Poor supply chain risk management, or a total lack thereof, will have a negative impact on the long-term success of any organization. Supply chain risk management is the focus of Pitfall #14 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.

Supply chain risk management is not just for organizations in manufacturing, defense, or pharmaceutical verticals. The supply chain of any organization could impact delivery of computers for newly hired personnel, other hardware or infrastructure required to support the organization’s internal operations, telecommunication service levels, professional services, or even supplies that are necessary to support daily services provided to customers.

The year 2020 highlighted the importance of supply chain risk management due to the global impact of the COVID-19 pandemic. Laptops were in short supply. Infrastructure devices were backordered. Professional services were impacted. To protect your organization to the greatest extent possible, define and implement supply chain controls: safeguards against supply chain risks to systems, system components, and system services, intended to limit the harm or consequences of supply chain related risk events.

A supply chain risk management component of the overall risk management program should be implemented. Processes should be defined to manage risks associated with the development, acquisition, maintenance, and disposal of systems, system components, or system services. Once documented, this information should be reviewed and updated at least annually. Any changes to your organization or business operations should be addressed during these reviews.

Ensure your risk management and vendor management programs facilitate the processes needed for effective supply chain risk management. Suppliers and third-party partners that provide information systems, components, or services should be identified, prioritized, and assessed. Artifacts should be collected and maintained to serve as evidence of control effectiveness.

