The United Kingdom National Cyber Security Centre (NCSC) – a part of GCHQ – has published updated guidance to help organisations effectively assess and gain confidence in the cyber security of their supply chains.
The latest guidance is intended to help organisations implement the NCSC’s 12 supply chain security principles across five stages:
1) Before you start: gain knowledge about your own organization’s approach to cyber security risk management
2) Develop an approach to assess supply chain cyber security: create a repeatable, consistent approach for assessing the cyber security of your suppliers
3) Apply the approach to new supplier relationships: embed new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure
4) Integrate the approach into existing supplier contracts: review your existing contracts either upon renewal, or sooner where critical suppliers are concerned
5) Continuously improve: periodically refine your approach as new issues emerge, which will reduce the likelihood of risks being introduced into your organization via the supply chain
The NCSC Supply Chain Cyber Security Checklist
Download this 12-page checklist to evaluate your supplier risk management program against recommended best practices for implementing the NCSC guidance.
Meeting NCSC Supply Chain Cyber Security Requirements
Here's how Prevalent can help you address the requirements noted in the UK National Cyber Security Centre guidance for supply chain cyber security.
| NCSC Guidance | Best Practice Considerations |
|---|---|
| Stage 1: Before You Start. According to the NCSC guidance, the goal of stage 1 is to “Gain knowledge about your own organisation’s approach to cyber security risk management.” This initial planning stage entails understanding the three areas below. | |
| Understand why your organisation should care about supply chain cyber security | According to a recent industry study, 45% of organisations have experienced a third-party data or privacy breach in the past 12 months. Consider some recent examples, and the impact those security incidents caused. Toyota (financial and operational losses): in February 2022, Toyota shut down operations in Japan after a major plastic supplier, Kojima Industries, suffered a data breach. Kojima had remote access to Toyota manufacturing plants, greatly increasing Toyota’s risk. As a result of the temporary shutdown, Toyota suffered financial and operational losses. SolarWinds (lawsuits, fines, loss of customer trust): Russian state actors hacked into the Orion software product, which was then pushed out to SolarWinds customers as part of a series of regularly planned updates. This gave the cybercriminals access to thousands of companies’ systems and data. SolarWinds is facing lawsuits, fines, congressional testimony and more, and the incident will affect its customers’ trust for years to come. Then answer the key questions; if the answer to any of them is “no,” you must assess the weak points in your cyber supply chain and build a plan to mitigate those risks. |
| Identify the key players in your organisation. Having the right people in place to support supply chain cyber security will help drive the changes required. | Participants can include representatives from procurement and sourcing, risk management, security and IT, legal and compliance, and data privacy teams. So many teams should be engaged in the supply chain cyber risk management process because each department tends to focus on the risks that matter to it. IT security and privacy teams must determine what controls are in place to protect data and access to systems, whether the supplier has been breached and, if so, what the impact was, and whether there is undue risk from fourth parties. Procurement teams may want to know if the supplier’s financial or credit history raises any concerns, or if the supplier carries a reputational problem. Compliance and legal teams will want to know if the supplier has been flagged for data privacy, environmental, social and governance, bribery or sanctions issues. Risk management teams will want to know if the supplier is in a region prone to natural disasters or geopolitical instability. First, establish a RACI matrix to define who in the organisation is responsible, accountable, consulted and informed. Finally, gain buy-in from senior executives and the board. |
| Understand how your organisation evaluates risk | A common way to categorise risk is through a “heat map” that measures risk on two axes: likelihood of occurrence and impact to operations. Naturally, risks that rate high on both scales (i.e., the upper-right quadrant) should be prioritised higher than risks that rate lower. |
| Stage 2: Develop an Approach to Assess Supply Chain Cyber Security. Stage 2 guidance says to “Create a repeatable, consistent approach for assessing the cyber security of your suppliers.” This stage involves the following. | |
| Prioritise your organisation’s “crown jewels”. Determine the critical aspects of your organisation that you need to protect the most, and create the key components of the approach. | Prior to creating the supplier’s security profile, consider the inherent risks they expose the company to, and use a consistent framework when calculating inherent risk. Using the insights from this inherent risk assessment, your team can automatically tier and profile suppliers; establish specific contractual clauses to enforce standards; set appropriate levels of further diligence; determine the scope of ongoing assessments; and define remediations in the case of non-compliance. For tracking compliance with security requirements, consider standardising assessments against Cyber Essentials, ISO, or other commonly adopted information security control frameworks. |
| Stage 3: Apply the Approach to New Supplier Relationships. At Stage 3, NCSC guidance recommends embedding “new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure.” This involves monitoring adherence to contractual provisions and maintaining the team’s awareness of their responsibilities during the process. | |
| Educate the team. Ensure that the people who will be involved in assessing suppliers are trained in cyber security. | Consider requiring employees responsible for supplier relationships to achieve individual security certifications, or to support the organisation’s Cyber Essentials or ISO 27036-2 certifications. |
| Embed cyber security controls throughout the contract’s duration. Consider cyber security throughout the contract lifecycle: from the decision to outsource, through supplier selection, contract award and supplier delivery, to termination. Think about what practices can be introduced to make sure this happens for every acquisition. | This guidance requires organisations to be aware of risks at every stage of the supplier lifecycle. |
| Monitor supplier security performance | Conduct supplier cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management, and automated evidence review capabilities. Then, continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, vulnerability databases, and data breach databases. Correlate all monitoring data to assessment results and centralise it in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. |
| Stage 4: Integrate the Approach into Existing Supplier Contracts. In Stage 4, NCSC recommends reviewing “your existing contracts either upon renewal, or sooner where critical suppliers are concerned.” The guidance assumes some level of contract lifecycle management. | |
| Identify existing contracts; risk-assess your contracts; support your suppliers; review contractual clauses | Centralise the distribution, discussion, retention and review of vendor contracts so that all applicable teams can participate in contract reviews and ensure the appropriate security clauses are included. |
| Report progress to the board | Start by determining the difference between key performance indicators (KPIs) and key risk indicators (KRIs) and how they are related, and categorise them consistently when measuring them. Then, be sure to tie results back to contract provisions to provide complete governance over the process. Finally, ensure your team is fluent in understanding what type of information the board should see. |
| Stage 5: Continuously Improve. The final stage of the NCSC guidance says to “Periodically refine your approach as new issues emerge will reduce the likelihood of risks being introduced into your organisation via the supply chain.” | |
| Evaluate the approach and its components regularly | Continuously review the organisation’s supply chain cybersecurity program. |
| Maintain awareness of evolving threats and update practices accordingly. Maintain awareness of emerging threats and use the knowledge acquired to update your supply chain cyber security accordingly. | Continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Correlate all monitoring data to assessment results and centralise it in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources should include criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, vulnerability databases, and data breach databases. |
| Collaborate with your suppliers | Develop remediation plans with recommendations that suppliers can follow to reduce residual risk. Provide a forum for suppliers to upload evidence and communicate on specific remediations, with a secure audit trail for tracking remediations to closure. |
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.