Supply chain security: answering the key questions

The events of 2020 have emphasised two key facts:

• Supply chains are vital to business.
• Supply chains are a major source of information risk.

Businesses need supply chains to operate efficiently, and when they are stretched – as has happened during the global COVID-19 pandemic – information security can be deprioritised. Risk appetite changes in favour of keeping production lines running at all costs, and less attention is paid to maintaining good security practices. For those tasked with managing their organisation’s supply chain information risk, the result is that challenges are amplified.

This is where the ISF can help. Over the years, we’ve put together a range of reports, tools and services that help to answer the three big questions every organisation has in relation to supply chain security. With the risk landscape constantly evolving, this guidance is needed now more than ever.

Where is the information risk in our supply chain?

The first and most important challenge to address is working out which suppliers present the greatest information risk. This involves a process of assessment, categorisation and prioritisation according to the criticality of the supplier and the type of information to which they have access. The answers are not always simple: the most critical suppliers may not pose the greatest risk, while small and seemingly insignificant suppliers may pose disproportionate risk due to the type of information shared with them and/or their security arrangements.

Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own was published in 2013 and has been re-published in 2020. It sets out a comprehensive process to help organisations identify and manage supply chain information risk: the supply chain information risk assurance process (SCIRAP). The report is supplemented by:

• an Implementation Guide that presents detailed actions for each step of SCIRAP
• the Supplier Security Evaluation (SSE) Tool, which provides an easy-to-use, spreadsheet-based method to assess the information security status of an individual supplier or a group of suppliers.

How do we build the correct security requirements into supplier contracts?

A common issue faced by those responsible for supplier security is that they are often the last to be consulted when contracts are negotiated. Just before contracts are signed, they are asked whether the security requirements are sufficient – and often they have to say no. Security is therefore seen as a blocker, rather than enabler to the business.

The key to overcoming this issue is to engage earlier in the process – ideally when defining requirements for suppliers, before going to supplier tender and evaluation. Supply Chain Assurance Framework: Contracting in confidence was first published in 2014 and has been re-published in 2020. Building on SCIRAP, it provides a structured approach to building security requirements into contracts, for both acquirers and suppliers. It offers guidance and recommended actions on steps to take throughout the supplier management lifecycle, helping to ensure that Information Security teams are not the last to see a contract.

The report is supported by the Supply Chain Assurance (SCA) Tool, which provides three types of question sheet, used for: information security triage; information security supplement for request for information (RFI); information security supplement for request for tender (RFT).

How do we maintain an up-to-date picture of risk in our supply chain?

Even once the main sources of information risk have been identified and suitable security requirements added to contracts, a key challenge remains in terms of maintaining an up-to-date picture of risk. Risk assessments deteriorate over time: an audit or self-assessment satisfactorily completed at the beginning of the contract may be irrelevant less than six months later, given how quickly the information risk landscape changes.

Continuous Supply Chain Assurance: Monitoring supplier security aims to address this challenge, examining the available tools and techniques that can be used to continuously monitor supplier security. These include the use of open source intelligence and security ratings and guidance on more efficient use of security audits and supplier security self-assessments. The report also explores how automation can speed up the process of reporting on supplier security, helping Members present risk owners and decision makers with up-to-date information and evidence on the security posture of suppliers.

Supply chain security: an ongoing challenge

Supply chains are huge and complex, and there are no easy answers when it comes to managing information risk. Information security teams need to keep on assessing, categorising and prioritising their critical suppliers whilst monitoring their performance throughout the duration of the relationship. ISF research and tools can help Members put relevant processes in place, and ISF Live offers a place to share experiences, hints and tips. Please do make use of the Supply Chain community to keep asking questions and interact with other Members, as well as us in the Global Team.