
This is an introduction to the course, what we will be looking at and why this is important to anyone interested in information security and supply chain security.
This section explains risk management and the significant components of a simple risk management approach and program. We also go into a simple review of ISO 27036:2021 and 28000:2022 and the differences between these two standards as they relate to Supply Chain Risk Management.
This explains the components of SCRM according to the latest information in 09/2023.
Risk Identification:
Recognizing potential risks and vulnerabilities within the supply chain.
Risk Assessment:
Evaluating and analyzing the identified risks to understand their potential impact.
Risk Mitigation:
Developing and implementing strategies to reduce or eliminate the impacts of identified risks.
Risk Monitoring:
Continually observing and assessing supply chain activities to detect emerging risks and evaluate the effectiveness of mitigation strategies.
Risk Reporting and Communication:
Systematically conveying risk assessments, mitigation strategies, and monitoring results to relevant stakeholders to ensure informed decision-making.
This lecture discusses the terms and some definitions commonly used in supply chain information security and the ISO/IEC 27036.
This section discusses the need for external companies that may be needed based on process, product, service or a mixture of services in order to fulfill production and manufacturing needs.
This section explains different types of suppliers and supplier types. Each supplier type has a specific relationship and requirements as well as risk aspects.
Introducing suppliers into any supply chain that are not from the company (external) are additional risks to governance and information security. This section explains the underlying issues with external companies and securing data and information while producing products and services.
This lecture discusses the types of Supply Chain Risks, the top 7 risks in 2023, and the top five attack vectors in the supply chain in 2023.
Operational Risks:
These encompass issues like equipment failures, human errors, and process disruptions, which can adversely impact the daily operations of a supply chain, causing delays and losses.
Strategic Risks:
Pertaining to decision-making processes, these involve risks related to poor planning, resource allocation, and partnerships, potentially compromising an organization's competitive advantage and long-term viability.
Supply Risks:
Originating from disruptions in the availability of raw materials or products, these can result from factors like supplier insolvency, geopolitical instability, or natural disasters affecting production and fulfillment.
Demand Risks:
These relate to unpredictable or misunderstood customer or market demands, which can lead to excess inventory, obsolescence, or lost sales, impacting financial performance.
Cybersecurity Risks:
Entailing potential breaches, data theft, or cyber-attacks, these risks can compromise information integrity, availability, and confidentiality, causing reputational damage and financial losses.
As multiple suppliers are added into the mix of risks, outsourcing it, data and information security into a multi-tiered supplier network makes governance and security more complex. This section discussed the unique challenges involving multi-tiered suppliers and their IT security risks.
Guidance on implementing controls and mechanisms to manage information security within the supply chain.
This is the structure of the ISO/IEC standard for Information security in supplier relationships.
Supply chains can also be involved in critical infrastructure and require that certain processes and mechanisims be in place to prove compliance at the national level. This requires knowledge from both the acquirer as well as the suppler in which relevant laws and regulations apply to the outsourced services and products in the supply chain.
Supply chains can also be involved in (globally relevant) critical infrastructure and require that certain processes and mechanisims be in place to prove compliance at the international level. This requires knowledge from both the acquirer as well as the suppler in which relevant laws and regulations apply to the outsourced services and products in the supply chain. As the supply chain becomes more dispersed into multi-tiers, so does the complexity and range of monitoring that is needed to ensure proper security measures are in place.
In order to satisfy the reporting and mitigating of risks at certain levels an acquirer or regulatory entity may request that suppliers either submit to a 2nd party audit or submit proof of an internal audit. In reality many suppliers have pushed back but as regulatory issues and compliance grow this will change as customer expect this to be possible. (Copyright 2014-2015 M.Goedeker)
This section looks at ways in which a company can limit or reduce risks and monitor suppliers adherence to compliance and regulatory requirements by implementing mechanisms, procedures, processes and agreements.
This lecture provides a short overview of some areas or vectors / factors of supply chain attacks from nation-states, competitors or attackers (cyber espionage, warfare, or crime). (Copyright 2014-2015 M.Goedeker)
Here are additional documents and inputs that will help you understand aspects of this introduction to supply chain security and information security based on ISO27036 and best practices.
In today's Supply Chain, cyber threats, hackers, espionage, and warfare are increasing the amount of successful attacks on critical infrastructure and companies of all sizes. We have technologies that are somewhat successful at blocking and stopping "some" attacks. But what happens when we need supply chain security or risk management? The things we wear, eat, and need would no longer exist. Risk Management is not the sexier of areas in security, but since it is so invisible, it is just as important as secure coding or SOC.
Amidst these threat vectors, many people forget some of the most prominent targets, like the supply chain and the security of data, information, and IP, as it leaves the outsourcing company (acquirer) to the supplier. An example of this type of attack is what happened to one of the biggest SIM manufacturers in the world, Gemalto.
Supply chain risk management in its simplest form:
Concentrates on identifying supply chain information security risks and the likelihood of those risks being exploited by missing governance, processes, and misunderstandings between acquirer and supplier
What types of risks are likely to a company or possibly a nation if supply chain risks and suppliers are not managed correctly
Help you identify which risks you have based on the type of supplier and, more importantly, which assets you need to protect
Choose mechanisms, processes, and procedures that can mitigate and minimize some risks