
ISF Securing The Supply Chain During Periods of Instability

The document outlines five proactive steps organizations can take to secure their supply chains during periods of instability, including reviewing suppliers' inventories, updating risk assessments, managing high-risk suppliers, following a robust process when terminating supplier relationships, and testing incident response plans. It emphasizes the importance of maintaining up-to-date information and enhancing security measures to mitigate the risks of cyber attacks. The Information Security Forum provides these guidelines to help organizations better prepare for potential threats.

Uploaded by

nilati7130

Securing the Supply Chain During Periods of Instability: Five proactive steps towards stabilisation

Global pressures on the supply chain increase significantly during periods of instability and conflict. There is a heightened risk of major business disruption via cyber attacks that target suppliers. Another ‘NotPetya’ type attack that targets one affected country could have an impact felt around the rest of the world.

Organisations must review their suppliers’ inventories, potentially cutting back on their links with suppliers in affected regions.

How could your organisation be affected during periods of instability and conflict, and what steps could you take to understand the potential threats and be better prepared? These tips from the Information Security Forum can help you.

1 REVIEW YOUR SUPPLIERS’ INVENTORIES

Keep up-to-date details of:
– the exact nature of services (e.g. software design and build)
– the type of products (e.g. computer and network equipment)
– their main geographical locations.

2 UPDATE SUPPLY CHAIN INFORMATION RISK ASSESSMENTS

Keep the picture of risk across the supply chain up to date, focusing especially on suppliers in affected regions. Include lists of:
– highest risk suppliers by criticality and geographical location
– recently acquired suppliers (where risk posture could still be undefined)
– recently terminated suppliers.

3 INCREASE EFFORTS TO MANAGE HIGH-RISK SUPPLIERS OR THOSE WITH UNDEFINED RISK POSTURE

Enhance management of high-risk suppliers by:
– ensuring all key contact information is kept up to date
– updating evaluation questionnaires with specific security clauses (e.g. add in cyber resilience)
– using continuous monitoring techniques (e.g. use open source intelligence to ensure the SSL certificates are up to date and perform non-intrusive surface scanning)
– identifying potential vulnerabilities in your supply chain and pushing vendors of software to prioritise prompt remediation
– looking for new initiatives to assess supplier security, focusing on strong software security (e.g. Supply Chain Levels for Software Artifacts (SLSA), Software Bill of Materials (SBOM)).

4 FOLLOW A ROBUST PROCESS WHEN TERMINATING SUPPLIER RELATIONSHIPS

If a political or business decision is made to cut operations in affected areas, ensure that in relation to terminated suppliers:
– all information is securely deleted using data sanitation techniques (e.g. cryptographic erase)
– all physical and network access is revoked
– all user access (including cloud-based shared data) is removed.

5 TEST YOUR INCIDENT RESPONSE PLAN

To prepare for a scenario where a key supplier is impacted or needs to be isolated, test response plans by:
– creating and workshopping various scenarios
– running tabletop cyber incident exercises.

About the ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its members.

Discover the ISF Supply Chain Suite
www.securityforum.org
ISF Members can visit www.isflive.org

+44 (0)20 3875 6868 | Information Security Forum


©2022 Information Security Forum Limited. All rights reserved. Classification: Public Find out more at www.securityforum.org
