1.12 Apply Supply Chain Risk Management (SCRM) concepts

1.12 Apply Supply Chain Risk Management (SCRM) concepts

• Risks associated with hardware, software, and services
• Third-party assessment and monitoring
• Minimum security requirements
• Service-level requirements

If you buy a computer from HP, it will contain components from Intel (processor), AMD, Nvidia, Logitech, etc.  Each of those components will contain sub-components from different vendors.  That means that hundreds of companies may have supplied components to the computer.  Now think about a Cisco switch or a Juniper router.  The same issue happens – it may contain components from hundreds of different vendors. 

Every product contains components from other vendors, each of whom could have modified it in a bad way.  We call this the supply chain.  We want each company in the supply chain to be trusted so that they cannot introduce bad things into the final product.  It’s not just malware in the firmware, it could also be poor manufacturing processes, counterfeit components, or harmful chemicals.  We don’t want to buy products with components that could fail or that could harm us.  We also don’t want to buy products or services from vendors who do illegal things, use child labor, violate human rights, or harm the environment.

How do we know if we should trust a vendor?  We can perform a security assessment, which can include

• On-Site Assessment – we visit the vendor’s offices, factories, and warehouses.  We interview the vendor’s employees and managers to ensure that they are operating in accordance with security policies.  We should perform surprise inspections where possible.  This might be difficult because the vendor will not want to disclose proprietary information.
  
  
• Document Exchange and Review – we review documentation provided by the vendor.  This could include policies, standards, baselines, and operating documentation.
  
  
• Third-Party Audit – we ask the vendor to perform a third-party audit.  The audit will be based on a framework (of which there are many).  We must choose a framework that is consistent with our security objectives.
  
  
• Service-Level Agreement – we sign an agreement that outlines how the vendor is expected to perform
  
  
  • What products or services is the vendor going to provide?
    
    
  • How quickly will the vendor provide the products or services?
    
    
  • What quantity of products and services will they provide?
    
    
  • What penalties can be imposed for a failure to abide by the agreement?

There are several Supply chain Frameworks

• NIST IR 7622: Notional Supply Chain Risk Management Practices for Federal Information Systems
  
  
  • It was developed for the federal government, but has applications in the private sector
    
    
  • There are ten steps
    
    
    • Uniquely Identify Supply Chain Elements, Processes, and Actors
      
      
    • Limit Access and Exposure within the Supply Chain
      
      
    • Establish and Maintain the Provenance of Elements, Processes, Tools, and Data
      
      
    • Share Information within Strict Limits
      
      
    • Perform SCRM Awareness and Training
      
      
    • Use Defensive Design for Systems, Elements, and Processes
      
      
    • Perform Continuous Integrator Review
      
      
    • Strengthen Delivery Mechanisms
      
      
    • Assure Sustainment Activities and Processes
      
      
    • Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle
      
      
• ISO 28000:2007 Specification for security management systems for the supply chain
  
  
  • It is based on Plan, Do, Check, Act
    
    
  • Plan – what are the objectives of the policy
    
    
  • Do – implement the policy
    
    
  • Check – monitor the systems to ensure compliance
    
    
  • Act – improve the system based on information gathered
    
    
• UK National Cyber Security Center – Supply chain security guidance
  
  
  • Puts out guidelines for supply chain security
    
    
    • Understand what we are protecting and why
      
      
      • How valuable is the information?
        
        
      • What will each supplier have access to?
        
        
    • Know who our suppliers are and what their security is like
      
      
      • Physical and logical security
        
        
      • Maturity
        
        
    • Understand supply chain security risks
      
      
      • What are all the risks?
        
        
      • What are the mitigation efforts?
        
        
    • Communicate our security needs with our suppliers
      
      
    • Set minimum security requirements with our suppliers
      
      
    • Build security into our contracting process
      
      
      • Prospective suppliers should prove that they meet our security standards
        
        
      • Provide support to suppliers
        
        
      • Tailor security requirements to the circumstances of each vendor
        
        
    • Enforce security on our own systems
      
      
      • Accept security requirements from our customers
        
        
      • Comply with audits
        
        
      • Push customer security requirements onto our subcontractors
        
        
    • Raise security awareness within our supply chain
      
      
    • Provide support for security incidents
      
      
    • Build assurance into your supply chain
      
      
      • Require key suppliers to report on their security
        
        
      • Implement a “right to audit” clause into all contracts
        
        
      • Act on security threats
        
        
    • Encourage continuous improvement
      
      
      • Provide suppliers with time to improve
        
        
    • Build trust
      
      
      • Maintain communication with suppliers