multifull.blogg.se

Working time crisis 2 iso







Concurrently, a major vendor may not be critical at all to your operations. You will see in a moment a non-major vendor may be critical to your cybersecurity resilience. That’s not necessarily in the sense that they are major or non-major to you and your organization. How you label them is strictly up to you, but think in terms of major and non-major as reference points. Well, the first thing you should do is to start splitting off your vendors into two groups. Look at this from the perspective of the vendor: wouldn’t it be a risk to share all this information with all its customers? Indeed, it would. News flash: do not expect you will get all this information. In an ideal world, you would have the opportunity to validate your vendors’ security reports (such as penetration test results and SOC II reports, business continuity plans, disaster recovery strategies, crisis management protocol and independent certifications and confirmation of testing). Trust and Verify for Cybersecurity Resilience Instead of doing deep dives into these documents, let us focus on some key considerations to help minimize your organization’s risk. And for some extremely detailed guidance, including some control mapping back to NIST SP 800-53, those concerned with supply chains can reference NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations. All these information security and cybersecurity frameworks and standards can help improve your organizational resilience.


Also in 2021, ISO reviewed and made current ISO 28001: Security management systems for the supply chain - Best practices for implementing supply chain security, assessments and plans - Requirements and guidance.


For example, the May 12 executive order 14208, Improving the Nation’s Cybersecurity, tasked NIST with identifying existing or developing new standards, tools, best practices and other guidelines to enhance software supply chain security. There is a lot going on in the supply chain space these days in regards to working with partners. Namely, an organization is more likely to inherit the vulnerabilities of its external partners in the effort to transfer risk or offset inefficiencies. Therefore, organizations need to be cognizant of the risks they take on, as the calculus has recently changed a bit. Candidly, without external partners, it is quite possible most organizations would not be able to run, especially if they are heavily reliant on services and platforms (think ‘as-a-service’ models). That is not to say organizations should cease these partnerships. Working with external partners has become a riskier business. Therefore, it is worth asking: is the risk worth the reward? Inheriting the Vendor’s Cybersecurity Resilience Vulnerabilities Call it the business case. For many organizations, this arrangement has generally worked well for some time. In essence, the organization goes through a process to determine whether they will give up something of value today in return for some future benefit (e.g., contractually and confidentially sharing your intellectual property in exchange for some better performance). When an organization is looking to partner with an external group, it will perform: It’s no different than any sports team looking to make a trade.


In turn, there was an offering or efficiency incentive where, for an exchange, your organization could operate more productively.


You see, the purpose of using external partners is to take advantage of a capability that your organization did not have, or the vendor was just better at than you. Recent attacks have resulted in an industry wake-up call when it comes to cybersecurity resilience.


Working with external partners can be difficult. The next stop on our journey focuses on those that you rely on: supply chains and third parties.







