Developing Your C-SCRM Policy and Programme

This post is the fourth part of a series looking at cyber security supply chain risk management (C-SCRM).

In the previous blog post in this series, we looked at some of the important issues to consider when outsourcing, and listed some of the elements of a C-SCRM programme that could be outsourced. Today we are going to discuss the first of these: the development of your C-SCRM policy and setting up a C-SCRM programme.

Why do you need a C-SCRM policy?

The purpose of a C-SCRM policy is to set the scope, objectives, and governance structure for C-SCRM in your business, and to convey the intentions of senior management. It should give a clear indication to all staff of the importance of cyber security supply chain risk management to the business, consistent with the wider risk management framework for your business. Like all your other policies, it will need to be regularly reviewed and kept up to date to ensure it remains relevant as your business changes.

Setting up a C-SCRM programme

For C-SCRM, and depending on the size of your business, there might initially be only two projects in your programme: assessing the cyber security of your current supply chain and reviewing your current procurement processes. You might later add in a review of your supplier life-cycle management processes.

You might decide to implement additional projects from the outset, such as establishing a C-SCRM structure across your enterprise, with dedicated staff and a programme management office, and setting up a training programme. 

If you develop software in-house, you might also consider reviewing the security of your software development lifecycle, looking at the security of software acquired for use from open-source libraries.

The extent of your programme will depend on your business scale and needs, but whatever the size, an early part of programme setup should be the establishment of a steering group. 

For a large organisation, the C-SCRM steering group would ideally include representatives from departments with direct involvement (such as legal and IT), but for small businesses, the steering group could be much smaller, even a single person, if that person had appropriate authority. Their brief is to set the tone for how C-SCRM risk is managed in the business, and to agree, and later support and monitor, a high-level implementation plan. This plan would cover budget, timescales, roles, and responsibilities across projects within the programme. Some of these roles and responsibilities could be met by outsourcing, should in-house resources be insufficient.

What would the C-SCRM programme involve?

A programme is a group of projects, each of which supports an overall goal for the programme. Early tasks for the programme should include:

• mapping the current supply chain: establishing an inventory of current suppliers, contracts (and end dates) and the products and services provided 
• reviewing the list of supplied products and services to assess their criticality to the business, and identify relevant controls or requirements by service or product type 

The size of the task for each supplier will depend on the criticality of the supplier to the business. The results of these will feed into the next step: assessment of cyber security at current suppliers.

Later tasks or projects could include:

• Developing policies and procedures to enable integration of C-SCRM into the business
• Maintaining the specific elements of the enterprise risk register that relate to cyber security supply chain risk
• Developing and monitoring metrics to measure the success of the programme
• Developing implementation plans for new controls needed to mitigate any security risks identified by risk assessments
• Developing and maintaining a C-SCRM Plan for monitoring implemented controls
• Developing an incident response management plan
• Embedding C-SCRM into the business through training and redefinition of performance measures.

Whatever the scale of your C-SCRM intentions, coordinating the C-SCRM tasks with each other and with related tasks across your organisation – such as enterprise-wide risk management, and business continuity planning - will achieve better results than by conducting each project separately. 

In our next post, we will look at assessing the cyber security of your current supply chain, which is a key step in your C-SCRM programme. This could be done in parallel with assessing your current C-SCRM processes or in series, depending on the level of resources available to your programme. 

In future posts, we will talk about:  

• Reviewing current processes: what could we do better?
• Implementing and embedding a C-SCRM programme

If you need help to manage or complete your programme, do contact us here at CSP on 0113 5323763. 

About CSP

CSP are a specialist security consultancy helping our clients navigate this increasingly interconnected world. Our team can:

• advise on security requirements, based on your situation
• assess your suppliers against your security requirements at every stage:
  • reviewing their responses to security questions
  • reviewing security clauses in contracts
  • auditing your selected suppliers for compliance with your security requirements.
•  work with you to enhance your policies and processes to improve security throughout your procurement process. 

Please contact us here or call us on 0113 5323763 to talk about how we can help.