Over the next few weeks, 我们计划发布一系列博客文章,探讨网络安全供应链风险管理(C-SCRM),并探讨在决定是否将C-SCRM项目外包时应该考虑什么. 我们将涵盖一切,从最初的解释为什么你应该这样做, planning a structured approach, 开发和实施最适合你公司的方法, and how to continually assess and monitor.
这些博客文章将为您提供所需的经验和知识,以确保您的生态系统并帮助您赢得更多业务. Check them out as they are released weekly.
In this initial post, we’ll look at C-SCRM is, why it matters, and why you might think about outsourcing it. If you are thinking of outsourcing some, or all, 将您的C-SCRM项目提交给独立或外部顾问, there are some things to consider, both beforehand and during the process, to avoid issues arising later.
There is, of course, always the option to manage it yourself, 如果您愿意,本系列旨在为您提供内部管理C-SCRM的工具.
What is C-SCRM?
Supply chain risks in general are very well understood. For example, your supplier might suffer a disaster, and be unable to supply what you need for your business, so you must find a new supplier. 或者你需要的某种特定产品可能在全球范围内短缺, and nobody else can supply it—or only at great expense.
C-SCRM更具体:它旨在理解和减轻与企业供应链相关的网络安全风险, whether this is from the suppliers, their products, or their services, or even their suppliers. C-SCRM涉及识别和评估与每个供应商相关的网络安全风险, determining appropriate mitigating actions for any risks, and then implementing those actions.
Examples of cyber security risks include:
- If your business buys software from a company, 该软件包含一个可能被攻击者利用的安全漏洞, your business is at risk of a cyber attack.
- If your business stores data with a third party, and they are attacked, your data may be at risk of being breached.
- 如果为供应商(可能是系统集成商)工作的人可以访问您的敏感知识产权并窃取它, you could lose your competitive advantage
- If a supplier has access to your IT, 他们(或已获得访问其系统的攻击者)可能会破坏您的系统, data, and reputation.
- If your business depends on a particular widget, but that widget can’t be delivered by your supplier of widgets, 因为他们的配件供应商遭受了勒索软件的攻击, 你可能会因为供应链下游的网络问题而产生生产问题.
Figure 1: Cyber security supply chain risks
网络安全供应链风险管理越来越被视为风险管理的重要组成部分, and so has been added to the draft of NIST Cyber Security Framework v2, within the newly added Govern function. 此外,国家网络安全中心最近创建了一个新的 resources to support your supply chain security.
Why does it matter?
Why does cyber security supply chain risk management matter?
网络罪犯通常是精明的商人,他们很可能会瞄准链条中最薄弱的环节来实现他们的目标——这可能是渗透到你的业务中, or a smaller one that supplies you.
你可能会在网络安全技术控制上投入大量成本和资金, but cyber criminals will target a smaller, less secure organisation. 既然攻击你的供应商的成本要低得多,为什么还要花数百万美元来攻击你呢? 实际上,对于有商业头脑的网络罪犯来说,这是一个更好的投资回报.
通过了解你的供应商(以及他们的供应商)所采取的网络安全预防措施, 您可以了解网络攻击者可能会将注意力集中在哪里,并实施安全控制,以最大限度地降低对您的业务以及潜在客户的风险.
Benefits of C-SCRM
Once you have established a C-SCRM programme, your business will:
- 了解您的哪些关键资产最容易受到供应链弱点和漏洞的影响
- reduce the likelihood of supply chain compromise
- 你是否更确信你购买的产品在你的业务中是安全的
- have greater assurance that suppliers, whether of services or technology, can be relied on to deliver what you need, securely, as required.
本系列旨在帮助您建立或加强您的C-SCRM计划.
Why outsource?
聘请外部顾问为您执行部分或全部C-SCRM活动有几个好处. The most relevant benefits in this case include:
- 当其他人处理C-SCRM时,你可以专注于你的核心业务活动
- 你将有机会获得C-SCRM技能和资源,而这些技能和资源在你的组织中可能无法获得
- 因此,这些任务的交付速度和质量可能会提高.
You will need to bear in mind, of course, 你的顾问不是你的业务和运作方式方面的专家——你是这方面的专家——所以你和/或你的团队需要一些时间来涵盖业务特定领域. 你还需要对他们诚实地谈论你的业务(问题和成功)。, 这样他们就可以根据你的具体情况提供最好的建议.
In this series
- On communications, contracts, and meeting expectations
- Planning for success when outsourcing C-SCRM
- Developing a C-SCRM policy and programme
- Assessing current suppliers: where are the security gaps?
- Reviewing current processes: what could we do better?
- Implementing and embedding a C-SCRM programme
About CSP
CSP是一家专业的安全咨询公司,帮助我们的客户驾驭这个日益互联的世界. Our team can:
- advise on security requirements, based on your situation
- 在每个阶段根据您的安全要求评估您的供应商:
- reviewing their responses to security questions
- reviewing security clauses in contracts
- 审核选定的供应商是否符合你们的安全要求.
- 与您合作,加强您的政策和流程,以提高整个采购过程的安全性.
Please contact us here or call us on 0113 5323763 to talk about how we can help.
