The top 6 things CISOs should be doing to…

By Gemma Murphy on April 5, 2022

Every organisation works or partners with key suppliers that provide non-core services or resources to it. Supply chains are often large and complex, and securing your supply chain matters: disruption or compromise of your supply chain may affect your brand, your revenue, core business operations, your customers, your staff, and your legal, regulatory and contractual compliance. To protect your organisation from supply chain risks, CISOs should channel their efforts into the following 6 major areas:

1. Clarify your CISO supply chain scope

Supply chain security is a whole-of-business issue, not just an IT issue. CISOs rightly have a specific role in managing the risks associated with IT and digital-related suppliers and services. It is very important to agree with the enterprise risk and procurement functions within your organisation the exact scope of CISO responsibility for supply chain assurance and controls. Grey areas such as shadow IT services, building management systems, and integrated or managed services that need to “plug in” to your enterprise infrastructure services (network, remote access, email, API access, etc.) need agreed demarcation points.

You also need a process for selecting and assuring suppliers, for onboarding and offboarding them, and for operating and change-managing the services they provide. Shadow IT SaaS services also need particular CISO attention, business awareness and compliance. Ensure you generate awareness of supply chain risk, of the need for processes and controls within your organisation, and of what your standard requirements and policies are.

2. Use risk and maturity assessment based approaches

Security budgets, time and personnel are all scarce resources. You need to ensure that you are spending wisely and optimising the effectiveness of your security controls. One of the best methods to prioritise your efforts and spend is to use a risk-based approach. Supply chain risk management should be part of your organisation’s overall enterprise risk management process. Use risk management tools to identify high-risk, high-impact suppliers and target your efforts and security controls to mitigate those risks first. High-risk, high-impact suppliers from a cyber-risk perspective are not always key strategic suppliers to your business. Be mindful, for example, that the compromise of a relatively low-profile HVAC supplier’s credentials was the ingress point into the Target retail network in the US, resulting in one of the largest data breaches in history.

You should use recognised processes and methodologies such as ISO 28000 (specification for security management for the supply chain), ISO 31000 for risk management and ISO 27001 for information security management, coupled with maturity models such as CMM and CPNI, to rank or rate supplier information security and suppliers’ personnel capabilities. You also need a reasonably deterministic way of assessing your IT and digital suppliers based on parameters relevant to your organisation, such as the value and sensitivity of the information or assets that they process, hold, supply or have access to.

3. Know your suppliers and the risks they pose

In order to risk-assess properly you need to know who your suppliers are. You need to work with the procurement and risk functions so that you have a comprehensive inventory of existing suppliers and your team is part of the process for identifying existing and new suppliers and services of relevance to your CISO supply chain scope. Using the methodologies above, assess the capabilities and the security arrangements of your suppliers and their sub-suppliers. Also assess whether your own CISO and IT organisation is itself a supplier to your organisation and to your own customers, and ensure that on your own service supply you enforce and meet any requirements that you are asking your supply chain to meet. This consistency helps ensure your controls and standards are relevant and your whole organisation is familiar with your standard.

• Know the critical information assets your suppliers supply or have access to

You need to know, from your overall enterprise risk assessment, the inventory and classification of your information assets and the controls to be applied to manage the risks you have identified to these assets. Your supplier due diligence then needs to assess which suppliers have access to these assets and what their capability maturity is. You then assess and define the controls they apply, or propose applying, to these assets to determine whether they are adequate or not.

You need to know and understand the sensitivity of the contracts you are or will be letting, and the information assets impacted by these contracts and suppliers.

4. Establish workable supply chain controls

Set supply chain security goals. Clearly communicate both your minimum and desirable security requirements and supplier responsibilities at the procurement stage. Ensure security requirements and capabilities are appropriately weighted metrics in your evaluation, selection and renewal criteria and in supplier contracts. Control your supply chain by establishing the right to audit and any reporting requirements. You should have regular interaction with suppliers, with visibility and reporting of business-as-usual (BAU) status and exceptions, prior to, and in addition to, conducting any supply chain security audits.

Security controls only work, in your own or any third-party organisation, when they meet Specific, Measurable, Achievable, Realistic, Timely (SMART) criteria. Some controls may not be economical to implement, and other risk management mechanisms such as transference (insurance) or acceptance of the risk may be required.

Consider whether it is necessary to integrate your suppliers into your cyber security incident handling and response processes. If this integration is required, ensure that the supplier understands their roles and responsibilities in this process. Identify whether any systems integration is needed in your IR process (e.g. helpdesk) and ensure that contact matrices are fully documented and kept up to date. Consider whether suppliers need to be exercised and tested as part of any incident response rehearsals that you perform.

5. Systemically operate controls

Define processes for onboarding suppliers and for continuous monitoring and validation, in particular of high-risk, high-priority suppliers. Aim for consistency and sustainability of compliance with your supply chain controls and service levels over the lifecycle of supply. Identify conformity and reward consistently compliant suppliers. Remediate non-conformity either by allowing the supplier to improve their performance or by terminating and substituting a better-performing supplier. For newer or immature suppliers you may need to provide training, guidance, tools and processes to assist with controls. Ensure you have mechanisms for regularly reviewing your risks and modifying your controls as appropriate to remediate newly identified risks. Your supplier contracts need to cater for re-assessment and changes to required controls. For critical suppliers you should have resilience and redundancy in your supply chain. Best practice is to ensure regular contract renewals at appropriate intervals, with reassessment of risks and improvement to existing supplier capabilities and value-add.

Establish continuous improvement and consider initiatives such as supplier collaboration, security information and threat intelligence sharing, and sharing the outputs of after-action reviews, to promote better understanding of emerging supply chain attacks.

6. Validate, Trust, Validate

For newer supply relationships you may wish to satisfy your organisation as to the supplier’s conformance and performance through references and independent audits prior to and shortly after onboarding. Once a pattern of performance and compliance is established, you may be able to “trust” this supplier, relying on self-reporting with more limited or less frequent audits. For problem suppliers you may need more regular audits and increased self-reporting. For critical suppliers you may need higher levels of assurance, regardless of “trust”. In the event of supply chain compromise or non-conformance, you may need to either terminate or replace the supplier. Alternatively, you may default back to lower levels of “trust”, with higher levels of audit and reporting, until an appropriate equilibrium is re-established. Supply chain breaches, like any breach, should always be followed by an after-action review and an assessment of the issue or vulnerability across the entire supply chain, with appropriate risk management and control adjustments as required.

Ward Solutions is a full-service, full security lifecycle provider. If you don’t have the right manpower, tools and expertise, consider partnering with a security consultancy and managed cloud security service provider with the knowledge and skills to help supply or augment your CISO, security engineering and security operations resources. Talk to us today to see how we can help.

