A disruption in your supply chain or a security breach at a service provider can have a material impact on your operation and damage your organization's image and reputation. Ensure preventive, detective, and corrective controls are in place to manage your supply chain risks.
The first step is to perform a supply chain risk assessment. Identify your assets and the threats and vulnerabilities related to them. Once your assets, threats, and vulnerabilities have been identified, determine the impact of each vulnerability or event on your organization. Once you know your risk areas, identify controls that reduce, eliminate, or transfer the risks.
The supply chain risk assessment should have defined goals and objectives. Aligning these goals and objectives with your organization's business drivers allows your organization to prioritize and focus on critical systems and assets, including your supply chain and third-party service providers.
When evaluating supply chain risks, consider the criticality and importance of the outside entity and determine which supply chain IT infrastructure components and assets are most important to your organization. In some cases, you may want to limit the scope to mission-critical components and assets only.
Examples of supply chain risks include:
- Inadequate needs assessment and planning
- Insufficient capacity planning
- Contingency risks caused by not having backup or alternative solutions
- Ineffective security controls
At a minimum, the risk assessment should:
- Be performed on an annual basis or more frequently if major changes occur to the environment or services performed
- Identify compliance objectives and control requirements
- Identify risks related to business continuity, capacities, and dependent services
Summary
When evaluating supply chain services, consider not only functionality but also the security and availability of systems and services. IT risk assessments and network security audits evaluate information security, service level performance, support (technical and user), redundancy and availability, as well as failover and contingency plans.
Tags: supply chain risk management | third party service providers