According to the Information Security Forum (ISF), a global, independent information security body focused on cyber security and information risk management, organizations go to great lengths to secure intellectual property and other sensitive information internally. Yet, when that information is shared across the supply chain, security is only as strong as the weakest link.
The ISF’s latest report, Securing the Supply Chain, makes the point that information compromised in the supply chain is just as damaging as information compromised from within the organization, as numerous recent incidents have shown.
“Supply chains are inherently insecure and organizations create unintended information risk when sharing information with their suppliers,” said Michael de Crespigny, CEO of ISF. “There is a 'black hole' of undefined supply chain information risk in many organizations – they understand and manage this risk internally but have difficulty identifying and managing this risk across their hundreds or thousands of suppliers. Our Securing the Supply Chain report provides executives with a way for the organization to identify and manage risk in the supply chain and addresses how information risk management can be integrated into procurement and vendor management processes and activities. Our latest research will help them to better identify and understand the risks, and then respond in a proportionate, scalable and efficient manner”.
Sharing information with suppliers is an essential part of an organization’s daily business operation; however, doing so increases information risk: the risk that the confidentiality, integrity or availability of that shared information could be compromised. Supply chains are difficult to secure. They create risk that is hard to identify, complicated to quantify and costly to address, and addressing it can be disruptive to supplier relations. Consider the consequences of a supplier providing accidental, but harmful, access to your intellectual property, customer or employee information, commercial plans or negotiations.
Do you know whether your most valuable and sensitive information is being protected by your suppliers as you would protect it? You cannot outsource this risk: it is yours to manage, and regulators and stakeholders will look poorly on such incidents. By considering the nature of their supply chains, determining what information is shared, and assessing the probability and impact of potential compromises, organizations can balance information risk management efforts across their supplier base.
“When suppliers share your information with their suppliers, the risk is extended further up the supply chain and visibility and control diminish. This aspect of supply chain information risk often goes unseen and unmanaged,” continued de Crespigny. “The key to managing information risk in the supply chain is an information-led, risk-based approach to identify what information is being shared and assess the probability and impact of a compromise”.
To help organizations manage their supply chain information risk, the ISF has created the Supply Chain Information Risk Assurance Process (SCIRAP), an approach for larger organizations to manage this risk across their thousands or tens of thousands of suppliers. SCIRAP identifies the information shared in the supply chain and concentrates attention on the contracts that create the highest risk.
This provides a scalable way to manage contracts so that effort is proportionate to the risk. SCIRAP integrates with existing procurement and vendor management processes, providing a mechanism to make supply chain information risk management part of normal business operation. As a result, organizations will be better able to understand their supply chain information risk, identify the assurance or actions required, and work with procurement or vendor management to manage that risk.
The Securing the Supply Chain report is available free of charge to ISF Members and available via ISF Live, a facilitated forum for ISF Members to discuss related issues and share solutions, along with additional resources including a webcast and presentations.