Vanguard Magazine

Vanguard August/September 2021

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/1401409


www.vanguardcanada.com AUGUST/SEPTEMBER 2021 45

THE LAST WORD

Maintaining Cybersecurity Resilience Across the Entire Supply Chain

BY WAYNE DORRIS

The security threat landscape is in a constant state of flux, as cybercriminals work hard to develop tactics to overcome organizations' defences. One popular route into a secured network is via the supply chain and history is not short of examples of successful cyberattacks which were achieved by this method. In fact, software company SolarWinds recently fell victim to a supply chain attack, which resulted in global repercussions. Threat actors typically target companies within the supply chain, as these tend to have less sophisticated and robust defences.

How can organizations be sure that they aren't inadvertently leaving themselves open to attackers, who may gain access via the wider ecosystem? To build trust in these relationships, they need to know that their system supplier continuously assesses and counters these risks – not only within their own systems, but also those of their sub-suppliers. It's critical to know how solution manufacturers control and maintain their entire supply chain and ensure all products have a safe journey from individual components to completed product.

Evaluating and choosing the right partner

Supply chain security begins with choosing partners through a rigorous evaluation process. This should include an analysis of critical areas, such as each company's information security policies and quality and sustainability management processes. As a minimum, the company should be certified by a third party according to ISO 9001 or IATF 16949 and ISO 27001 A.15 or NIST SP-800 161.

This is only the beginning. Sub-suppliers' processes should also be assessed for risk management, as well as their production facilities and processes. Site visits should be made and followed up with on-site audits to check if the company meets the security requirements and standards set for approved vendor qualification. As part of the evaluation of a potential new partner, suppliers should conduct an in-depth analysis of the organization's financial position and ownership structure.

It may be useful to choose certain companies to be appointed as strategic sub-suppliers, especially for critical components. Investing time in building these relationships will improve trust and ensure that all parties are committed to achieving long-term goals, particularly when it comes to upholding security processes.

Regular supplier audits provide reassurance and add value

The best way for your supplier to ensure sub-supplier compliance to the specified requirements is to conduct regular on-site audits, yearly or bi-yearly. These can be supplemented by quarterly business reviews, to follow up on performance against expectations and collaboratively discuss any changes that need to be made. The audit process should be thorough and conducted on every site within the supply chain, from the component supplier to the distribution center.

Individuals with malicious intent can physically introduce threats into a network or directly to the products, therefore the audit process should also include assessments of the physical facilities, particularly the quality assurance procedures and associated machinery. This will ensure that products are not tampered with, or unauthorized individuals are allowed ac-
