InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
In a previous article, we showed why many companies underestimate cyber supply chain risk management (C-SCRM), even though the impact on their own business can be huge. This is not due to a lack of interest ‒ quite the opposite! As is so often the case, it is caused by a lack of internal resources. In this article, we show you how to efficiently set up a C-SCRM and in doing so gain important insights into your risk landscape.
Companies' value chains have never been more vulnerable than they are today. This is due to influences such as changed production methods, globalisation, increasing technology / digitisation, economic and political influences etc. To be able to assess the risk potential, it is important to know the process chains, their dependencies and consequences in the event of disruptions (availability, financial consequences, reputation, compliance with SLAs, etc.). These form the basis for determining loss reduction measures as part of risk management.
Swiss companies are increasingly focusing on Cyber Supply Chain Risk Management (C-SCRM). It is important to be aligned with existing standards and best practices. For example, ISO/IEC 27036:2013 is part of the ISO/IEC 27001 series, and describes information security for supplier relationships. Additionally, in its update of the NIST Cyber Security Framework last year, NIST added the category "Supply Chain Risk Management", underlining the importance of SCRM in terms of corporate security.
Version 1.1 of the NIST Cyber Security Framework (in Switzerland, this framework forms the basis for the minimum ICT standard) is specifically designed to take account of new technological developments and also covers areas such as supply chain and IoT. Another focus is on identifying risks in the entire supply chain. NIST has introduced a separate category (ID.SC) to implement processes to identify, assess and manage risks in the supply chain.
This process involves not only the company itself but also a wide range of actors such as manufacturers of devices, network and cloud providers, other service providers and consumers. Communication and auditing of cyber security requirements between stakeholders is one aspect of C-SCRM. NIST defines the main objective as follows:
"Identify, assess, and minimise products and services that may contain potentially harmful features, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain."
In terms of cyber security, this means, among other things:
In concrete terms, this means that you must ensure that all your business partners enter into a binding commitment to protect digital intellectual property and data in exactly the same way as is stipulated in your cyber security requirements. In addition, all parties must be aware that you also reserve the right to review this.
The aim of a supplier lifecycle process is to optimally integrate and manage third-party providers in your company into your processes and to automate the monitoring and management of providers as far as possible, thereby reducing the workload. This also applies to the area of C-SCRM, which is part of Supplier Lifecycle Management and requires specific knowledge and experience in the cyber security field. The entire supplier lifecycle can be described as follows:
The challenges of C-SCRM that your company needs to focus on can be broken down into the following areas:
So as you see, Cyber Supply Chain Risk Management is not really a new discipline, but rather an extension of your own risk management and your cyber security in terms of the suppliers. The advantages are obvious: you get the transparency about cyber risks and the maturity of cyber security within your supply chain that you need. This enables you to meet the various compliance requirements, and at the same time view your critical assets in relation to your suppliers. By using an appropriate tool such as "SecurityScorecard", this can also be done with relatively little effort.
Our many years of experience in cyber security have given us the expertise you need to help you define and build your Cyber Supply chain Risk Management. We help you to understand your current risk landscape and measure your risks, define your supply chain risk management strategy and implement the measures required. Find out more about this on our web page.