Know Your Risk, and Your Friends' Risk

Author: Paul Thompson, Optical Network Solutions
Published: 21 July 2022

In today's globally interconnected world, organizations find themselves at greater risk than ever of a supply chain compromise. The 2022 Verizon Data Breach Investigations Report (DBIR) identifies supply chain partners as the vector in nearly 60 percent of the system intrusion incidents it reviewed over the past year, a staggering increase from less than 1 percent the year before.

As companies strengthen their cyber defenses and mature their capabilities to protect assets, evildoers are finding ways to circumvent these protections in the simplest way: infiltrating by means of a trusted third-party partner or supplier. Often, in their urgency to achieve the best possible defenses, organizations fail to consider the security risks posed by their supply chain partners. Threat actors have found it much easier to attack smaller targets with weaker cybersecurity capabilities in order to eventually infiltrate their primary targets. When you think about it, this makes perfect sense. Why waste time and resources breaching the castle's main gate when you can simply be let in through the postern?

The threat of supply chain compromise has garnered the attention of top officials across the world. In the US, a Presidential Executive Order on Improving the Nation's Cybersecurity was issued in response to the need for guidance on combating supply chain compromise in both the public and private sectors. The order calls on federal agencies to improve their methods for identifying, preventing, responding to, and learning from supply chain attacks. Because many federal agencies sit at the end of the supply chain, this executive order affects any and all organizations that do business with the federal government, from independent "mom & pop" shops all the way up to large defense contractors. What the executive order asks is that organizations develop an effective means of ensuring the integrity of their supply chain through the use of a Cyber Supply Chain Risk Management (C-SCRM) process.

C-SCRM incorporates information security concepts into an organization's existing risk management process. This integration helps identify, assess and mitigate risks associated with the product and service supply chains for information technology (IT) and operational technology (OT). Identifying supply chain risk is a crucial first step toward a mature program. To understand supply chain risk, an organization must first have a clear understanding of its assets (e.g., products, services, personnel) throughout their entire life cycle, including assets the organization uses that are provided to or received from third parties. Additionally, assets should be categorized by their importance to the overall business mission and objectives so that priority is understood when risk is assessed.

A strong asset identification and management process provides an avenue for more easily assessing and managing organizational supply chain risks. A good cyber supply chain risk assessment takes into consideration the likelihood of occurrence and the impact of all potential risks to the organization and its partners, then prioritizes them by greatest overall risk. Once risks are identified and prioritized, the organization must specify how each will be managed and responded to (i.e., avoid, transfer, mitigate, accept). Whether the response is internal or an action to be performed by a supplier, risk responses must be documented and agreed to ahead of time wherever possible.

Identifying risks and documenting response actions are only part of the equation. Crucial to the overall C-SCRM process is communicating with and educating all parties involved about organizational risks and how to respond. Organizations must ensure that all personnel and third-party partners are trained on supply chain risks, encourage top-down awareness, and involve partners and suppliers in organization-wide tests and assessments of response plans. Organizations should establish open communication with their supplier partners about risk concerns and encourage partners to do the same in return. The general idea is individual strength through community strength. As an organization matures its C-SCRM (or overall cybersecurity) process, lessons learned and best practices should be shared along the way to help bolster others' programs.

C-SCRM is not a new concept. In fact, many sources have provided guidance on the topic over the years. The National Institute of Standards and Technology (NIST) has a Special Publication (SP) 800-161 and an Internal Report (IR) 8276 on the subject. The Cybersecurity and Infrastructure Security Agency (CISA) has a website dedicated to supply chain risk management, as well as assessment guidance on managing dependencies. These are just a few of the resources among countless publications, websites, and posts that discuss this topic.

For help filtering through the noise and building a more robust C-SCRM program, the CMMI Cybermaturity Platform (CMMI-CP) from ISACA provides a resource for organizations to mature not only their C-SCRM process but their overall cybersecurity program. The CMMI-CP risk-based solution assists organizations in building cyber supply chain resilience through the identification and assessment of risks based on globally accepted industry standards. The platform includes Practice Areas that target methods for determining organizational dependencies as well as identifying supply chain risks, helping organizations develop a robust cyber supply chain risk management program. More information on CMMI-CP is available at http://rao6wx8.8289777.com/enterprise/cmmi-cybermaturity-platform.