerabilities that are serious but may be mitigated through technical controls or existing security measures, posing moderate risk.
  • Low: Minor findings that do not significantly impact security posture but still warrant attention for continuous improvement and alignment with best practices.
  • Info: Non-critical findings providing additional context about the vendor’s security practices without immediate operational risks.

Example Findings:

  1. A company lacks a formal security policy document, which is critical for establishing baseline security measures.
  2. The trust center does not provide details on data protection policies, making it difficult to assess how sensitive information is handled and protected.

Purpose: The Distribution Security Scanner is designed to safeguard companies against potential threats by scrutinizing their security documentation, public policy pages, trust center information, and compliance certifications. Its primary objective is to ensure robust supply chain security measures are in place, thereby mitigating the risk of package tampering and interception attacks.

What It Detects:

  • Security Policy Presence: The scanner checks for the existence of a comprehensive security policy document that addresses essential areas such as incident response, data protection, and access control.
  • Incident Response Procedures: It verifies the presence of an incident response plan and ensures it includes detailed procedures for managing breaches and attacks.
  • Data Protection Measures: The tool evaluates whether data protection policies are up-to-date and cover essential measures like encryption, secure storage, and regular audits.
  • Access Control Policies: It assesses the strength of documented access control mechanisms and checks that guidelines for user authentication, authorization, and session management are clearly stated.
  • Compliance with Standards: The scanner identifies certifications such as SOC 2, ISO 27001, and other relevant compliance standards to ensure adherence to industry best practices and regulatory requirements.

Inputs Required:

  • domain (string): Primary domain of the company website for analysis.
  • company_name (string): The name of the company whose security documentation is being reviewed.

Business Impact: This scanner plays a crucial role in enhancing the overall security posture of companies by proactively identifying and addressing potential vulnerabilities in their supply chain. It helps ensure that all critical aspects of cybersecurity are covered, thereby protecting sensitive information and maintaining trust with stakeholders.

Risk Levels:

  • Critical: The scanner flags conditions where there is no documented security policy or the existing policy lacks essential elements such as incident response procedures or data protection measures.
  • High: The presence of outdated or incomplete policies that do not meet current cybersecurity standards, leading to potential exposure and risks in handling sensitive information.
  • Medium: Inadequate access control mechanisms without clear guidelines for user authentication and authorization can lead to unauthorized access and increased risk of data breaches.
  • Low: Informational findings include the presence of compliance certifications but with minor discrepancies that do not significantly impact security posture, such as outdated documentation or incomplete procedures.

Example Findings:

  1. A company lacks a documented security policy despite being involved in sensitive industries like healthcare.
  2. The incident response plan is insufficiently detailed and does not cover all critical aspects of handling data breaches effectively.

Purpose: The Asset Lifecycle Management Scanner is designed to ensure secure disposal practices, data sanitization procedures, hardware reuse policies, compliance with standards, and documentation availability by analyzing company security documentation, public policy pages, trust center information, and compliance certifications. This tool helps identify potential vulnerabilities in the asset lifecycle management processes that could lead to data leaks or unauthorized access.

What It Detects:

  • Secure Disposal Practices: The scanner tests for policies related to secure disposal of hardware and media, checks for procedures on physical destruction methods, verifies guidelines on electronic waste recycling, detects mentions of data sanitization before disposal, and flags any lack of specific disposal instructions.
  • Data Sanitization Procedures: It tests for policies detailing data sanitization techniques, checks for references to software-based sanitization tools and methods, verifies steps taken to ensure data cannot be recovered after sanitization, and detects guidelines on handling sensitive data during sanitization processes.
  • Hardware Reuse Policies: The scanner tests for policies governing the reuse of hardware assets, checks for procedures on reconditioning and refurbishing hardware, verifies guidelines on software reinstallation and configuration before reuse, and detects mentions of data erasure before hardware is reused.
  • Compliance with Standards: It tests for references to compliance certifications such as SOC 2, ISO 27001, checks for penetration test results and vulnerability assessments, and verifies adherence to industry standards for asset lifecycle management.
  • Documentation Availability: The scanner tests for the presence of comprehensive security documentation, checks for accessibility of policy pages related to asset lifecycle management, verifies trust center information includes relevant asset lifecycle details, and detects availability of compliance certifications and audit reports.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Ensuring secure disposal, data sanitization, and hardware reuse practices is crucial for protecting sensitive information from unauthorized access and ensuring compliance with regulatory standards. This directly impacts the overall security posture of an organization by minimizing potential vulnerabilities that could lead to data breaches or non-compliance fines.

Risk Levels:

  • Critical: Findings indicating a direct risk to asset integrity, availability, and confidentiality due to lack of secure disposal practices, improper sanitization procedures, inadequate hardware reuse controls, or non-compliance with critical standards.
  • High: Issues that pose significant risks such as incomplete or vague data sanitization guidelines, insufficient documentation on security policies, or outdated compliance certifications.
  • Medium: Weaknesses in asset lifecycle management processes that could be exploited but do not directly compromise security. These include minor gaps in disposal procedures or incomplete hardware reconditioning records.
  • Low: Minor findings such as missing details in the trust center information or small discrepancies in documentation, which are worth noting but unlikely to lead to significant risk.
  • Info: General informational findings about the presence and accessibility of company security documentation without immediate risk.

Example Findings:

  • “The company lacks a specific data sanitization policy that outlines how they ensure complete data erasure before disposal.”
  • “There is no mention of compliance with ISO 27001 in any public documents, which could lead to non-compliance risks.”


Purpose: The Hardware Supply Chain Scanner is designed to detect counterfeit components and hardware tampering within the supply chain of hardware products. It aims to ensure the integrity and security of these products by analyzing company policies, certifications, and trust center information to identify potential vulnerabilities in the supply chain management processes.

What It Detects:

  • Counterfeit Component Detection: Identifies mentions of counterfeit parts or components, checks for reported incidents of counterfeit hardware, and verifies supplier verification practices.
  • Hardware Tampering Indicators: Looks for signs of tampered hardware, detects reports of physical security breaches in manufacturing facilities, and analyzes incident response plans related to hardware tampering.
  • Supply Chain Security Policies: Reviews company security documentation for supply chain policies, checks compliance with industry standards like ISO/IEC 28000, and verifies the presence of third-party audits and certifications.
  • Vendor Risk Management: Evaluates vendor management practices, including due diligence processes, identifies key suppliers and their security measures, and assesses supplier diversity and redundancy plans.
  • Compliance Certifications: Looks for recognized compliance certifications such as ISO/IEC 27001 or SOC 2, verifies the presence of penetration testing and vulnerability assessments, and checks for data protection policies and access controls.

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com)
  • company_name (string): The company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial for organizations aiming to safeguard their hardware products against counterfeit components and tampering, which can lead to significant security breaches and financial losses. It helps in maintaining the integrity of the supply chain and ensuring that only genuine and secure parts are used in the final product.

Risk Levels:

  • Critical: Conditions where there is clear evidence of unauthorized modifications or use of counterfeit components, with potential severe impacts on product safety and compliance.
  • High: Situations where significant vulnerabilities exist without adequate security measures, such as missing penetration tests or incomplete data protection policies.
  • Medium: Where some deficiencies in supply chain practices are observed but do not pose immediate critical risks, requiring improvement to align with industry standards.
  • Low: Minor findings that might indicate a need for better awareness or a clearer description of existing practices, without significant security implications.
  • Info: General information about company policies and procedures related to hardware supply chain management, which does not directly affect risk levels but provides baseline insights.

Example Findings:

  1. The scanner flagged multiple mentions of counterfeit components in the supplier documentation, indicating a potential vulnerability that needs immediate attention.
  2. A detected tampering incident in one of the manufacturing facilities highlighted inadequate physical security measures, posing a high risk to product integrity.


Purpose: The Manufacturing Security Scanner is designed to identify potential vulnerabilities and gaps in a company’s manufacturing security posture by analyzing its documentation, public policy pages, trust center information, and compliance certifications. This tool helps ensure that the organization has robust security policies and practices in place to protect against threats and comply with industry standards.

What It Detects:

  • Security Policy Indicators: The scanner identifies the presence of a formal security policy, checks for incident response procedures, verifies data protection measures, and ensures access control mechanisms are documented.
  • Maturity Indicators: This includes confirming SOC 2 compliance certification, validating ISO 27001 standards adherence, detecting penetration testing activities, and identifying vulnerability scanning or assessment processes.
  • Public Policy Pages: It analyzes public-facing policy documents for security-related content, searches for incident response plans on official company websites, evaluates data protection policies and their implementation details, and reviews access control measures described in public documentation.
  • Trust Center Information: The scanner scrapes trust center pages for security disclosures, checks for transparency in security practices and certifications, validates the presence of compliance badges or logos, and ensures detailed descriptions of security controls are available.
  • Compliance Certifications: Identifies SOC 2, ISO 27001, and other relevant compliance certifications, verifies their validity and scope, checks for regular audits and updates to compliance status, and ensures that certification details are publicly accessible and up-to-date.

Inputs Required:

  • domain (string): The primary domain of the company website to be analyzed (e.g., acme.com).
  • company_name (string): The name of the company for which the analysis is being conducted (e.g., “Acme Corporation”).

Business Impact: This scanner plays a crucial role in enhancing the security posture of manufacturing organizations by proactively identifying and addressing potential weaknesses in their documentation, policies, and compliance practices. It helps ensure that companies are meeting industry standards and protecting sensitive information effectively, which is critical for maintaining trust with stakeholders and avoiding significant risks associated with data breaches or non-compliance.

Risk Levels:

  • Critical: Conditions that would lead to a critical severity finding include the absence of any documented security policy, lack of clear incident response procedures, inadequate data protection measures, and ineffective access control mechanisms.
  • High: High risk conditions involve missing SOC 2 or ISO 27001 compliance certifications, unreported penetration testing results, and incomplete vulnerability scanning or assessment processes.
  • Medium: Medium severity risks are associated with insufficient transparency in security practices, outdated compliance status information, and unclear descriptions of implemented security controls.
  • Low: Low risk conditions include minor discrepancies in public policy pages that do not significantly impact overall security posture but should be addressed for continuous improvement.
  • Info: Informational findings pertain to the presence of compliance badges or logos without detailed supporting documentation or publicly accessible information about security practices and certifications.

Example Findings:

  1. The company lacks a formal security policy document that outlines incident response procedures, data protection measures, and access control mechanisms. This could lead to critical risk as it significantly compromises the organization’s ability to respond to potential threats and protect sensitive information.
  2. There is no evidence of ISO 27001 compliance certification or any other relevant standards adherence, which would be considered a high-risk condition due to the lack of formalized security practices and potential exposure to regulatory non-compliance.
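All five scanners above share the same pattern: collect public documents for a vendor, look for evidence of specific controls and certifications, and map what is missing (or claimed without support) onto the Critical/High/Medium/Low/Info bands. The following Python is an added illustration of that evidence-collection pattern and is not the product’s own code. The indicator regexes, the severity assigned to each missing indicator (following the Critical and High bands described for the Manufacturing Security Scanner), the rule that a certification claim with no nearby report, scope, auditor or date is only an Info finding, and the sample documents are all my assumptions, constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators the scanners on this page look for in public documentation.
# Regexes are my own approximations (assumption), not the product's rules.
INDICATORS = {
    "security_policy": r"\b(information )?security polic(y|ies)\b",
    "incident_response": r"\bincident response\b",
    "data_protection": r"\b(data protection|encrypt(ion|ed))\b",
    "access_control": r"\b(access control|least privilege|multi-factor|MFA)\b",
    "soc2": r"\bSOC ?2\b",
    "iso27001": r"\bISO(/IEC)? ?27001\b",
    "pentest": r"\bpenetration test(s|ing)?\b",
    "vuln_scanning": r"\bvulnerability (scan(s|ning)?|assessment(s)?)\b",
}

# Severity when an indicator is absent: policy/IR/data protection/access control
# gaps are Critical, missing certifications or testing evidence are High (assumption
# modelled on the bands described above).
MISSING_SEVERITY = {
    "security_policy": "Critical", "incident_response": "Critical",
    "data_protection": "Critical", "access_control": "Critical",
    "soc2": "High", "iso27001": "High", "pentest": "High", "vuln_scanning": "High",
}
CERTIFICATIONS = {"soc2", "iso27001"}

# A certification claim is only a badge unless supporting detail (report type,
# audit, scope or a year) appears near it; such claims become Info findings.
DETAIL_PATTERN = r"\b(Type (I|II|1|2)|report|audit(ed|or)?|scope|20\d\d)\b"

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]


@dataclass
class Finding:
    indicator: str
    severity: str
    source: str      # document the evidence came from ("" when nothing was found)
    evidence: str    # matched snippet, so every finding is explainable


def find_evidence(docs, pattern):
    """Return (source, start, end) for the first match across docs, else None."""
    rx = re.compile(pattern, re.IGNORECASE)
    for name, text in docs.items():
        m = rx.search(text)
        if m:
            return name, m.start(), m.end()
    return None


def has_supporting_detail(text, start, end, window=200):
    """True if certification detail appears within `window` chars of the claim."""
    lo, hi = max(0, start - window), min(len(text), end + window)
    return re.search(DETAIL_PATTERN, text[lo:hi], re.IGNORECASE) is not None


def assess(docs):
    """docs: {source_name: page_text}. Returns only the findings worth reporting."""
    findings = []
    for indicator, pattern in INDICATORS.items():
        hit = find_evidence(docs, pattern)
        if hit is None:
            findings.append(Finding(indicator, MISSING_SEVERITY[indicator], "", ""))
            continue
        source, start, end = hit
        text = docs[source]
        snippet = text[max(0, start - 40):min(len(text), end + 40)].strip()
        if indicator in CERTIFICATIONS and not has_supporting_detail(text, start, end):
            findings.append(Finding(indicator, "Info", source, snippet))
    return findings


def overall_risk(findings):
    """Highest severity among the findings; 'Info' when there is nothing to report."""
    if not findings:
        return "Info"
    return min((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample documents for a fictional vendor (not real pages).
SAMPLE_DOCS = {
    "https://example.com/security": (
        "Our Information Security Policy is reviewed annually. We operate an incident "
        "response process with a 24x7 on-call team. Customer data is encrypted at rest "
        "and in transit."
    ),
    "https://example.com/trust": (
        "Acme Example Corp is SOC 2 certified. Penetration testing is performed by an "
        "independent firm each year, and findings are tracked to closure."
    ),
}

if __name__ == "__main__":
    results = assess(SAMPLE_DOCS)
    for f in results:
        print(f"[{f.severity}] {f.indicator}: {f.evidence or 'no evidence found'}")
    print("Overall:", overall_risk(results))
```

Running this on the constructed sample reports a Critical finding for the absent access control guidance, High findings for the missing ISO 27001 and vulnerability scanning evidence, and an Info finding because the SOC 2 claim is a bare badge with no report, scope or date beside it, which matches the bands the scanners above describe. Keeping the source URL and matched snippet on every finding is the part worth copying: an assessment that cannot point at the sentence it relied on is hard for a vendor to dispute or for a reviewer to verify.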