Page 23 - CDM Cyber Warnings February 2014
For instance, when it comes to understanding security measures implemented by cloud service providers, most organizations have to rely on service level agreements and responses to vendor risk assessment surveys. This approach is based on trust rather than on monitoring the effectiveness of the actual security practices. That's why the Cloud Security Alliance promoted the concept of a Cloud Audit. This provides a common interface and namespace that allows cloud computing providers to automate Audit, Assertion, Assessment, and Assurance via an open, extensible, and secure interface and methodology. In reality, we're still a long way from being able to monitor suppliers' security practices in near real time.

Preventing supplier vulnerabilities from placing an organization at risk remains a daunting task. It encompasses performing risk assessments that require information sharing about threats related to unsanctioned services and technologies used in daily business operations (e.g., social media platforms, productivity tools such as Evernote), as well as application vulnerabilities.

When it comes to sharing information with suppliers and the management of associated risks, a recently released report by the Information Security Forum (ISF), an international association that focuses on cyber security issues and information risk management, notes that while "sharing information with suppliers is essential for the supply chain to function, it also creates risks." Furthermore, the report reveals that "of all the supply chain risks, information [sharing] risk is the least well managed." In fact, when it comes to assessing information sharing risk, most organizations focus only on a small subset of their suppliers, typically based on contract size.

This practice is clearly outdated, considering the fact that cyber criminals are using the supply chain to compromise large, well-protected global organizations they wouldn't otherwise be able to break into. In response, organizations need to extend their practice of conducting regular risk assessments to include all of their suppliers and, if possible, even their suppliers' suppliers. Performing vendor risk assessments has become a very popular practice over the past 12 months. While gathering data about a supplier's business and information security practices provides some peace of mind, it doesn't guarantee a higher level of security, especially if a vendor stretches the truth.

Nonetheless, performing a standardized vendor risk management process as part of normal business operations is an important step in securing the supply chain. Unfortunately, by including all suppliers in manual questionnaire-based risk assessments, organizations quickly reach the limits of operational efficiency and scalability.

To avoid having to hire legions of contractors or full-time staff, organizations are turning to software to help automate the data gathering process and the calculation of risk scores. Specifically, Vendor Risk Management tools are being used by more and more organizations to address the information sharing risk component of overall supply chain risk.

This leads us to the next attack vector in the supply chain: vulnerabilities in authorized or unauthorized technology deployments.

Vulnerability management has long been a required preventive measure. However, trends such as the consumerization of technology, "bring your own device" (BYOD), and emerging regulatory mandates that prescribe more frequent testing are pushing vulnerability assessment processes to their breaking point. In today's fast-moving threat environment, vulnerability management deployed



CYBER DEFENSE MAGAZINE - ANNUAL EDITION 23