Supply Chain Risk Mitigation
Table of Contents
Supply Chain Risk Mitigation
Software Vulnerability Assessment
Procurement Policy List and Testing Recommendations
Supply Chain Cyber Security Risk
Supply Chain Threats/Mitigation
Overview
Introduction
Companies and their partners have become increasingly interconnected, so cybersecurity threats endanger everyone involved. One business may be protected by a very sophisticated security tool, but it can never be sure that its suppliers are protecting themselves to the same standard. Organizations are therefore advised never to ignore supply chain and cybersecurity risks when protecting the company's sensitive data. Moreover, security threats in the supply chain pose a massive problem, since one partner cannot control what happens in another partner's environment. However, measures can be applied to secure the entire process. This paper will therefore explore the supply chain and the security threats faced in the process. It will also look at the procurement measures an organization can adopt to help secure its systems. Furthermore, the paper will conduct a software vulnerability assessment and set out procurement policies.
Software Vulnerability Assessment
Application Software that Could Present Vulnerabilities
Application software designed for end users may expose a company to massive risks and can lead to breaches, loss of data, or even loss of customer confidence. Some software tends to get overlooked in organizations yet poses a lot of threat.
Application suites, which include LibreOffice, iWork and Microsoft Office: can lead to data loss.
Enterprise software: addresses organizational needs such as data flow between departments and business processes.
Enterprise infrastructure software: mostly supports the organization's other software systems.
Enterprise infrastructure software may include email servers, databases, and systems for managing security and the network. Such software is exposed to many security breaches and loss of data.
Application Platform as a Service: cloud-based platforms that offer development and deployment for the organization.
Information worker software, such as analytical software, resource management, personal information systems, email and time management.
Simulation software used for training purposes can also pose a risk to an organization.

When conducting the vulnerability assessment, the first principle is to understand the organization's risks.
The second principle is the company's ability to receive vulnerability reports from outside parties.
Train developers in the organization on how to write and test secure code.
Ensure there are secure coding practices.
Ensure there is error checking for all software developed in house.
Ensure that the organization uses up-to-date and trusted software.
Use extensively reviewed and standardized algorithms within the organization.
Separate non-production and production software and systems.
Ensure firewalls are in place for web applications.
Make sure processes exist to receive and address reports of software vulnerabilities.
Have software, such as ISO applications, that helps in vulnerability assessment.
Integrate secure coding principles into the SDLC using the appropriate software.
Frequently perform automated application security tests.
Achieve SOC 2 compliance by meeting the trust service principles, such as security and availability.
Procurement Policy List and Testing Recommendations
Procurement Policy Concerns | Specific Testing Recommendation to Address Each Policy Concern |
Does the vendor provide any cybersecurity certifications with the product? | To address this, the vendor should always provide an ISO certificate for any software, and the organization should verify that the license that comes with the software is legal and cannot pose any future security risk. |
Does the vendor provide access to the source code for the product? Are there other security issues in the source code to be addressed? | Provision of the source code should be looked at in two ways. Foremost, if the organization purchases the product outright for its commercial use, the vendor should provide the source code to the organization, to avoid a situation where the contract is breached and the software resold. Secondly, if the organization only hires or leases the software, it cannot be provided with the full source code, but the vendor remains responsible for after-sales service. |
What is the guaranteed frequency of security updates to be provided for the product? | The vendor should always provide a contract detailing how it will provide updates, and the agreement should be legally binding to ensure that no party breaches it. |
What is the implementation process for software updates/upgrades? | For any software update or upgrade, either party must inform the other before beginning the process. Next, the organization should ensure it has a backup of all data in the software, to avoid a situation where data might be lost during the process. Additionally, the vendor should provide documented guidelines showing how it will implement the process. |
Is the software being purchased verified by the IT staff? | Any software being purchased should always be verified and should go through a security check to ensure it is safe from any security threat. |
Are there any information services to be provided to the technical support team for the new software? | During the procurement chain, the supplier should provide all the technical details and security issues regarding the software to technical support. |
Is any new agreement likely to conflict with any existing contracts? | The organization should review all the contracts it has with the current supplier and other suppliers to see whether they conflict with the new contract, to avoid any illegal deal. |
Does the vendor have any issue with the review of the software acquisition form? | Additionally, the organization should inquire whether the vendor has any security concerns if the software acquisition form is reviewed. |
Who specifies the IT-related software, and who authorizes the purchases? | The procurement policy should always explain in detail who specifies the software to be purchased and who authorizes purchases. |
Is a receipt provided to acknowledge the purchase? | The organization should always ensure it receives the acknowledgement receipt for the purchase. |
What happens if the software gets declined or changed? | The head of the IT department should always provide an explanation to the managers for any decision made about new software. |
What is the role of the IT department in the installation of the software? | The IT department should never install any software unless it was involved in its specification. The software should never be installed by staff, and any third-party contractor should always be approved by the IT head. The contractor should comply with the existing guidelines and regulations. |
Supply Chain Cyber Security Risk
All organizations first build frameworks for their supply chain, since a framework clarifies the environment through which the supply chain moves. The connectivity between an organization, its vendors and the supply chain tends to be high and sensitive. It is sensitive because, if the chain were insecure, it could lead to a possible attack. Thus, it is always essential to understand how each product relates to the outside world. A company's priority has been, and will remain, maintaining the safety and reliability of all vital infrastructure, because of the high connectivity between systems and assets and the cycle of product delivery.
Over the years, new threats grouped under cybersecurity have emerged and posed a vital risk to the reliability and quality of most infrastructure. Cybersecurity challenges have included phishing, hacking and denial of service against systems. However, a new area of cybersecurity has emerged: the supply chain, where the integrity of much software and hardware is compromised while it is in the supply chain. Software may face several challenges: it may be tampered with, or may contain unstable, rogue or failing functionality. In the supply chain, bad code may be inserted into the software before it reaches its utility storage. Moreover, back doors and kill switches can be built into some software or hardware to enable it to be accessed remotely, so that data is stolen or the system is even disabled. All these situations can occur in the supply chain, which traditionally was not considered a vulnerable place.
Furthermore, the procurement field has a specific reason to take cybersecurity threats seriously. Although procurement and its online mode have many advantages, they have also seen a growing number of digital vulnerabilities as a result of cybersecurity threats. The supplier tends to be trusted with a lot of sensitive data such as names, phone numbers, addresses and social security numbers. If this data were ever to fall into the wrong hands, the company might suffer loss of custom, closure, federal investigation and bankruptcy. Procurement officials should therefore take care, since a cyber-attack could breach purchase orders and invoices, which would allow attackers to control and disrupt the business (Colicchia et al., 2019). The supply chain also poses many security concerns, such as inventory theft, smuggling of goods through the supply chain, and physical device tampering by individuals in the chain.
For the risks involved in the supply chain, several mitigation measures can be put in place. Foremost, the government can put in place cybersecurity initiatives and policy reviews that direct funding toward finding ways to address supply chain risk (Colicchia et al., 2019). This would also aid in building resilient cyber systems that help ensure security against supply chain attacks. Furthermore, institutions can implement vulnerability management for the supply chain. Institutions should also examine everything involved in the supply chain to find the risk areas, such as where the software was coded. Moreover, organizations should employ enough experts who understand cyber risk, so that they can help defend against the threat and find ways to make the organization cyber resilient.
Additionally, organizations should team up with cybersecurity firms to get useful, automated malware protection against threats. Cybersecurity firms should, in turn, follow principles under which they create software that helps protect supply chains. Besides, firms should adopt a small supplier base so that they have control over their suppliers (Koberg & Longoni, 2019). They should also have a culture of auditing their suppliers' firms to find out whether they abide by the given security protocols. Systems in the supply chain should have security features built in. These features include check digits, which detect and keep track of unauthorized logins into code. Moreover, there should be test processes to harden the security of the systems. Lastly, firms should educate employees, have security policies, and adopt sophisticated system administration.
There are several best practices in the supply chain. Some of the activities and practices involve getting to know all the actors, processes and elements in a supply chain, so as to be aware of what is happening in it (Wang et al., 2017). Organizations should also limit exposure and access within the chain. Information should be shared within strict limits, and there should be regular supply chain management training and awareness. Besides that, firms should use defensive design for their software and processes, and they should also strengthen their delivery mechanisms.
Acquisition Alignment
The purchase process for software goes through several stages. Before the purchase begins, an officer in the concerned department reviews the need for software in their department. The individual writes to the IT department requesting the specific software (Eikelboom et al., 2017). After the request, the IT head of department reviews the requirements to see whether they are viable and whether there is any need for the software. After the assessment, the IT department official submits an email requesting the software to senior management, stating the name of the software and the department that needs it, its justification, the product, how it will be used, and its price.
After top management has received the request from the IT department, it reviews it and decides whether to reject or approve the application. At this stage, it may ask the concerned department for more information and clarification. If the request is approved and the necessary audit conducted, the departments concerned start the procurement and acquisition of the software. The process begins by looking at the various suppliers, if the company does not already have a specific supplier. It then evaluates the most cost-effective purchase and goes ahead to acquire the software from the most suitable supplier.
Additionally, the IT department, the concerned department and the supplier communicate about the delivery and installation methods. At this stage, the supplier, together with the IT department, conducts the necessary testing, such as cybersecurity testing and vulnerability assessment of the system, to see whether it has any problems or could cause any harm to the organization. If the product proves to be effective, the staff in the concerned department are trained on how to use the system, and it is fully deployed for implementation and standard service (Perry, 2017). Lastly, the organization maintains regular contact with the supplier to ensure maintenance of the software and daily updates.
Supply Chain Threats/Mitigation
The supply chain has faced, and will always face, risk. Organizations have tried to find ways to mitigate the currently emerging cybersecurity threats. The number of software products and items flowing from suppliers to an organization has proved to carry many risks during distribution to the organization (Machado et al., 2018). Operational and information technology depend on well-distributed and interconnected supply chain procedures to offer cost-effective and appropriate solutions to organizations. Cyber supply chain risk management (C-SCRM) has emerged to help in identifying, assessing and mitigating the risks involved in the distribution channels, and it tends to cover the whole system development life cycle.
To mitigate the risks in the supply chain, organizations need to assess both the internal and external factors that are involved in the supply chain. Through assessment, the business analyzes the impacts that could occur; this analysis enables it to be prepared, and to predict and understand the effects of any disruption. Additionally, the business monitors and assesses its current suppliers, which makes it possible to understand the market through the supply chain and to mitigate the risks found. Furthermore, to minimize supply chain risks, the company should avoid concentrating on one line of supply. This ensures it never lacks a supplier if one of the chains faces a threat.
Additionally, the business needs to work with its suppliers, since useful collaboration and communication enable individuals to exchange ideas, find risks in the chain and mitigate them. Besides that, it is essential for the business to continually address cyber threats in the supply chain (Yu et al., 2018). Regular monitoring of the supply chain keeps the company ahead of any risks, since it can detect them before they cause any harm. Thus, the company should implement appropriate cybersecurity measures at all stages of the supply chain, since it cannot be sure where an individual risk will come from.
References
Colicchia, C., Creazza, A., & Menachof, D. A. (2019). Managing cyber and information risks in supply chains: insights from an exploratory analysis. Supply Chain Management: An International Journal.
Eikelboom, M. E., Gelderman, C., & Semeijn, J. (2018). Sustainable innovation in public procurement: the decisive role of the individual. Journal of Public Procurement.
Koberg, E., & Longoni, A. (2019). A systematic review of sustainable supply chain management in global supply chains. Journal of Cleaner Production, 207, 1084-1098.
Machado, S. M., Paiva, E. L., & da Silva, E. M. (2018). Counterfeiting: addressing mitigation and resilience in supply chains. International Journal of Physical Distribution & Logistics Management.
Perry, D. (2017). Status Report on Major Equipment Procurement. The School of Public Policy Publications, 10.
Wang, L., Foerstl, K., & Zimmermann, F. (2017). Supply Chain Risk Management in the Automotive Industry: Cross-Functional and Multi-tier Perspectives. In Dynamic and Seamless Integration of Production, Logistics and Traffic (pp. 119-144). Springer, Cham.
Yu, K., Cadeaux, J., Luo, N., Qian, C., & Chen, Z. (2018). The role of the consistency between objective and perceived environmental uncertainty in supply chain risk management. Industrial Management & Data Systems.