
Developing your C-SCRM policy and plan

This post is the fourth part of a series looking at cyber security supply chain risk management (C-SCRM).

In the previous post in this series, we looked at some of the important issues to consider when outsourcing, and listed some of the elements of a C-SCRM programme that could be outsourced. Today we are going to discuss the first of these: the development of your C-SCRM policy and setting up a C-SCRM programme.


Why do you need a C-SCRM policy?

The purpose of a C-SCRM policy is to set the scope, objectives and governance structure for C-SCRM within the business, and to communicate the intent of senior management. It should give a clear indication to all staff of the importance of cyber security supply chain risk management to the business, consistent with the wider risk management framework for your business. Like your other policies, it will need to be regularly reviewed and kept up to date to ensure it remains relevant as your business changes.


Setting up a C-SCRM programme

For C-SCRM, depending on the size of your business, there might initially be only two projects in your programme: assessing the cyber security of your current supply chain and reviewing your current procurement processes. You might later add in a review of your supplier life-cycle management processes.

You might decide to implement additional projects from the outset, such as establishing a C-SCRM structure across the enterprise, with dedicated staff and a programme management office, and setting up a training programme.

If you develop software in-house, you might also consider reviewing the security of your software development lifecycle, including the security of software acquired for use from open-source libraries.

The extent of your programme will depend on your business scale and needs, but whatever its size, an early part of programme setup should be the establishment of a steering group.

For larger organisations, the C-SCRM steering group would ideally include representatives from departments with direct involvement (such as legal and IT), but for small businesses the steering group can be much smaller, even a single person, provided that person has the appropriate authority. Their brief is to set the tone for how C-SCRM risk is managed in the business, and to agree, and later support and monitor, the high-level implementation plan. This plan will cover budget, timescales, roles and responsibilities across the projects. Some of these roles and responsibilities could be met by outsourcing where internal resources are insufficient.


What does a C-SCRM programme include?

A programme is a group of projects, each of which supports an overall goal for the programme. Early tasks in the programme should include:

  • mapping the current supply chain: establishing an inventory of current suppliers, contracts (and end dates) and the products and services provided
  • reviewing the list of supplied products and services to assess their criticality to the business, and identifying relevant controls or requirements by service or product type

The size of the task for each supplier will depend on the criticality of the supplier to the business. The results of these will feed into the next step: assessment of cyber security at current suppliers.

Later tasks or projects might include:

  • Developing policies and procedures to enable integration of C-SCRM into the business
  • Maintaining the specific elements of the enterprise risk register that relate to cyber security supply chain risk
  • Developing and monitoring metrics to measure the success of the programme
  • Developing implementation plans for new controls needed to mitigate any security risks identified by risk assessments
  • Developing and maintaining a C-SCRM Plan for monitoring implemented controls
  • Developing an incident response management plan
  • Embedding C-SCRM into the business through training and redefinition of performance measures.


However ambitious your C-SCRM intentions, coordinating the C-SCRM tasks with each other and with related tasks across your organisation – such as enterprise-wide risk management and business continuity planning – will achieve better results than conducting each project separately.

In the next post, we will look at assessing the cyber security of your current supply chain, which is a key step in the C-SCRM programme. This could be done in parallel with assessing your current C-SCRM processes or in series, depending on the level of resources available to your programme.

In later posts we will discuss:

  • Reviewing current processes: where can we do better?
  • Implementing and embedding the C-SCRM programme

If you need help to manage or complete your programme, do contact us here at CSP on 0113 5323763.


About CSP

CSP are a specialist security consultancy helping our clients navigate this increasingly interconnected world. Our team can:

  • advise on security requirements appropriate to your situation
  • assess your suppliers against your security requirements at every stage:
    • checking their responses to security questionnaires
    • reviewing the security clauses in contracts
    • auditing your selected suppliers for compliance with your security requirements.
  • work with you to enhance your policies and processes to improve security throughout your procurement process.

Please contact us here or call us on 0113 5323763 to talk about how we can help.
