Phil Lewis of Alliantist describes how data protection regulations are driving big changes in the way we approach supplier security and compliance.
Compliance is moving away from contractual, trust-based, tick-box Information Security Management assurance towards a more contextual, risk-focused and demonstrable compliance.
This long overdue transition is being driven, in part, by data protection regulations such as the General Data Protection Regulation (GDPR) in Europe, and New York State Department of Financial Services (NYS DFS) 500 in the US.
Directly addressing Supply Chain Security, Article 28 of GDPR makes the Data Controller accountable for choosing only Data Processors that can guarantee their technical and organisational measures will meet the requirements of GDPR and protect the rights of the Data Subject. It explicitly cites compliance with the Article 32 Security of Processing measures.
Although targeted at the Financial Services sector, NYS DFS Section 500.11 – Third Party Service Provider Security Policy requires a ‘Covered Entity’s’ policies and procedures to be based on the .
It is not dissimilar to GDPR in requiring that minimum practices be met, that due diligence processes are used to evaluate the adequacy of those practices, and that periodic assessment takes place based on the risk suppliers present and the continued adequacy of their practices.
Consequently, key regulatory stakeholders such as the European Network and Information Security Agency (ENISA) see Security in the Supply Chain as a significant Data Protection risk globally. Their recent report, Cyber Insurance: Recent Advances, Good Practices and Challenges, highlights that only 23% of organisations assess suppliers for cyber risk.
And, in the US, NIST has released the latest draft of the Framework for Improving Critical Infrastructure Cybersecurity, also known as the NIST Cybersecurity Framework, which has a:
“Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management (SCRM) purposes:
An expanded Section 3.3 Communicating Requirements with Stakeholders helps users better understand Cyber SCRM. Cyber SCRM has also been added as a property of Implementation Tiers. Finally, a Supply Chain Risk Management Category has been added to the Framework Core”
Meeting supply chain management regulatory requirements
In Section 3.2.6 of the ENISA report, they recommend that, as per the Annex A.15 controls, stakeholders such as insurers, customers, investors and regulators verify the existence of a formal third party management process, and receive details on due diligence, ongoing oversight and contractual obligations. Control objectives and specifically
In the absence of approved GDPR Codes of Conduct, a Data Processor (or other critical supplier) can prove compliance with the Article 32 Security of Processing requirements by implementing and ideally securing accreditation. This allows them to demonstrate contextual risk identification and management capabilities, and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Equally applicable to NYS DFS, the latest draft of the “foundational” Identify framework function also references the same Control objectives and Annex A.15 controls for its Supply Chain Risk Management category, as well as other ISO Control objectives and Annex A controls for all of the other key Identify Categories of:
- Asset Management;
- Business Environment;
- ; and
- Risk Management Strategy.
Therefore, whether you choose to implement all of NYS DFS 500 or just key around contextual risk identification and management, it is clear the A.15 to manage Supplier (and Other Important Relationships) offer an effective means of describing how you manage Security in the Supply Chain for both GDPR and
But how do you cost effectively and quickly demonstrate it?
How to prove management of Security in the Supply Chain
Large enterprises need to move beyond the traditional ‘comply or die’ supplier questionnaires and contracts that encourage a tick-box response, the accuracy of which will only be tested once an incident has happened, by which time it is often too late.
Whilst you may be happy that you have a watertight contract in place, it is unlikely your investors, customers and, with GDPR compliance almost upon us, the regulators will be quite so understanding if you have simply relied on questionnaires and contracts. They will be looking to see that you have engaged and collaborated with your supply chain, and have a mechanism for evidencing that agreed/mandated and/or specific policies and , are working in practice and not just on paper.
Online tools such as ISMS.online allow you to evidence your effective supply chain management and how it integrates with your risk management, audits, and.
Beyond that, they allow you to collaborate effectively online with key suppliers, taking a responsible customer approach that helps even the smallest of suppliers achieve appropriate security measures. Encouraging them to take positive, pragmatic but risk-focused steps will allow them to protect their and your information assets in line with your own policies and .
Working together you can build an ISMS and Supply Chain everyone can trust.