NCSC Guidance for Supply Chain Cyber Security and Third-Party Risk Management

Use these best practices to address requirements across all 5 stages of guidance from the UK National Cyber Security Centre.
By:
Scott Lang
,
VP, Product Marketing
April 11, 2023
Share:
White paper ncsc supply chain 0423

Following a continual increase in high profile cyber-attacks resulting from supply chain vulnerabilities, the United Kingdom National Cyber Security Centre (NCSC) – a part of GCHQ – has published updated guidance to help organisations effectively assess and gain confidence in the cyber security of their supply chains.

The latest guidance, issued in October 2022, is intended to help organisations implement the NCSC’s 12 supply chain security principles originally published in January 2018, noted in the illustration below (courtesy of the National Cyber Security Centre, a part of GCHQ).

The guidance is broken out into the following five stages:

  1. Before you start
  2. Develop an approach to assess supply chain cyber security
  3. Apply the approach to new supplier relationships
  4. Integrate the approach into existing suppler controls
  5. Continuously improve

This post examines the five stages in the latest NCSC guidance and identifies best practices steps to implement the guidance.

The NCSC Supply Chain Cyber Security Checklist

Download this 12-page checklist to evaluate your supplier risk management program against recommended best practices for implementing the NCSC guidance.

Read Now
Featured resource ncsc supply chain checklist

NCSC Supply Chain Cyber Security Guidance Stage 1: Before You Start

According to the NCSC guidance, the goal of stage 1 is to, “Gain knowledge about your own organisation’s approach to cyber security risk management.” This initial planning stage involves the following steps.

Understanding the risks your organisation faces

According to a recent industry study, 45% of organisations have experienced a third-party data or privacy breach in the past 12 months. Answer these key questions:

  • Can your organisation remain resilient in the face of a supply chain cyber disruption?
  • Can you identify the target of a cyber attacker? Is it data?
  • Can you identify the most likely attack path for a cyber attacker?

If the answer to any of these questions is “no,” then you must assess the weak points in your cyber supply chain and build a plan to mitigate those risks.

Determining who should be involved in supply chain cyber security decisions

Participants can include representatives from procurement and sourcing, risk management, security and IT, legal and compliance, and data privacy teams. The reason that so many teams should be engaged as part of the supply chain cyber risk management process is that each department tends to focus on the risks that matter to them. For example:

  • IT security and privacy teams must determine what controls are in place to protect data and access to systems, if the supplier was breached, what the impact was, and if there is undue risk from fourth parties.
  • Procurement teams may want to if the supplier’s financial or credit history raises any concerns, or if the supplier carries a reputational problem with them.
  • Compliance and legal teams will want to know if the supplier has been flagged for data privacy, environmental, social and governance, bribery or sanctions.
  • Risk management teams will want to know if the supplier is in a region prone to natural disasters or geo-political instability.

First, establish a RACI matrix to define who in the organisation is:

  • Responsible for managing risks
  • Accountable for results
  • Consulted with
  • Kept informed about the process and results

Finally, gain buy-in from senior executives and the board by:

  • Presenting a consolidated view of current risk exposure to the organisation from the supply chain
  • Communicating current risk status and reduction efforts
  • Identifying where exec support is needed

Evaluating risks

A common way to categorise risk is through a “heat map” that measures risk on two (2) axes: Likelihood of occurrence and impact to operations. Naturally, risks that rate high on both scales (e.g., the upper-right quadrant) should be prioritised higher than risks that rate lower.

NCSC Guidance Stage 2: Develop an Approach to Assess Supply Chain Cyber Security

Stage 2 guidance says to “Create a repeatable, consistent approach for assessing the cyber security of your suppliers.” This stage involves:

  • Knowing which assets the organisation should protect;
  • Defining what the ideal security controls should be to protect the asset; and
  • Determining how to assess suppliers and handle non-compliance.

Prior to creating the supplier’s security profile, consider the inherent risks they expose the company to. Consider this framework when calculating inherent risk:

  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

Using the insights from this inherent risk assessment, your team can automatically tier and profile suppliers; establish specific contractual clauses to enforce standards; set appropriate levels of further diligence; determine the scope of ongoing assessments; and define remediations in the case of non-compliance.

For tracking compliance with security requirements, consider standardising assessments against Cyber Essentials, ISO, or other commonly-adopted information security control frameworks.

NCSC Guidance Stage 3: Apply the Approach to New Supplier Relationships

At Stage 3, NCSC guidance recommends embedding “new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure.” This involves monitoring adherence to contractual provisions and maintaining the team’s awareness of their responsibilities during the process.

This guidance requires organisations to be aware of risks at every stage of the supplier lifecycle, including:

  • Conducting pre-contract due diligence by gaining cybersecurity insights or data breach history on potential suppliers prior to making selection decisions
  • Scoring and categorising suppliers so you know how to triage them and what ongoing due diligence is needed
  • Validating assessment results with real-time cyber monitoring data
  • Centrally tracking all contracts and security-related contract attributes
  • Measuring supplier effectiveness, including KPIs, KRIs, and SLAs against compliance measures to make sure those vendors are meeting contractual requirements
  • Winding down relationships in a way that ensures contract adherence, data destruction, and that final items are checked off

Conduct supplier cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management, and automated evidence review capabilities.

Then, continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases. Correlate all monitoring data to assessment results and centralise in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

NCSC Guidance Stage 4: Integrate the Approach into Existing Supplier Contracts

In Stage 4, NCSC recommends reviewing “your existing contracts either upon renewal, or sooner where critical suppliers are concerned.” The guidance assumes some level of contract lifecycle management and managing KPIs and KRIs.

Contract lifecycle management

Centralise the distribution, discussion, retention and review of vendor contracts so that all applicable teams can participate in contract reviews to ensure the appropriate security clauses are included.

Key practices to consider in managing supplier contracts include:

  • Centralised storage of contracts
  • Tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customised, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralised contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

KPI and KRI management

An important part of review contracts is measuring key performance indicators (KPIs) and key risk indicators (KRIs). To enable an efficient review of contractual KPIs and KRIs, categorise them like this:

  • Risk measurements help to understand the risk of doing business with a supplier, as well as associated mitigations
  • Threat measurements overlap somewhat with risk and give a more complete and validated view risk
  • Compliance measurements define whether suppliers are compliant with your internal controls requirements
  • Coverage measurements answer the question, “Do I have full coverage of my supplier footprint and are they tiered and treated accordingly?”

Then, be sure to tie results back to contract provisions to provide complete governance over the process.

Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:

  • Present a consolidated view of current risk exposure to the organisation from the supply chain
  • Communicate current status of critical suppliers supporting major company efforts
  • Show inherent and residual risk from threat intelligence sources to demonstrate progress in reducing risk over time
  • Identify where executive support is needed

NCSC Guidance Stage 5: Continuously Improve

The final stage of the NCSC guidance says to “Periodically refine your approach as new issues emerge will reduce the likelihood of risks being introduced into your organisation via the supply chain.”

Continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: Criminal forums; of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials; breach databases — as well as several security communities, code repositories, and vulnerability databases.

Results of assessments and continuous monitoring should be collated in a single risk register with heat map reporting that measures and categorises risks based on likelihood and impact. Develop remediation plans with recommendations that suppliers can follow to reduce residual risk. Provide a forum for suppliers to upload evidence and communicate on specific remediations with a secure audit trail for tracking remediations to a close.

Next Steps: Download the Comprehensive NCSC Supply Chain Cyber Security Checklist

NCSC requirements can help provide structure and best practices recommendations to mitigate the risks of supply chain cybersecurity attacks. Prevalent offers a central, automated platform for assessing and continuously monitoring risks in concert with your broader cybersecurity risk management programme.

For more on how Prevalent can help, visit our NCSC solutions page, download the comprehensive NCSC Supply Chain Cyber Security Checklist, or contact Prevalent today to schedule a personalised demonstration.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo