Ensuring that your supply chain is secure is often handled through policies. In this video, learn the pros and cons of instructing suppliers what policies to implement and how to ensure compliance.
- [Instructor] So let's have a look at the pros and cons of businesses identifying cyber risk and instructing their suppliers what mitigation to implement. A cyber security policy is a document that outlines how an organization plans to protect their assets from cyber threats. So a business has identified a risk, and they might choose to be prescriptive about what cybersecurity needs to be implemented by their suppliers. The UK Government supply chain is a great example of this. They have a standard that's mandatory for many organizations bidding for funding. If a supplier has a prescriptive approach to compliance, but doesn't think that any of the standards provide the assurance that they're looking for, then the other option is to attach a prescriptive set of requirements to the contract. The alternative solution is for customers to communicate their cyber security goals. They communicate a policy that talks about mitigating risks to a certain level, leaving the suppliers to choose how to comply with these requirements. Both options come with their own advantages and disadvantages, and sometimes one will work better than the other. This often depends on the relationship between businesses and their business culture. And of course, any time that a business creates rules, they have to enforce them for them to be effective. So the process has an auditing requirement. What are the advantages of prescriptive requirements? Requiring a recognized standard reduces the risk of conflicting requirements from other customers. The suppliers are more likely to consider changing their processes, not to mention that there's an independent audit process built in. I think specific requirements allow the business to clearly communicate the tailored requirement, and might help with demonstrating regulatory compliance. Both approaches simplify relationship management.
The downside of contracting prescriptive cyber security requirements is that it introduces an audit requirement unless all the business's needs are covered by a third-party standard. Anything too specific becomes unachievable. If you use too much detail, then suppliers would have to rebuild their systems to look like yours. And the suppliers know their business better than you. Spending money on box ticking might stop them thinking about the problem for themselves and investing in controls that are actually more effective. A prescriptive supply chain policy is likely to contain the following types of terms: clarification of definitions, human and technical requirements, evidential and auditing requirements, breach detection, response and notification requirements, the process for reviewing and updating the policy, and finally requirements for handing over security responsibilities at the end of the contract. If you've never seen a policy before, then there's a sample supply chain cyber security policy supplied with this course. Now let's look at the other option. The business could communicate their cyber security goals and allow the supplier to work out how to integrate them into their own business processes. This will result in something more aligned with the suppliers' pre-existing processes, and it maintains the risk-based approach to cyber security. This integral is a good practice. It might help suppliers work more in collaboration with the customer to achieve security, and it could make them more receptive to the customers' needs. This comes with a slightly different set of downsides to the prescriptive requirement approach. Goals are more challenging to communicate, and might result in too many risks being accepted without mitigation. The suppliers' interpretation might not be compatible with regulatory compliance.
And the auditors will need greater security knowledge, because there'll be more than one way to solve each problem, as well as many ineffectual approaches. So goal-based cyber security policies differ in that, instead of requirements, they describe a set of risks and the goals that the business has for mitigating those risks. The other elements that might be in the policy are the same as those found in the prescriptive policy. Because there's not a specific set of requirements, the business is likely to accompany this policy with a compliance document. This asks the supplier what their plan is for reducing the risks that the business is worried about. From the perspective of a supplier, it can be challenging to respond to compliance questions. They need to think about what their current cyber security policy and architecture look like, which compliance questions they need to develop a plan for, and which questions need to be answered by suggesting an alternative approach more compatible with the supplier's current system. Many of the compliance questions asked will be answered by the suppliers' own cyber security policies. These communicate to end users the business's strategy for protecting assets, the system users' role in protecting those assets, the process that will notify the business if there's a problem, and the consequences of system misuse or failing to report problems. There's also a sample end-user policy with the documents in this course, so you can compare its contents with the supply chain policy. But are policies what we need? They're a great communication tool, helping businesses clarify what they're aiming to do. They document some of the decisions for compliance, and the approach depends on things like money and risk and the relationship between businesses. But there are hidden costs from audits and the like. And they have to be implemented and kept up to date to be effective; they're living documents.
- Recognize how business and technology together create a supply chain cybersecurity problem.
- Identify how cybersecurity defines and maintains boundaries.
- Analyze how common cybersecurity practices compare to supply chain security issues.
- Give examples of how cybersecurity is implemented throughout an organization.
- Differentiate between prescriptive-based requirements and goal-based cybersecurity, with an identified supply chain risk.
- Provide evidence for why communicating about cybersecurity between businesses can be daunting.