The Call for Supply Chain Security

Cybersecurity is a complicated business. Just look at any of the various cybersecurity frameworks (e.g. NIST SP 800-53, ISO-27001/27002, PCI-DSS, HIPAA Security Rule), or at an infographic showing the CISO’s role, and you will appreciate the complexity. See: https://rafeeqrehman.com/ciso-mindmap/

One of the more recent developments in the cybersecurity industry is the governance concept of supplier relationship management (SRM). In cybersecurity terms, this means ensuring your suppliers have good cybersecurity hygiene. Some of the increased motivation for SRM can be attributed to the Target, Inc. data breach in 2013, which involved their HVAC supplier. Adding to the increased interest, the International Standards Organization (ISO) also acted in 2013 to add “Supplier Relationships” to its core information security domains. From its start in 2003, the HIPAA Security regulation has also required business associate (BA) agreements for suppliers providing services to covered entities such as hospitals. Now in 2019, even the General Data Protection Regulation (GDPR) has added a requirement for “Managing the Personal Data Supply Chain.”

Third-party Compromise

In late November and early December of 2013, Target experienced a data breach when criminals gained unauthorized access to Target’s computer network and began to exploit security weaknesses. Target hired a third-party computer forensics firm to investigate the data breach. The investigation revealed that criminals stole 40 million credit and debit card numbers and 70 million records of personal information.

The origin of the criminal access to the Target computer network was Target’s third-party refrigeration contractor, Fazio Mechanical. Criminals started by phishing a Fazio Mechanical employee, which resulted in the successful deployment of malware onto Fazio’s network. The malware captured keystrokes and took screen captures. Using the malware, criminals were able to obtain the Target-issued network access credentials that Fazio Mechanical used to access the Target network. See: https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/ for greater detail. This supplier-based security breach led to greater focus on SRM within the cybersecurity industry.

Cybersecurity Frameworks and Regulations

In the HIPAA Security regulation, suppliers are referred to as business associates (BAs). The HIPAA Security authors were astute in recognizing that HIPAA Security requirements for covered entities alone, such as hospitals, were not enough. They reasoned that adherence to HIPAA security controls needed to be extended to the third-party vendors and suppliers handling protected health information (PHI). HIPAA security controls require the hospital to have a business associate agreement in place with its suppliers so that suppliers know they must also meet the HIPAA Security requirements. This means the BAs are contractually and legally obligated to protect the PHI they handle in the course of doing business with covered entities.

The ISO-27001 framework added a “Supplier Relationship” domain in 2013. The domain requires organizations to put a supplier management program in place to ensure all parties work in unison to protect the confidential information each party exchanges and possesses in the course of conducting business.

The ISO “Supplier Relationship” domain has the following requirements:

15.1: Information security in supplier relationships

There should be policies, procedures, and awareness to protect the organization’s information that is accessible to IT outsourcers and other external suppliers throughout the supply chain, as agreed upon within the contracts or agreements.

15.2: Supplier service delivery management

Service delivery by external suppliers should be monitored and audited against the contractual agreements. Service changes should be controlled.

Like ISO-27001, GDPR also recognized the need for SRM to ensure personally identifiable information (PII) is protected by all entities, including any sub-processors handling personal data. Under GDPR, organizations across the supply chain of data controllers, processors, and sub-processors must be managed according to “DPP5 - Manage the Personal Data Supply Chain.” The DPP5 provision seeks to ensure:

  • All entities handling PII are identified (controllers, processors, sub-processors),
  • Sub-processor agreements are in place and contain their GDPR data protection obligations,
  • Sub-processors are managed, audited periodically, and provide evidence of compliance, and
  • Supply chain partners are included in the organization’s data protection impact assessment (DPIA).

SRM Solution

At this point, you may be wondering about the components of a good Supplier Relationship Management program, one that ensures good cybersecurity hygiene while also addressing compliance with cybersecurity frameworks and regulations. Here are a few thoughts on how to get started.

  1. Obtaining and maintaining senior management support and adequate resources to provide proper oversight of suppliers handling sensitive information and/or accessing sensitive information via remote access.
  2. Ensuring supplier agreements have language obligating suppliers to have minimum base level cybersecurity controls in place.
  3. Establishing clear agreement language on the type of data, such as personal data or intellectual property, which will be exchanged with, stored, and processed by the supplier.
  4. Providing data handling instructions, such as requiring data to be exchanged and stored in an encrypted format, limiting access to sensitive data based on job role, and requiring quarterly access attestations. Data handling instructions are often tied to the sensitivity or classification of the data (e.g. internal use only, confidential, customer-confidential, restricted).
  5. Agreeing on the method to be used for the secure exchange of information, and ensuring all parties know it is not acceptable to use public file sharing sites.
  6. Obtaining evidence from suppliers that they have the minimum base level controls in place via:
    1. Cybersecurity controls questionnaires annually and with control evidence; and
    2. Onsite cybersecurity controls assessments every two (2) years or alternating with annual control questionnaires.
  7. Educating employees within both organizations on the standardized secure file transfer method and asking employees to alert management to any instances where the agreed-upon secure file exchange method is being circumvented.
  8. Hosting annual supplier cybersecurity meetings to collaborate and ensure established control baselines are working effectively or in need of enhancement.
  9. Establishing clear agreement language on what the supplier will do with the sensitive data once the relationship is terminated. An attestation of destruction is a common contract stipulation.

Summary

The information security of the supply chain is an increasingly important element of a holistic cybersecurity program. Suppliers are an extension of the business: they are often provided with access to the organization’s network and may store and process the organization’s confidential data. As a result, organizations are best served by establishing base-level data and system control requirements for suppliers. Further, organizations should deploy a process for periodically assessing each supplier’s compliance status.

Some supplier management programs even provide suppliers with an annual scorecard based on the supplier’s efforts to meet or exceed control requirements, and compare scores to those of other suppliers. Suppliers with an inadequate score may be removed from the supplier list or put on a remediation plan requiring the supplier to fix control inadequacies. The scorecard can be a motivator for some suppliers and may even have a positive impact on the supplier’s future business with the organization.

Proactive supplier management programs take a partnership approach with suppliers and include quarterly supplier checkpoint meetings. Successful supplier meetings foster collaboration and establish a safe and friendly environment where information security challenges can be discussed openly, collaboratively, and confidentially. With a partnership approach, all parties take a vested interest in the success of their joint efforts to secure data and information systems.


About the author: EDGE Cybersecurity Senior Consultant and fractional CISO, Tom Bray, CISM, is a business-driven cybersecurity leader with extensive experience across the banking, manufacturing, healthcare, and technology industries. He enjoys working with organizations to align cybersecurity control capabilities with business objectives, improve cybersecurity governance processes, and optimize investments in technical control tools. Tom is a contributing member of the West Florida Cyber Security Alliance and the ISACA West Florida Chapter.

Endnotes:

  1. Kassner, M.; “Anatomy of the Target data breach: Missed opportunities and lessons learned,” ZD Net, 2 February 2015, https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
  2. Cooke, I.; “Assurance Considerations for Ongoing GDPR Conformance,” ISACA Journal, Volume 1 2019
  3. Rehman, R.; “CISO Mindmap 2024,” https://rafeeqrehman.com/ciso-mindmap/