Cyber Supply Chain Risk Management (C-SCRM)

All organisations should consider cyber supply chain risk management. If a supplier, manufacturer, distributor or retailer is involved in products or services used by an organisation, there will be a cyber supply chain risk originating from that business.

“Almost 60% of all data breaches experienced by organisations are caused by a third-party.”

Effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services throughout their lifetime. This includes their design, manufacture, delivery, maintenance, decommissioning and disposal.

Cyber supply chain risk management can be achieved by identifying the cyber supply chain, understanding cyber supply chain risk, setting cyber security expectations, auditing for compliance, and monitoring and improving cyber supply chain security practices.

Once cyber security expectations have been established with suppliers, manufacturers, distributors, and retailers, it is important that organisations have confidence that those expectations are being met.

For instance, do your third-party vendors comply with any of the following?

  • Payment Card Industry Data Security Standard (PCI DSS)
  • National Institute of Standards and Technology (NIST)
  • General Data Protection Regulation (GDPR)
  • Essential Eight / Maturity Level Three
  • ISO/IEC 27001; or
  • Self-Certified

Conducting detailed assessments through questionnaires, background checks and on-site audits provides visibility into vendor security policies, controls and compliance. Reviewing contracts ensures security requirements are codified, and ongoing monitoring helps detect any issues that arise after onboarding.

While third-party vendor risk management can be relatively straightforward to assess with a strong third-party risk management process in place, the same cannot be said for fourth parties. As fourth parties are indirectly linked to your organisation, a different approach is required.

To effectively manage fourth-party risk, you will also need to ensure that your third parties are effectively monitoring your fourth parties. This will involve them using surveys, performing due diligence, identifying risks, and implementing mitigating controls too!