Information Security, business continuity (BCP), privacy, compliance
Compromise of the security and integrity management of large, complex supply chains is not a new risk, but it has received more attention from senior leadership across industries in the past year than ever before. Part of the reason stems from reported security incidents in the supply chain, as well as a recognition that a compromise of the supply chain can present an existential risk to the organisation itself and cause significant revenue loss and reputational damage. This series of articles will deal with key aspects of protecting the supply chain, the authoritative guidance that is slowly emerging from the standard-setting bodies, and the operational aspects of implementing it.
The first part in this series deals with the recently published draft guidance from the National Institute of Standards and Technology (NIST). It explains some (not all, by any stretch) of its requirements, what organisations can expect if they choose to implement a similar program, and the main challenges they will face.
As in most aspects related to security, there is no clear answer to this. All security or compliance requirements constitute a process overhead, viz. they add to cost and complexity and, more often than not, “stretch” the critical path in executing projects. Organizations need to weigh the risks and rewards, the hard-dollar costs and the often intangible benefits, and take a conscious decision that they can live by. However, in my assessment, all organisations probably need some aspects of it (“SCRM lite”), and a few large organizations should implement a full-scale SCRM program.
Most of the requirements (i.e. well-defined and documented processes, agreed-upon roles and responsibilities, a robust QA program and the requisite budgetary support) are not rocket science, and are well known to organisations and practitioners who have implemented any standards-based competency. However, the NIST guidance introduces two requirements that are unique to SCRM and merit some discussion here.
Organizations need to adopt a risk-based implementation, starting with an honest risk assessment followed by planning, requirement specification, supplier/market analysis, procurement and contract execution. The difference under the SCRM approach lies not in the procurement process itself (which does not change much), but in the nuanced interjection of information security and risk management activities into the overall process. These include elements like
The success of the implementation lies in designing these interjections intelligently and with a high degree of business acumen, resulting in actions that leverage existing technology, infrastructure and systems of record, and do not add any noticeable delay to the larger business process.
NIST recommends the following SCRM best practices. Each of these practices offers substantial risk reduction benefits, generates significant challenges (especially in large, heterogeneous organizations) and needs an implementation approach that is uniquely tailored to the organization's product suite and business model. The elements are:
I hope to discuss two key requirements (viz. provenance assurance and continuous monitoring) in subsequent blogs on this topic based on your feedback and interest.
Complex, pervasive supply chains have introduced unforeseen risks for large organisations, which now need to adopt a new approach to identify, enumerate and manage them. The guidance from NIST is a good starting point for a discipline which is evolving along with its practitioners. New risks will continue to emerge, as will control approaches to mitigate them. However, organisations need to take a stand now and set out a program that works for them today, instead of waiting for a comprehensive solution which may come too late for them, and at a cost that may far outweigh the investment needed for an immediate implementation.