Until you have a clear picture of you supply chain, it will be very hard to establish any meaningful control over it. You will need to invest an appropriate amount of effort and resource to achieve this.
1. Understand what needs to be protected and why
You should know:
The sensitivity of the contracts you let or will be letting.
The value of your information or assets which suppliers hold, will hold, have access to, or handle, as part of the contract.
Think about the level of protection you need suppliers to give to your assets and information, as well as the products or services they will deliver to you as part of the contract.
2. Know who your suppliers are and build an understanding of what their security looks like
You should know:
You may have to rely on your immediate suppliers to provide information about sub-contractors, and it may take some time to ascertain the full extent of your supply chain.
- The maturity and effectiveness of your suppliers' current security arrangements. For example you could use CPNI Personnel Security Maturity Model to assess the maturity of your suppliers' people security arrangements.
- What security protections you have asked your immediate suppliers to provide, and what they, in turn, have asked any sub-contractors to do:
- Determine whether or not your suppliers and their sub-contractors have provided the security requirements asked of them.
- Understand what access (physical and logical) your suppliers have to your systems, premises and information and how you will control it.
- Understand how your immediate suppliers, control access to, and use of, your information and/or assets - including systems and premises, by any sub-contractors they employ.
You should focus your efforts in this area on those parts of your suppliers' business or systems that are used to handle your contract information, or to deliver the contracted product or service.
3. Understand the security risk posed by your supply chain
Assess the risks these arrangements pose to your information or assets, to the products or services to be delivered, and to the wider supply chain.
Sources of risk
Risks to and from the supply chain can take many forms. For example, a supplier may fail to adequately secure their systems, may have a malicious insider, or a supplier's members of staff may fail to properly handle or manage your information.
It could be that you have poorly communicated your security needs so the supplier does the wrong things, or the supplier may deliberately seek to undermine your systems through malicious action (this may be under state influence for national security applications).
Use the best information you can to understand these security risks. For example:
Descriptions of four known cyber attacks on supply chains (third party software providers, website builders, third party data stores and watering hole attacks) are also provided here. You should also watch out for routine threat advisories published by NCSC and CPNI.
Getting mitigation right
Understanding the risk associated with your supply chain is key to ensuring security measures and mitigations are proportionate, effective and responsive. Further information can be found at Risk Guidance - First Drop and CPNI Operational Requirements.
Use this understanding to decide the appropriate levels of protection you will expect suppliers across your supply chain to provide for any contract information, and contracted products or services.
Plan of action
It may be useful to group different lines of work, contracts or suppliers into different risk profiles, based on considerations such as: the impact on your operations of any loss, damage or disruption, the capability of likely threats, the nature of the service they are providing, the type and sensitivity of information they are processing etc. Each profile will require slightly different treatment and handling to reflect your view of the associated risks. This may make things easier to manage and control.
You should document these decisions and share them with suppliers. For example, you may decide that contracts which provide basic commodities such as stationery, or cleaning services require very different approaches to management to those that provide critical services or products.
< Introduction to the Principles Section II >