Cyber threats, hackers, espionage and warfare are increasing the number of successful attacks on critical infrastructure and on companies of all sizes. We have technologies that are somewhat successful at blocking and stopping "some" attacks.
Amidst these threat vectors, many people forget some of the most obvious targets, such as the supply chain and the security of data, information and IP as it leaves the outsourcing company (the acquirer) for the supplier. An example of this type of attack is what happened to one of the world's biggest SIM manufacturers, Gemalto.
Supply chain risk management in its simplest form:
This is an introduction to the course, what we will be looking at and why this is important to anyone interested in information security and supply chain security.
This section explains what risk management is and what the major components of a simple risk management approach and program are. (copyright 2014-2015 M.Goedeker)
This lecture discusses the terms and some definitions commonly used in supply chain information security and the ISO/IEC 27036.
This section discusses the need for external companies, whether for a process, product, service or a mixture of services, in order to fulfil production and manufacturing needs.
This section explains the different supplier types. Each supplier type has a specific relationship and requirements as well as its own risk aspects.
Introducing external suppliers (those not part of the company) into any supply chain adds risk to governance and information security. This section explains the underlying issues with external companies and with securing data and information while producing products and services.
As multiple suppliers are added, outsourcing IT, data and information security into a multi-tiered supplier network makes governance and security more complex. This section discusses the unique challenges involving multi-tiered suppliers and their IT security risks.
Guidance on implementing controls and mechanisms to manage information security within the supply chain.
This is the structure of the ISO/IEC standard for Information security in supplier relationships.
Supply chains can also be involved in critical infrastructure and require that certain processes and mechanisms be in place to prove compliance at the national level. This requires knowledge from both the acquirer and the supplier of which relevant laws and regulations apply to the outsourced services and products in the supply chain.
Supply chains can also be involved in (globally relevant) critical infrastructure and require that certain processes and mechanisms be in place to prove compliance at the international level. This requires knowledge from both the acquirer and the supplier of which relevant laws and regulations apply to the outsourced services and products in the supply chain. As the supply chain becomes more dispersed into multiple tiers, so does the complexity and range of monitoring needed to ensure proper security measures are in place.
In order to satisfy the reporting and mitigation of risks at certain levels, an acquirer or regulatory entity may request that suppliers either submit to a second-party audit or submit proof of an internal audit. In reality many suppliers have pushed back, but as regulatory issues and compliance grow this will change, as customers expect this to be possible.
This section looks at ways in which a company can limit or reduce risks and monitor suppliers' adherence to compliance and regulatory requirements by implementing mechanisms, procedures, processes and agreements.
This lecture provides a short overview of some areas or vectors / factors of supply chain attacks from nation-states, competitors or attackers (cyber espionage, warfare, or crime).
This exam checks that course participants have understood the concepts and basics of supply chain information security risk management.
Here are additional documents and inputs that will help you understand aspects of this introduction to supply chain security and information security based on ISO/IEC 27036 and best practices.
Michael has worked on multiple projects globally from architecture to cyber security, working with some of the biggest fortune 50 companies and within the top 5 consulting industry. Some companies he has worked with and for include Accenture, Avanade, Dell, FSC, HP, IBM, Microsoft, Sophos and Symantec.
Michael's company (HakDefNet) currently does research and projects focused on Global Cyber Threats, International Business and Security Leadership, and is aimed at making security products, processes, solutions and defense against cyber threats as easy to understand and implement as possible. Michael is also the author of the chapter "Cyber Security: Future IT-Security Challenges for Tomorrow's Leaders and Businesses", and recently participated in an interview with IGI Global Promotions Coordinator Ann Lupold, elaborating on elevating issues in cyber security and cyber espionage, as well as the challenges that leaders and businesses face in confronting such issues. He has also written for various IT, Channel and Business publications and newspapers internationally.
Michael is also certified as an ISO/IEC27001:2013 Lead Auditor and is the first cyber security trainer to ever be keynote speaker at Davos.