Summary

Compromise of security and integrity management of large, complex supply chains is not a new risk, but is certainly getting more attention from senior leadership across industries in the past one year than it has ever been.  Part of the reason stems from reported security incidents in the supply chain as well as a recognition that a compromise of the supply chain can present an existential risk to the organisation itself and cause significant revenue loss and reputational damage.  This series of articles will deal with key aspects of protecting the supply chain, the authoritative guidance that is slowly emerging out of the standard setting bodies and the operational aspects of implementing them.

The first part in this series deals with the recently published draft guidance from National Institute of Standards and Technology (NIST).  It explains some (not all, by any stretch) of its requirements, what organisations can expect if they choose to implement a similar program and the main challenges they will face.

 Supply Chain Risk Management (SCRM)-who needs it?

 As in most aspects related to security, there is no clear answer to this.  All security or compliance requirements constitute a process overhead viz. they add to the cost and complexity and more often than not, “stretches” the critical path in executing projects.  Organizations need to weigh the risks and rewards, its hard dollar costs and often intangible benefits and take a conscious decision that they can live by.  However, in my assessment, all organisations probably need some aspects of it (“SCRM lite”) and a few large organizations should implement a full-scale SCRM program.

 

What are the pre-requisites of an effective SCRM program?

 

Most of the requirements (i.e. well defined and documented processes, agreed upon roles and responsibilities, a robust QA program and requisite budgetary support) are not rocket science, and are well known to organisations and practitioners who have implemented any standards based competency.  However the NIST guidance introduces two requirements that are unique to SCRM and merits some discussion here.

 

  • Mechanisms that enable adherence to supply chain processes even during adverse events (e.g. disasters, emergency yet major technology changes etc.).   This is an obvious, yet counter-intuitive requirement.  Emergencies require an agile response, and often that can only be achieved by not conforming to a process.  However, ad-hoc decisions, taken without the benefit of a playbook, can also introduce vulnerabilities that may prove costly in the longer term.  There is no magic bullet to manage this requirement, other than
    • A well-documented emergency procurement playbook; and
    • Practicing emergency procurement as part of BCP exercises with the participation of key actors.
  • Expanding the Incident Management program to include supply chain events.  This involves broadening the scope of the incident management program to
    • Enable identification and reporting of supply chain incidents.  Both are key steps, missing either makes the entire program ineffective
    • Involving contracting organizations in incident management teams as well as post-facto metadata analysis
    • Institutional mechanisms to resolve and remediate, like any other incident. 
    • Simulated table-top exercises to continuously build and enhance the playbook.  Real-life incidents seldom afford the luxury of time, and organisations who are prepared for the worst fare the best in their effectiveness of response.

SCRM implementation process

Organizations need to implement a risk-based implementation, starting with an honest risk assessment followed by planning, requirement specification, supplier/ market analysis, procurement and contract execution.  The difference under the SCRM approach lies not in the procurement process itself (which does not change much), but in the nuanced interject of information security and risk management activities into the overall process.  These include elements like

  •  Security, threat and vulnerability assessment of suppliers as part of RFI review and not as a compliance requirement or an afterthought
  •  Comparing competing suppliers on their information security track record as well as their commitment to maintaining a strong security posture (and bearing the costs associated with it)
  •  Assessment of the supplier’s fiduciary commitment to the safety of market sensitive data as well as intellectual property
  •  Maturity of supplier’s continuous monitoring processes and the effect that a low maturity of supplier’s control environment may have on overall program costs (necessitating higher effort to source, process and analyze continuous monitoring data)

 The success of the implementation lies in designing the interjects intelligently and with a high degree of business acumen, resulting in actions that leverages existing technology, infrastructure and systems of records and do not add any noticeable delay in the larger business process.

 Supply Chain Risk Management Practices

 NIST recommends the following SCRM best practices.  Each of these practices offer substantial risk reduction benefits, generate significant challenges (especially in large, heterogeneous organizations) and needs an implementation approach that is uniquely tailored to its product suite and business model.  The elements are:

  • Identify all aspects of the supply chain including all participating organisations and internal stakeholders
  • Limit access to the supply chain on a strict “need-to-know” basis
  • Create and maintain provenance of all “elements, processes, tools and data” in the supply chain.  In my opinion, this requirement puts the most demands on the SCM system, is the costliest to implement and may require re-configuration of systems of record (e.g. ERP, CMDB etc.)
  • Share information on a “need-to-know” basis
  • Invest in SCRM awareness and training.  Again, training remains a much neglected area but its importance on effective security implementation can’t be over-emphasized.
  • Use “defensive design” to protect intellectual property , trade secrets and other confidential data
  • Sustain controls throughout the lifecycle of the relationship
  • Ensure secure disposal and final disposition at the end of key asset cycle or when the relationship terminates

I hope to discuss two key requirements (viz. provenance assurance and continuous monitoring) in subsequent blogs on this topic based on your feedback and interest.

 Conclusion

Complex, pervasive supply chains have introduced unforeseen risks for large organisations who now need to adopt a new approach to manage identify, enumerate and manage them.  The guidance from NIST is a good document to a discipline which is evolving along with its practitioners.  New risks will continue to emerge, as will control approaches to mitigate them.  However, organisations need to take a stand now and set out a program that works for them today instead of waiting for a comprehensive solution which may come too late for them, and at a cost that may far outweigh the investments that is needed for an immediate implementation.

References

  1. Draft NISTIR 7622 from National Institute of Standards and Technology (NIST)
  2. http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx