
Reviewing current C-SCRM processes

This post is the sixth part of a series looking at cyber security supply chain risk management (C-SCRM).

In the previous post, we looked at one of the early projects in a cyber security supplier risk management programme: assessing existing suppliers. In this post, we will consider reviewing your supplier management processes. The purpose is to ensure that your processes are appropriate throughout the contract period, and that you retain control of your risk profile.

These processes cover onboarding of your suppliers, and then the management of those suppliers throughout their engagement with your business:

  • Procurement and onboarding
  • Supplier lifecycle management

The aim will be to ensure that security is considered at every stage of each process, but only where it is relevant. If you are buying paper clips and printer paper, for example, the cyber security risk will be low (but not non-existent, if you are buying online) and won't need extensive assessment. However, if this is a trusted supplier with email access and perhaps IT access, then the risk increases significantly. For example, they (or someone pretending to be them) could forward malware via email and, because they are trusted, your staff are more likely to accept the email at face value and click the malicious link or download the attached malware.

Figure 2: Supplier risk management lifecycle
Procurement and Onboarding

A critical part of the C-SCRM programme will be to review your current procurement and onboarding processes, to ensure that cyber security is considered as part of supplier selection, in the contract agreement, and when a new supplier starts work.

Questions to consider include:

  • Does your procurement process include cyber security as a gauge of suitability? For example, does your initial risk assessment, often conducted via a questionnaire, ask (where relevant) about their secure development lifecycle, penetration testing and certifications?
  • If you will be sharing data with the supplier, do you ask where the data will be stored and how it will be transferred?
  • What about business continuity: do you discuss availability of service, and what their continuity plans are?
  • What about the contract? Does it include, for example, the right to conduct security audits, security-related SLAs, flowdowns of control requirements to subcontractors if applicable, and milestones for remediation of any security gaps?


Supplier Lifecycle Management (Ongoing and Offboarding)

Reviewing the current processes for managing suppliers once they are providing their product or service to you will indicate whether the cyber security of your suppliers is being considered now. Don't forget to think about how cyber security is handled at the end of the contract too.

Questions to consider include:

  • What processes do you have in place already to risk-assess current suppliers?
  • Are these differentiated according to the assessed risk of each supplier?
  • How will you be alerted if there is a cyber security incident (or indeed, any other incident that might impact your business continuity) at your supplier?
  • Will you consider a lighter touch for the second and subsequent years of the contract? Ongoing checks on security may be just as important as the initial check. 
  • How do you ensure the security at contract-end of any data that your supplier has been processing on your behalf? What about physical access to any of your buildings?

Once the review is complete, it should be clear where there are gaps in the cyber security aspect of your supply chain risk management processes.

The next step will be to establish whether any of those gaps can be closed and, if so, how; implementing the new controls and processes then follows.


Outsourcing Considerations

There's a lot to think about in this phase of the programme; outsourcing these tasks can reduce your own workload and ensure that the phase is completed on time.

Note, though, that whoever does this work on your behalf will still need input from you and your staff to understand how these processes work in your business.


About CSP

CSP are a specialist security consultancy helping our clients navigate this increasingly interconnected world. Our team can:

  • advise on security requirements, based on your situation
  • assess your suppliers against your security requirements at every stage:
    1. reviewing their responses to security questions
    2. reviewing the security assurance clauses in contracts
    3. auditing your selected suppliers for compliance with your security requirements.
  • work with you to enhance your policies and processes to improve security throughout your procurement process.

Please contact us here or call us on 0113 5323763 to talk about how we can help.

