Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains
Download as PPTX, PDF3 likes2,083 views
The document discusses the importance of cybersecurity in supply chains, emphasizing the need for effective risk management and maturity models to address cyber risks posed by suppliers. It highlights regulatory requirements for outsourcing and the responsibilities firms must maintain when utilizing third-party services. Additionally, it outlines approaches to building cyber resilience and the need for continuous assessment and validation of cybersecurity measures within the supply chain.
Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains
- 1. Assuring the Security of the Supply Chain Designing best practices for cybersecurity in supply chains Ollie Whitehouse, Technical Director
- 2. Agenda Supply Chains and the Cyber Challenge Regulatory (FCA) Outsourcing Requirements Historic Approaches Models for the Future ā our maturity model 2
- 3. 3 Supply chainsā¦ ā¢ Software: common-off-the-shelf (COTS) and proprietary ā¢ Equipment: the routers, servers, tablets, phones, storage, multi function devices, the doors, conditional access devices, building management system etc. ā¢ Services: business process outsourcing, data processing, IaaS, PaaS, SaaS, people, other generic terms like data feeds, cloud and managed service etc.
- 5. 5 Supply chains cyber risk ..
- 6. 6 Supplier tiers.. Tiers of suppliers.. .. need to focus on tier 1 and 2 initially .. the tier a supplier exists in will be dictated by the business criticality of the what they supply
- 7. 7 Supplier tiers.. Tiers of suppliers have tiers of suppliers it is an exponential problem creating inadvertent centralized hot pockets of data or function for certain roles (legal, HR etc.) or sector niches
- 8. 8 Supply chains cyber risk ..
- 9. 9 Suffice to say Suppliers are increasingly operating business critical functions
- 10. 10 Today it is a challenge for customers Suppliers today need to show good will in order to support supply chain cyber maturity programs.. Legacy contractual cover is typically weak beyond compliance against standards such as ISO27001.. Cost of contract renegotiating is typically high.. If a supplier is unique or niche then commercial leverage evaporates..
- 11. 11 FCA outsourcing regulatory requirements ā¢ Senior Management Arrangements, Systems and Controls ā¢ SYSC 8.1: General outsourcing requirements ā¢ SYSC 13.7.9: Geographic location considerations ā¢ Threshold Conditions ā¢ COND 2.4: Appropriate resources ā¢ COND 2.5: Suitability.. .. then there is the DPA etcā¦ Handbook http://fshandbook.info/FS/
- 12. 12 FCA outsourcing regulatory reality At the time of authorisation, a firmās regulated activities must be supported by IT services which are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our (the FCAās) objectives. Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
- 13. 13 FCA outsourcing regulatory reality Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf The firm must have undertaken sufficient preparatory work to provide reasonable assurance that each OSP will deliver its services effectively, resiliently and securely.
- 14. 14 FCA outsourcing regulatory reality Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf The firm has established appropriate arrangements for the on-going oversight of its OSPs and the management of any associated risks such that the firm meets all its regulatory requirements.
- 15. 15 FCA outsourcing regulatory reality Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party.
- 16. 16 FCA protection considerations Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
- 17. 17 FCA protection considerations Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
- 18. 18 FCA protection considerations Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
- 19. 19 FCA protection considerations Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
- 20. 20 FCA protection considerations Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
- 21. 21 Current approach to the supply chain today only the most mature
- 22. 22 This is not enoughā¦ Resilience
- 23. 23 What does cyber resilience mean? We will have incidents both of internal and external origin we will contend with accidents and malicious acts we will face an evolving set of threats requiring agility We will build services for the business which are appropriately secure and resilient ā¦ which frustrate threat actors and reduce likelihood of accidents ā¦ which minimize the impact of any incident whilst being useable We will be in a position to detect incidents in a timely fashion ā¦ whilst being able to answer who, what, when and how ā¦ and then recover
- 24. 24 How we deal with risk today ā¢ Elements / Tenants: CIA and Parkerian Hexad etc. ā¢ Models / Indexes: custom or off the shelf. ā¢ Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS, ISO/IEC 13335-2, SP800-30 etc. ā¢ Standards / Regulation: ISO/IEC 27001, PCI, FCA/PRA, SOC-1, SOX etc. ā¢ Maturity Models: recognizing risk isnāt static nor do we need to be perfect ā¢ Audit: tell us the gaps against regulation, standards, taxonomies etc.
- 25. 25 How we deal with risk today C AI this priority is good for your sensitive data C = confidentiality, I = integrity or A = availability
- 26. 26 How we deal with risk today CA I this priority is good for your buildings management system
- 27. 27 How we deal with risk today N I C this priority is good for high frequency trading A N = nonrepudiation
- 28. 28 Biggest challenges today are still ā¢ Where will my organizations data or the ability to significantly impact my business end up (logically and physically)? ā¢ Who will have access to it? ā¢ What is my suppliers ability to protect themselves in the first instance? ā¢ What is their ability to detect an incident, respond and notify me? ā¢ How cyber resilient is my supplier?
- 29. 29 A maturity model for the supply chain Immature Early Starter Progressive Semi-Mature Mature Cyber security strategy Approach to risk management Contractual cover / supplier relationship Standards and validation Overall cyber resilience Reactive Ad-hoc None Cyber Essentials None Regulatory (customer) driven Conformance and audit driven Minimal cyber security requirements Cyber Essentials + ISO 27001 Ability to defend against some attacks Regulatory, customer and maybe peer driven Audit and proactive Allows independent cyber security review CE+, ISO plus paper validation Ability to defend and detect common incidents Regulatory, customer, peer & threat driven Audit, proactive with dynamic risk models Independent validation / information shared CE+, ISO, paper & tech validation Ability to defend, detect and respond to most incidents Regulatory, peer, customer, threat and intelligence driven .. plus continual validation of risk models ā¦ plus requires pro- active notification of incidents CE+, ISO, paper, tech & end-to-end ongoing validation Ability to defend, detect, respond and gain intelligence Implementation NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management
- 30. 30 CBEST in this context As a critical supplier to the UK economy of an economic function it validates ā¢ Level of threat awareness of the supplier i.e. tier 1 institution ā¢ Their ability to protect their estate in the first instance ā¢ Their ability to detect an incident, respond and notify in the second ā¢ The end-to-end technical and soft defence countermeasure effectiveness including from vectors such as the Internet and trusted partners etc.
- 31. 31 So where is the best supply chain today? Immature Early Starter Progressive Semi-Mature Mature Cyber security strategy Approach to risk management Contractual cover / supplier relationship Standards and validation Overall cyber resilience Reactive Ad-hoc None Cyber Essentials None Regulatory (customer) driven Conformance and audit driven Minimal cyber security requirements Cyber Essentials + ISO 27001 Ability to defend against some attacks Regulatory, customer and maybe peer driven Audit and proactive Allows independent cyber security review CE+, ISO plus paper validation Ability to defend and detect common incidents Regulatory, customer, peer & threat driven Audit, proactive with dynamic risk models Independent validation / information shared CE+, ISO, paper & tech validation Ability to defend, detect and respond to most incidents Regulatory, peer, customer, threat and intelligence driven .. plus continual validation of risk models ā¦ plus requires pro- active notification of incidents CE+, ISO, paper, tech & end-to-end ongoing validation Ability to defend, detect, respond and gain intelligence Implementation NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management
- 32. 32 Closingā¦ CBEST is mature But we can expect it to be trickle down in terms of what is looked at in the supply chainā¦
- 33. 33 Further reading / viewingā¦ http://www.slideshare.net/OllieWhitehouse/red-teaming-and-the-supply-chainhttps://www.nccgroup.trust/uk/our-research/cyber-red- teaming-business-critical-systems-while-managing- operational-risk/
- 34. 34 How we help our customers ā¦ Red Team Assessments STAR and CBEST Phishing Assessments Cyber Incident Response Cyber Defence Operations Regulatory Advice Cyber Resilience Risk & Governance Supply Chain Assurance Operational Support
- 35. 35 Final thoughtā¦ Maturity is happening globally in financial servicesā¦ Israeli Cyber Defense Management directive , March 2015 Prescriptive in comparison including 24x7x365 SOCs, incident rooms, mandatory reporting of cyber incidents etcā¦ http://www.bankisrael.gov.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf?AspxAutoDetectCookieSupport=1
- 36. 36 Europe Manchester - Head Ofļ¬ce Amsterdam Cambridge Copenhagen Cheltenham Edinburgh Glasgow Leatherhead London Luxembourg Munich Zurich Australia Sydney North America Atlanta Austin Chicago New York San Francisco Seattle Sunnyvale Ollie Whitehouse ollie.whitehouse@nccgroup.trust