ADRIAN DAVIS INFORMATION SECURITY FORUM

Similar documents
SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR

A GOOD PRACTICE GUIDE FOR EMPLOYERS

Are You Ready for PCI 3.1?

Securing external suppliers and supply chains: the ISF approach

Security Controls What Works. Southside Virginia Community College: Security Awareness

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

Cyber Security - What Would a Breach Really Mean for your Business?

The 2011 Standard of Good Practice for Information Security. June 2011

The EIU Methodology EIU (Economist Intelligence Unit)

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Trade risk management: a global approach

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Cybersecurity Framework Security Policy Mapping Table

Forensic Services. Third Party Risks. March 2013

Benchmark of controls over IT activities Report. ABC Ltd

Overview TECHIS Manage information security business resilience activities

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations

Third Party Risk Management 12 April 2012

The downturn and the cloud..challenge and solution?

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Position Paper (II) Healthcare Provider Advisory Council Implementation in hospitals hindered by bar code symbol issues

INFORMATION SYSTEMS. Revised: August 2013

MSACMT260A Use planning software systems in manufacturing

Address C-level Cybersecurity issues to enable and secure Digital transformation

Risk Mitigation in Sustainable Supply Chain Management

Ensuring Cloud Security Using Cloud Control Matrix

Open Certification Framework. Vision Statement

Earning Your Security Trustmark+

A complete Information Risk Management solution for ISF Members using IRAM and STREAM

What do you do well? What relevant resources do you have?

A Simple Guide to Material Master Data Governance. By Keith Boardman, Strategy Principal

PCI Compliance Overview

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

Information Security Policy

Procuring Penetration Testing Services

ISO 27002:2013 Version Change Summary

ICAICT704A Direct ICT in a supply chain

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

P&SM: Supply Chain Management

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Helping to protect your business and your customers in the event of a data breach

Information Security Management System for Microsoft s Cloud Infrastructure

Project Risk Analysis toolkit

Securing a Digital Economy

How to Develop Successful Enterprise Risk and Vendor Management Programs

Microsoft s Compliance Framework for Online Services

Auditing Outsourcing Arrangements

BUILD YOUR CYBERSECURITY SKILLS WITH NRB

IMPROVING DELIVERY PROCUREMENT AND SUPPLY CHAIN MANAGEMENT

FSSC Certification scheme for food safety systems in compliance with ISO 22000: 2005 and technical specifications for sector PRPs PART I

Cybersecurity Strategic Consulting

Info sheet : Considering labour standards in the procurement process

A tool for small-to-medium sized businesses. Anti-Money Laundering and Counter-Terrorism Financing Act 2006

Schweppes Australia Head Office Level 5, 111 Cecil Street South Melbourne Victoria

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

/ BROCHURE / CHECKLIST: PCI/ISO COMPLIANCE. By Melbourne IT Enterprise Services

The Influence of Software Vulnerabilities on Business Risks 1

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

Cloud Security. DLT Solutions LLC June #DLTCloud

How To Manage Risk On A Scada System

<Insert Picture Here> How to protect sensitive data, challenges & risks

Compliance, Audits and Fire Drills: In the Way of Real Security?

Implementing and monitoring effective compliance policies & procedures. charlesrussellspeechlys.com

How Safe are you in your Cloud?

PCI Compliance: How to ensure customer cardholder data is handled with care

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

Information security controls. Briefing for clients on Experian information security controls

Cyber security Building confidence in your digital future

How to ensure control and security when moving to SaaS/cloud applications

Information Security: Business Assurance Guidelines

Addressing the Global Supply Chain Threat Challenge Huawei, a Case Study

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

CIS 523/423 Disaster Recovery Business Continuity

AN EVALUATION OF THE UPSTREAM CRUDE OIL INDUSTRY SUPPLY CHAIN RISK

The Supply Chain Management Process

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

National Approach to Information Assurance

Developing National Frameworks & Engaging the Private Sector

IT Governance: The benefits of an Information Security Management System

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Information Systems for Business Integration: EDI, SCM, CRM Systems

Transcription:

Securing the Supply Chain: Guide to Risk Management ADRIAN DAVIS INFORMATION SECURITY FORUM Session ID: GRC-201B Session Classification: Intermediate

Introduction

Introduction Presentation based on research across the ISF s 310+ Members Scope: global, covering all sectors Builds on our previous work: Information security for external suppliers: A common baseline (2010) The Standard of Good Practice for Information Security (2011) The Standard of Good Practice for Information Security (2012) 3

A typical supply chain Suppliers Suppliers Suppliers Suppliers Suppliers Supplier Acquirer Customer Ultimate (End) Customer Tier 3 Tier 2 Tier 1 This diagram has been adopted by ISO for the upcoming ISO/IEC 27036 standards Upstream Your organisation Typically from raw material to finished product Services Downstream 4

Supply chain: the information risk view Suppliers Suppliers Suppliers Suppliers Suppliers Supplier Acquirer Customer Ultimate (End) Customer Shared information: Personally identifiable Intellectual property Commercial Logistical Management Legal, regulatory and privileged Your organisation 90% of suppliers are upstream of tier 1 5

Building in information risk 6

Supply chain information risk components Law / regulation Industry sector Vulnerabilities Type of information shared Volume of information shared Criticality Information Business impact Extent of downstream sharing Extent of upstream sharing Level of threat Supplier attributes Number of suppliers 7

Information risks by sector Risks Impacts Solution Finance CIA Fines Franchise risks Regulatory risks Fines Suppliers financial ratings Integrity of data Loss of data Integrity Security Regulatory requirements (across borders and industries) Customer information leakage Vary depending on issue and data. We look at type, volume, frequency, whether it gets moved. Insurance Reputational damage is the biggest impact. If we lose our data we won t be seen as the best in the industry! Production Impacts vary widely, we try to focus on enterprise impacts i.e. Regulatory (PCI, privacy...) E.g. With food traceability if you couldn t comply, the worst case scenario is losing your business. Logistics Brand reputation Fines from data protection commissioner Loss of customers Use these criteria to produce a risk level which spans from very high to very low. This determines how quickly we will go on site after agreeing the contract with a supplier. Identify data types and use a matrix tool to get a weighting Business units analyse the impact of loss of data and produce a score for it Assess suppliers against 3 threats, one being loss of data Standards vary from industry to industry and country to country. To help, we rely on localised business resources to give more clarity on standards and how to map them. A tool to map all regulations we need to comply with to our internal framework and other global standards would be useful. Only collect and use the minimal amount of customer information that is required for processing bookings. 8

SCIRAM Supply Chain Information Risk and Assurance Methodology 1. Plan for the assessment 1.1 Decide the scope 1.2 Create assessment criteria 1.3 Assess business impact 2.1 Group suppliers 2. Assess suppliers 2.2 Apply assessment criteria 2.3 Select suppliers for review 3. Decide to assess the next tier 3.1 Consider available information 3.2 Evaluate results of supplier review 3.3 Make decision (repeat 2 and 3) 9

Next steps 10

ISF Supply Chain Assurance Framework Defines fundamental controls Based on ISF Standard of Good Practice 2012 and Encompasses regulatory compliance requirements Allows comparison of suppliers against a known baseline Consistent approach, driven by risk Offers a single approach to assurance Provides common language for acquirers and suppliers Aimed at the business, not just information security 11

What you can do Follow the information Identify suppliers Assess the risk they present Based on risk: Select controls at the supplier Decide whether to review upstream suppliers 12

Thank you adrian.davis@securityforum.org http://uk.linkedin.com/in/adriandaviscitp 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information