Supply Chain
Most organisations rely upon suppliers to deliver products, systems, and services. You probably have a number of suppliers yourself, it's how we do business.
But, supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption.
Despite these risks, many companies lose sight of their supply chains. In fact, according to the 2016 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers.
A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear. Until you have a clear picture of you supply chain, it will be very hard to establish any meaningful control over it. You will need to invest an appropriate amount of effort and resource to achieve this.
Understand what needs to be protected and why.
You should know…
The sensitivity of the contracts you let or will be letting.
The value of your information or assets which suppliers hold, will hold, have access to, or handle, as part of the contract.
Think about the level of protection you need suppliers to give to your assets and information, as well as the products or services they will deliver to you as part of the contract.
Understand the security risk posed by your supply chain.
Assess the risks these arrangements pose to your information or assets, to the products or services to be delivered, and to the wider supply chain.
Sources of risk
Risks to and from the supply chain can take many forms. For example, a supplier may fail to adequately secure their systems, may have a malicious insider, or a supplier's members of staff may fail to properly handle or manage your information.
It could be that you have poorly communicated your security needs so the supplier does the wrong things, or the supplier may deliberately seek to undermine your systems through malicious action (this may be under state influence for national security applications).
Use the best information you can to understand these security risks. For example:
Getting mitigation right
Understanding the risk associated with your supply chain is key to ensuring security measures and mitigations are proportionate, effective and responsive. Further information can be found at Risk Guidance - First Drop and CPNI Operational Requirements.
Use this understanding to decide the appropriate levels of protection you will expect suppliers across your supply chain to provide for any contract information, and contracted products or services.
Plan of action
It may be useful to group different lines of work, contracts or suppliers into different risk profiles, based on considerations such as: the impact on your operations of any loss, damage or disruption, the capability of likely threats, the nature of the service they are providing, the type and sensitivity of information they are processing etc. Each profile will require slightly different treatment and handling to reflect your view of the associated risks. This may make things easier to manage and control.
You should document these decisions and share them with suppliers. For example, you may decide that contracts which provide basic commodities such as stationery, or cleaning services require very different approaches to management to those that provide critical services or products.
Contains public sector information licensed under the Open Government Licence v3.0.