This project reflects the type of work I support in real-world engagements. The documentation consolidates insights from that experience alongside my ongoing self-directed study. All materials use synthetic data—no client information is reproduced—and the templates are either self-developed or properly licensed and are not proprietary to any organisation.
The work assessed supply-chain risk for a financial software provider, triggered by a ransomware attack originating from a critical payroll and procurement vendor.
The documents developed reflect the full incident lifecycle: from analysing the failure of a prior vendor assessment, to reporting the breach, to redesigning a robust vendor risk management framework that prevents recurrence.
- Analysed the failed 2023 vendor assessment (Metalytics), which revealed red flags like an absent CISO and multiple "Partially" or "Not Implemented" controls. This indicated a weak, checkbox-ticking exercise.
- Prepared the detailed ransomware incident report, which documented the attack vector, impact, and validated the need for a transformed approach.
- The 2026 vendor assessment framework (Motiontek) demonstrated a clear evolution to a rigorous, evidence-based methodology. The exhaustive questionnaire mapped controls to specific services (see 'Service Specific Assessment') and demanded concrete evidence.
- To solidify this shift, the company appointed an external Data Protection Consultancy (ATSL) for independent audits, moving the risk management model from vendor self-assessment to verified, third-party control validation.
- Lack of Evidence-Based Validation: The breach was missed because assessments accepted vague promises. Recommendation: For critical vendors, mandate proof like encryption screenshots and security logs.
- Absence of Continuous Monitoring: The pre-breach process was a static, annual review. Recommendation: Replace this with a dynamic risk register that mandates periodic security scorecards and trigger-based reassessments for real-time risk management.
Third-party risk is dynamic. A strong initial assessment is insufficient without mechanisms for continuous assurance.
Future programs should implement right-to-audit clauses with automated evidence collection and require vendor cyber insurance verification as a financial mitigant.