Secure Thinking should not be restricted to your own organisation. With complex supply chains, how can you be sure your partners are protecting your corporate assets?
In a recent compliance audit for a global manufacturer we found a large number of suppliers did not meet required security standards. This is the case in other sectors too. Many companies have good internal security policies but fail to implement these externally.
It is often easier to attack a large organisation through its suppliers. Smaller organisations, or those operating overseas, may have weaker security procedures, so attackers gain access to public and private sector organisations not by attacking them directly but by compromising a weaker link much lower down the supply chain.
Since supply chains rely on the rapid flow of information, the pressure to share data faster and via more devices is greater than ever.
So what can you do to reduce possible threats from your own supply chain while staying connected?
The ISF Supply Chain Information Risk Assurance Process
In the most mature organisations, supply chain information risk management is integrated with vendor management, as shown in the diagram below. The ISF report Securing the Supply Chain helps organisations reach this state by providing a four-step process:
Organisations beginning to address information risk management in their supply chains – or where efforts are not aligned – should start here:
To build support, this Step includes Tasks such as creating a business case and a plan for action, defining benefits, justifying investments, gaining stakeholder support and obtaining senior management commitment. This Step should align the initiative with current business processes and build a coalition of support across the organisation by involving vendor management and business owners.
To prepare for Step C: Discover and Step D: Embed, Tasks such as securing resources, developing tools and writing information security policies that guide the process are required. This Step draws together characteristics of information risk in the supply chain – such as categories of information shared and their relative risk – to create balanced and proportionate information security arrangements.
Organisations that have too many contracts to assess individually, including those with suppliers of suppliers (which includes virtually all ISF Members) should focus here:
Where there are too many contracts to assess individually, this Step identifies and categorises the information shared under each contract, targets the contracts that pose the greatest risk, and assesses the extent to which each supplier meets the required information security arrangements.
Organisations that know which contracts to assess should focus here:
This Step represents the desired outcome of the process, where supply chain information risk management is embedded into the procurement and vendor management lifecycle. This increases efficiency and effectiveness by providing a consistent, risk-based approach to managing information risk in contracts.