
In With the New: Implementing and Embedding your C-SCRM Programme

This post is the seventh part of a series looking at cyber security supply chain risk management (C-SCRM).

In previous posts, we looked at assessing your existing suppliers and reviewing your current supply chain cyber security processes. In this post, we will look briefly at implementing new processes and embedding a supplier assessment programme.


Implementing new processes

Based on the analysis of your current C-SCRM processes, you may have identified gaps in your internal processes or with external suppliers. The next step is to work with your suppliers to develop and implement new processes and controls on both sides to close those gaps.

As mentioned previously, you will already be in contract with at least some of the suppliers on your list, so it may not be possible to change all your arrangements straight away. However, you can plan the updates: identify when each contract is due to expire and which controls you would like to insert into any new arrangement. In the meantime, it may be possible to identify and implement temporary controls in your own environment to compensate for the gap in the supplier's controls and reduce your risk.

At some point, each of your suppliers will have reached end-of-contract, and C-SCRM will be implemented across your priority suppliers. If you have not already done so, you could expand the programme to cover more suppliers at this stage.

It will be important to continue to review not only your suppliers' cyber security measures, but also the processes in your own C-SCRM programme, so that the programme itself keeps improving.


Embedding C-SCRM in your business

Close collaboration and alignment between different teams or departments in an organisation improves the management of cyber security risks. Ensuring that C-SCRM remains embedded in your business will be an ongoing process once the initial set-up phase is complete.

Factors to consider include:

  • Integration of any changes to your current processes needed to include C-SCRM
  • Ensuring that staff have C-SCRM skills and understanding appropriate to their role, providing training and awareness as needed
  • Implementation of any revised procedures, taking C-SCRM into account. For example, you should consider:
    1. Procurement and vendor management, as discussed previously
    2. The security of your software development lifecycle, if relevant
  • Integration of C-SCRM into the contractual language used in your procurement practices
  • Development of processes to ensure that your suppliers disclose to you any vulnerabilities they identify
  • Inclusion of your priority suppliers in your business continuity and incident response preparation, planning and testing
  • Implementation of a response plan for a cyber security incident at a supplier
  • Definition, collection and reporting of metrics, so you can measure the ongoing performance of your C-SCRM programme


Securing the C-SCRM programme itself

While your C-SCRM programme is intended to help secure your supply chain by managing cyber security risks, there are potential risks that could emerge within the programme itself.

For example, if you ask each supplier to provide information about their security practices and technical infrastructure and then store that documentation, the supply chain may be put at risk if the documentation is obtained by a threat actor. Consider whether this information needs to be retained at all, or for all suppliers. If you do need to retain it, consider how it will be secured (including who needs access to it) and for how long it should be stored. Explaining this to your suppliers when you ask them for information about themselves will reassure them about your own security measures.



Looking for more information?

The newly added Govern function of the NIST Cybersecurity Framework v2 includes C-SCRM and discusses third-party cyber security risk, including in the draft framework tiers. This document is a useful resource and is worth reading if you'd like more information; another is the NIST C-SCRM document NIST SP 800-161r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. You can find both in their resource centre.

The National Cyber Security Centre has plenty of information and guidance available. They provide an introduction to supply chain risk, a best-practice guide to managing your supply chain, and new (free) training packages on supply chain management.

And we here at CSP will be happy to discuss your concerns about cyber security supply chain risk in your business. Please call us on 0113 5323763 for a conversation about how we can help.


About CSP

CSP are a specialist security consultancy helping our clients navigate this increasingly interconnected world. Our team can:

  • advise on security requirements appropriate to your situation
  • assess your suppliers against your security requirements at every stage:
    1. reviewing their responses to your security questions
    2. reviewing the security clauses in contracts
    3. auditing your selected suppliers for compliance with your security requirements
  • work with you to enhance your policies and processes to improve security throughout your procurement process.

Please contact us here or call us on 0113 5323763 to talk about how we can help.
