Securing supply chain data

From: Financial Times

By Paul Taylor

Supply chains have emerged as a critical and integral part of how organisations operate and compete in the marketplace today, says Michael de Crespigny, chief executive of the UK-based Information Security Forum (ISF).

But that also makes them a target for hackers and other cyberthieves, a reality that has prompted Mr de Crespigny to launch a new initiative.

Mr de Crespigny is leading a project to examine how to collaborate and share intelligence that would enable organisations to be sure information in their supply chains is secure. The idea is to align the myriad of approaches into a security framework that would provide organisations with a degree of assurance about how their information is being protected.

The ISF chief executive notes that in spite of the development of supply chain and supply chain risk management, which typically focus on the physical security and risks of supply chains, the security of information – which may be as valuable as the physical product and may be required for the supply chain to function – is typically addressed in a less rigorous manner. “Supply chains are now not just concerned with physical product,” he says.

As the chief information officer from an ISF member in the food manufacturing and consumer goods sector states: “We now have to deal with the digital supply chain – the supply, operation and maintenance of our internet and cyber presence and our electronic commerce channel.”

The increasing importance of information and information technology in the supply chain and the need to share information was mentioned in a recent World Economic Forum report (New Models for Addressing Supply Chain and Transport Risk, 2011). That report identified the availability of shared data and information as the second biggest network vulnerability – just behind the reliance of supply chains on oil.

“The risk of shared data being compromised is one of the key risks in the supply chain,” says Mr de Crespigny. “The sharing of information across multiple tiers in a supply chain magnifies that risk and many organisations find it difficult to understand or track where their information goes.”

“The most important piece of analysis required is what information is shared,” adds another ISF member and information security officer working in a financial organisation. “After that, you have to deal with the fact that you have a degree of control over your information in tier one: but in tier two and beyond, you have very little or no visibility or control.”

But that loss of visibility and control over information does not mean that responsibility for protecting that information goes away under some statutes. Although organisations can do vendor comparisons, rely on service level agreements or contracts, or perform audits to provide a level of assurance at the top level of their supply chain, those approaches typically do not work below that tier.

“Trying to understand what information goes where and how well it is protected is a significant issue, because information flows wherever and whenever it’s needed. Your supply chain and its information content are dynamic,” says a procurement officer from a global manufacturer and forum member.

Unfortunately this picture is further complicated by a profusion of standards and guidance on supply chain information security and audit, according to Mr de Crespigny. Various standard setting bodies, including the International Standards Organisation, supply chain management professional bodies, financial services and the audit bodies, have all published material in this field.

However, this material varies in scope, in purpose, the level of detail specified and in outcomes; little, if any, is cross-referenced or mapped. “This lack of cross-referencing and mapping means that requirements and results cannot be shared or interpreted, hindering efforts to both harmonise results and assist organisations to secure their supply chains and related information,” says Mr de Crespigny.

From an information security perspective, he notes that many standards and guidelines focus on the protection of information inside the organisation; how it is protected externally, as in a supply chain, has only recently been addressed and usually in an ad hoc manner. Additionally, much of the deployment and implementation of information security controls is risk-driven, meaning that different organisations deploy different controls because they perceive the risk differently.

Overlaying the confusion of supply chain information standards are the varying legal requirements in different geographies. Since supply chains often span two or more countries, supply chain managers have been accustomed to dealing with differing legal frameworks for the supply, delivery and shipping of goods and raw materials – and the inevitable conflicts that arise.

Today, those same managers are dealing with information-related laws, such as data privacy and breach notification. Many of these information-related laws require that organisations adopt specific approaches or even technologies to protect information.

As a result of these multiple, overlapping and conflicting standards, guidelines and laws, acquirers and suppliers find it difficult to communicate clearly about information and its protection. Typically, a supplier will be required to follow the acquirer’s information security policy, but for a supplier with multiple acquirers, that means adopting multiple policies, providing multiple reports and answering multiple review, assessment or audit questions on similar if not identical topics.

To address this issue and provide a common framework to communicate requirements and measure performance, the forum has launched the Supply Chain Information Security Assurance Framework. The initiative, which is a collaborative venture involving standard setting organisations, supply chain bodies, auditors, acquirers and suppliers, will focus on integrating existing standards and guidelines, including the ISF Standard of Good Practice and common baseline for external suppliers.

“The aim of the initiative is to provide a ‘Rosetta Stone’ for securing and assuring information in the supply chain,” says Mr de Crespigny. “The benefits of doing this will be wider adoption, better risk management and increased reliability and resilience for our businesses and supply chains.”
