When we think about supply chains, we typically think of them in relation to manufacturing: a car, for example, will typically have a radio supplied by one manufacturer, an air-conditioning system from another supplier (or two), nuts, bolts and screws from other suppliers, and so forth. The same is true of most companies operating today with respect to their IT.
In looking at the security of links between a company and its business partners, it goes without saying that the security is only as good as the weakest business partner link. But that statement must include the company's own IT as well as the security of each partner's IT systems.
Good practices, from my experience, in dealing with IT supply chain security, can be broken down into the following steps, but remember that these steps are relatively high level and that the devil is in the detail. Also note that the list is not exhaustive because each IT scenario is different.
- An IT security team needs a solid understanding of a company’s business, including all partners, subsidiaries and other external services that are used, be they public or private.
- Arising from this will be an understanding of the assets at risk and the associated value at risk (reputation, financial, ability to trade, etc).
- Likewise, the IT security team needs a solid understanding of the company’s IT, including its suppliers.
- The sourcing model matters: in-house, in-house with third-party maintenance, partial outsourcing, remote working, and so on. Do the outsourcing suppliers, in turn, outsource some of "their" IT?
- The security team needs a good and up-to-date understanding of the threat and vulnerability landscape.
- The security team needs to be able to map out the key parts of the supply chain. Caveat: too much detail and you’ll not see the wood for the trees, but conversely, take a too high-level view and you’ll start to miss some key points.
- Once the key parts of the chain have been mapped, the team needs to identify, for each part, whether its security is within the direct control of the company, under the company's indirect control, or outside the company's control altogether.
- The key here is to identify the boundaries between each supply chain part and who has the technical management of security for each part and its interfaces.
- As part of this mapping exercise, the team should consider what current industry good-practice security controls they would expect to find, both for the supply chain part under consideration and its interfaces to other supply chain parts.
- For each part of the chain, the next step is to review what security controls are actually in place, including its interfaces, and compare those with the identified good-practice controls.
- These reviews, together with the knowledge of the company assets that could be exposed by a security breach and the value at risk should a control fail, will lead to a risk profile and a remediation plan to improve security.
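The mapping and review steps above, carried through as a small gap analysis. This is an added example, not code from the original article: each chain part and each interface is recorded with its level of control, a value-at-risk score (an assumed 1 to 5 scale), the good-practice controls expected and the controls actually found; the output is a remediation list ordered by value at risk times number of missing controls, with the remediation route following the direct/indirect/no-control distinction. The sample chain and control names are constructed.

```python
"""Supply-chain control gap analysis: expected good-practice controls
versus controls actually found, per chain part and per interface."""
from dataclasses import dataclass

DIRECT, INDIRECT, NONE = "direct", "indirect", "none"

# Remediation route per level of control (see the closing thoughts).
ROUTE = {
    DIRECT: "enforce via company policy, standard or work guide",
    INDIRECT: "contract clause plus evidence (audit opinion, certificate)",
    NONE: "add interface-layer control (e.g. encryption)",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # "part" or "interface"
    control: str         # DIRECT, INDIRECT or NONE
    value_at_risk: int   # assumed scale: 1 (low) .. 5 (critical)
    expected: frozenset  # good-practice controls the team expects to find
    actual: frozenset    # controls found during the review

    def missing(self) -> frozenset:
        return self.expected - self.actual

def gap_analysis(elements):
    """Return findings sorted by risk score (value at risk x missing controls)."""
    findings = []
    for e in elements:
        gaps = e.missing()
        if not gaps:
            continue  # controls match good practice; nothing to remediate
        findings.append({
            "name": e.name, "kind": e.kind, "control": e.control,
            "missing": sorted(gaps), "score": e.value_at_risk * len(gaps),
            "route": ROUTE[e.control],
        })
    findings.sort(key=lambda f: (-f["score"], f["name"]))
    return findings

# Constructed sample chain: an in-house ERP, an outsourced payroll provider
# and the internet link between them. Control names are illustrative only.
SAMPLE = [
    Element("erp", "part", DIRECT, 5,
            frozenset({"patching", "mfa", "logging"}),
            frozenset({"patching", "mfa", "logging"})),
    Element("payroll-provider", "part", INDIRECT, 4,
            frozenset({"patching", "mfa", "logging", "annual-audit"}),
            frozenset({"patching", "mfa"})),
    Element("erp<->payroll", "interface", NONE, 4,
            frozenset({"tls", "mutual-auth"}), frozenset({"tls"})),
]

if __name__ == "__main__":
    for f in gap_analysis(SAMPLE):
        print(f"{f['score']:>2} {f['kind']:<9} {f['name']:<17} "
              f"missing={f['missing']} -> {f['route']}")
```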
What I have not explicitly covered here are the physical aspects of security, for example if a company’s offices are in a shared or multi-tenanted building, then cable rooms, closets and risers are important, is guarding outsourced, does an outsourced guarding service create entry cards, and who employs the cleaners? That is not an exhaustive list, but these are all equally part of the security supply chain.
A few thoughts to close with:
Direct control: This would be where company assets are controlled by company policies, procedures, standards and work guides. Maintenance staff could be employees or contractors legally required to follow company policies, etc.
Indirect control: This is where a third party provides services under a legal contract. That contract would have clauses relating to security and annexes spelling out the security requirements in detail. Security needs to be spelt out: it is no good just saying that the third party must be ISO27001 compliant; the statement of applicability and the relevant clauses need to be identified, together with any necessary expansion. Other standards, including any company-specific ones, need to be covered by the contract, together with mechanisms to ensure that the security is being regularly maintained, for example an independent auditor's opinion or a copy of a standards renewal certificate.
No control: The interconnections between the company and its partners (and subsidiaries and remote workers) over public or third-party networks such as the internet. Here we would have to look for the interface security of the supply chain part, for example to add a layer of security, such as encryption.
My previous Think Tank article, Security Think Tank: To follow a path, you need a good map, might add a little more with respect to risk analysis.