CHAPTER 25: SUPPLY CHAIN SECURITY

Even if your own organisation’s security is sound, you can still be vulnerable to attack through any of your suppliers or partners if you do not take adequate precautions to ensure that your supply chain is sufficiently secure. Such precautions are typically in the form of conducting due diligence and reviewing contracts, both of which should be done with care – if you do not get these right first time, it can prove costly.

Due diligence

Performing due diligence can be the difference between buying an IT asset or buying an IT liability. Mergers and acquisitions can introduce new vulnerabilities, such as when acquiring a system or network that has not been appropriately configured and potentially already breached. Engaging a new service provider or striking a new partnership carries similar risks.

When looking to acquire another organisation or engage a service provider or supplier, ask questions like:

How much does the organisation rely on its IT infrastructure, and does the nature of your possible future relationship depend on data transfers and/or service availability?

Does the organisation maintain its IT infrastructure properly, and can it prove this, such as with appropriate documentation?

Can the organisation provide reasonable assurances that appropriate technical and organisational measures are in place to protect its IT infrastructure and any data transfers that might take place between you?

Does the organisation have a known history of security incidents, and if so, can it demonstrate that those incidents are unlikely to repeat themselves?

Reviewing SLAs

For suppliers and service providers, you should also take the precaution of carefully reviewing your contracts or service level agreements (SLAs), and make sure that they provide guarantees of adequate security and legal compliance. Even if the terms and conditions offer little or no room for negotiation (which is common), you can still check for points like:

Is the SLA clear about roles and responsibilities for both supplier and customer, including relationships such as between data controller and processor?[10]

Is the SLA specific about what services are and are not included?

Does the SLA clearly identify relevant benchmarks and metrics?

Does the SLA specify what the disputes and problem resolution process is, including escalation processes where necessary?

What assurances in terms of security does the supplier offer?

Bear in mind that this is a non-exhaustive, generic list, and more specific checks will depend on the nature of the service being offered. For a Cloud service provider, for instance, you need to make sure that the data you supply is confidential by default.

Cloud-specific challenges

Be aware that Cloud-related breaches are often not caused by the service provider but by customer error. In other words, the issue often is not a weak infrastructure on the provider’s side, but poor practices such as not changing default passwords or deploying inadequate access control. A particularly common issue, especially with bring your own device (BYOD) users, is automated backups to a Cloud service that has not been properly secured with appropriate access controls. With automated tools, criminals can and do search the Internet for such files in the Cloud that contain confidential data and download them.
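The access-control failure just described can be caught before anyone outside finds it by auditing storage policies for anonymous read grants. The following is an added example, not part of the chapter; it assumes bucket policies in the AWS IAM policy JSON format (the chapter names no provider), with two constructed sample policies, one private and one exposing backups to everyone.

```python
# Constructed sample bucket policies in the AWS IAM policy JSON format (an
# assumption: the chapter names no provider). The second bucket shows the
# failure mode described above: a backup location readable by anyone online.
SAMPLE_POLICIES = {
    "corp-backups-private": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/BackupAgent"},
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::corp-backups-private/*",
    }]},
    "laptop-backups-public": {"Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::laptop-backups-public/*",
    }]},
}

# Common spellings of actions that let a principal read objects or list keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} grants access to everyone, unauthenticated users included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def public_read_statements(policy):
    """Return the Allow statements that grant read access to anonymous principals."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        # An unconditional anonymous read grant is the misconfiguration to flag.
        if actions & READ_ACTIONS and "Condition" not in stmt:
            findings.append(stmt)
    return findings

def audit(policies):
    """Map bucket name -> True when its policy exposes objects to anonymous readers."""
    return {name: bool(public_read_statements(p)) for name, p in policies.items()}
```

Running `audit` over policies pulled from a real account, on a schedule, turns the "has someone left the backups open?" question into a repeatable check rather than a one-off review.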

_______________

[10] Under the GDPR and similar privacy laws, the data controller determines the purposes and means of processing the data, and is legally responsible for protecting that data, even if it outsources the processing activities. The data processor does the actual processing, but must do so on the controller’s instructions only.
