This post is the seventh part of a series looking at cyber security supply chain risk management (C-SCRM).
In previous posts we looked at assessing your existing suppliers and at reviewing your current supply chain cyber security processes. In this post, we will look briefly at implementing new processes and embedding a supplier assessment programme.
Implementing new processes
Based on the analysis of your current C-SCRM processes, a few gaps may have been identified in your internal processes or with external suppliers. The next step would be to work with suppliers, and to develop and implement new processes and controls on both sides to fill those gaps.
As previously discussed, you will be in contract with at least some of your supplier list, so it may not be possible to make changes to all your arrangements. However, you can plan for renewal, identifying when each of the contracts will come to an end, and identifying which controls you’d like to insert into any new arrangement. Of course, it may be possible to identify and implement temporary controls for your own environment, to compensate for the gap in the supplier’s controls and reduce your risk.
At some point, each of your suppliers should have reached end-of-contract, and C-SCRM will be implemented across your priority suppliers. If you’ve not already initiated this, you could expand the programme to cover more suppliers at this stage.
It will be important to continue to review not only your suppliers’ cyber security measures, but also the processes in your C-SCRM programme to continue to improve the programme.
Embedding C-SCRM into your business
Close collaboration and alignment between different teams or departments in an organisation improves the management of cybersecurity risks. Ensuring that C-SCRM remains embedded in your business will be an ongoing process once the initial set-up phase is complete.
Among the elements to be considered:
- Integration of any changes to your current processes needed to include C-SCRM
- Ensuring that staff have C-SCRM skills and understanding appropriate to their role, providing training and awareness as needed
- Implementation of any revised procedures, taking C-SCRM into account. For example, you should consider:
- Procurement and vendor management, as discussed previously
- The security of your software development lifecycle, if relevant.
- Integration of C-SCRM into the contractual language used in your procurement practices
- Development of processes to ensure that your suppliers disclose to you any vulnerabilities identified
- Inclusion of your priority suppliers in your business continuity and incident response preparation, plans and tests
- Implementation of a response plan, in case of a supplier cyber security incident
- Definition, collection, and reporting of metrics, so you can measure the ongoing performance of your C-SCRM programme.
Securing your C-SCRM programme
While your C-SCRM programme is intended to help secure your supply chain by managing the cyber security risks, there are potential risks that could emerge within the programme.
For example, if you ask each supplier to provide information about their security practices and technical infrastructure, and then store that documentation, the supply chain may be at risk if that documentation is obtained by a threat actor. Consider whether this information needs to be retained at all, or for all suppliers. If you do need to retain it, consider how it could be secured, and how long it should be stored for. If you explain this to your suppliers when you ask them to provide information about themselves, this will reassure them about your own security practices.
Looking for more information?
The newly added Govern function of the NIST Cyber Security Framework v2 includes C-SCRM, and discusses third party cyber security risks, including in the draft Framework Tiers. This document will be a useful resource and is worth reading if you’d like more information; another is the NIST C-SCRM document NIST SP 800-161r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organisations. You can find the NIST documents in their resource centre.
The National Cyber Security Centre has a lot of information and guidance available. They offer an introduction to supply chain risk, guidance on best practices for managing your supply chain, and new (free) training packages on supply chain management.
And we here at CSP will be happy to discuss your concerns about the cyber security supply chain risk in your business. Please call us on 0113 5323763 for a conversation about how we can help.
About CSP
CSP are a specialist security consultancy helping our clients navigate this increasingly interconnected world. Our team can:
- advise on security requirements, based on your situation
- assess your suppliers against your security requirements at every stage:
- reviewing their responses to security questions
- reviewing security clauses in contracts
- auditing your selected suppliers for compliance with your security requirements.
- work with you to enhance your policies and processes to improve security throughout your procurement process.
