A blueprint for cyber supply chain risk management

One challenge for supply chain security practitioners is choosing which of the multitude of guidance documents and best practice frameworks to use when building a cyber supply chain risk management (C-SCRM) program. There is no touchstone in this arena; instead, we have shades and gradations of goodness and a plurality of approaches.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), SAFECode, The East-West Institute, Critical Infrastructure Coordinating Councils, and many others have published guidance on methods to address cyber supply chain risks. But to date, there is little evidence that C-SCRM practices are effective in stopping or reducing cyberattacks.

This lack of objective evidence of efficacy makes it difficult for a practitioner to choose which guidance, set of practices, or framework to use in their own operations.

When faced with this problem several years ago, at the outset of developing a C-SCRM function for a large enterprise, I created a compilation of different practices from various publications. This article is based on the compilation and provides a short narrative about why certain practices are included.

The compilation is primarily derived from practices described in NIST Special Publication 800-161, Cyber Supply Chain Risk Management Practices for Systems and Organizations, the results of a NIST-GSA-University of Maryland study (Sandor Boyson, Technovation), SAFECode supply chain guidance, the Build Security In Maturity Model (BSIMM), and a variety of other articles, blog posts, and documents in the public domain.

Much like the publications it is derived from, the compilation is intended to be used as a catalog of practices that is tailored by the user based on the particular circumstances of the supply chain that is being managed and which phase of the procurement lifecycle the practices are being used in.

The starting point is to identify which of the various practices in the document are best suited to your supply chain. For example, if you’re purchasing hardware, chain of custody and traceability practices are probably more important than they would be for a software purchase, and for software, secure development life cycle practices are probably more important than traceability practices.

The next steps are to incorporate the selected practices into your supply chain management processes, from onboarding to performance to closeout.

Read more at A blueprint for cyber supply chain risk management

How To Avoid a Third-Party Break in Your Supply Chain

Your business is only as secure as the weakest link in your supply chain. A single lapse by a third party can lead to an operational disruption, cyberattack, or compliance violation. How can you be certain that your vendors and partners are keeping up with the latest regulatory mandates, industry best practices, cybersecurity measures, and your own corporate standards?

Vendor Risk Management Should Be a Top Priority

In these days of high-profile data breaches and intensifying regulatory requirements, supply chain risk management has become a critical priority for every organization. Such programs typically encompass policies, standards, governance, and risk assessment. Vendor risk management falls under the last of these—and it’s the cornerstone of effective supply chain risk management.

Develop a Vendor Risk Policy with Teeth

Nothing gets the attention of a vendor like a withheld payment. To set the expectation that risk policy compliance is a requirement, not an option, let vendors know that no money will be released until the right boxes have been checked.

Document and Track

A supply chain risk register is essential to keep track of your vendors and the risk each one poses. Your database should provide a single source of information on which vendors have been approved and when, as well as their current risk assessment rating.

Stay Engaged During Procurement

Don’t wait until the final review of a master services agreement (MSA) to get involved. Build a strong collaborative relationship with the procurement team so you can be notified promptly when a business function submits a procurement request, and stay engaged during vendor sourcing. By getting in front of the process, you can avoid being labeled as a roadblock or deal-breaker.

Maintain, Scale, and Repeat Your Program

Running an effective vendor risk management program and managing supply chain risk in general is all about scaling and repeating. To uphold your policy and standards, be diligent and strict about annual security assessment and verification, and perform site inspections as needed depending on the severity of risks posed by a given vendor.

‘Trust But Verify’

From the earliest stages of the procurement process through onboarding, service provision, and offboarding, expectation-setting and verification should be woven through each vendor relationship. Even the most secure organizations can encounter challenges, and the best-run programs can break down—assume nothing, check everything.

Read more at How To Avoid a Third-Party Break in Your Supply Chain