![Page 1: Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains](https://reader036.vdocuments.us/reader036/viewer/2022062515/55c398a3bb61ebca718b45a7/html5/thumbnails/1.jpg)
Assuring the Security of the Supply Chain: Designing best practices for cybersecurity in supply chains
Ollie Whitehouse, Technical Director
Agenda
Supply Chains and the Cyber Challenge
Regulatory (FCA) Outsourcing Requirements
Historic Approaches
Models for the Future – our maturity model
Supply chains…
• Software: commercial off-the-shelf (COTS) and proprietary
• Equipment: the routers, servers, tablets, phones, storage, multi-function devices, the doors, conditional access devices, building management systems etc.
• Services: business process outsourcing, data processing, IaaS, PaaS, SaaS, people, and other generic terms such as data feeds, cloud and managed services etc.
Supply chains…
Supply chain cyber risk…
Supplier tiers…
Tiers of suppliers: the focus needs to be on tier 1 and tier 2 initially.
The tier a supplier sits in is dictated by the business criticality of what they supply.
Supplier tiers…
Tiers of suppliers have tiers of suppliers.
It is an exponential problem, creating inadvertent centralized hot pockets of data or function for certain roles (legal, HR etc.) or sector niches.
Supply chain cyber risk…
Suffice to say
Suppliers are increasingly operating business-critical functions.
Today it is a challenge for customers
Suppliers today need to show goodwill in order to support supply chain cyber maturity programs.
Legacy contractual cover is typically weak beyond compliance against standards such as ISO 27001.
The cost of contract renegotiation is typically high.
If a supplier is unique or niche, then commercial leverage evaporates.
FCA outsourcing regulatory requirements
• Senior Management Arrangements, Systems and Controls
• SYSC 8.1: General outsourcing requirements
• SYSC 13.7.9: Geographic location considerations
• Threshold Conditions
• COND 2.4: Appropriate resources
• COND 2.5: Suitability
… then there is the DPA etc.
Handbook: http://fshandbook.info/FS/
FCA outsourcing regulatory reality
At the time of authorisation, a firm’s regulated activities must be supported by IT services which are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our (the FCA’s) objectives.
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014: https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
FCA outsourcing regulatory reality
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014: https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
The firm must have undertaken sufficient preparatory work to provide reasonable assurance that each OSP will deliver its services effectively, resiliently and securely.
FCA outsourcing regulatory reality
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014: https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
The firm has established appropriate arrangements for the on-going oversight of its OSPs and the management of any associated risks such that the firm meets all its regulatory requirements.
FCA outsourcing regulatory reality
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014: https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party.
FCA protection considerations
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014: https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
Current approach to the supply chain
today only the most mature
This is not enough…
Resilience
What does cyber resilience mean?
We will have incidents of both internal and external origin:
… we will contend with accidents and malicious acts
… we will face an evolving set of threats requiring agility
We will build services for the business which are appropriately secure and resilient:
… which frustrate threat actors and reduce the likelihood of accidents
… which minimize the impact of any incident whilst remaining usable
We will be in a position to detect incidents in a timely fashion:
… whilst being able to answer who, what, when and how … and then recover
How we deal with risk today
• Elements / Tenets: CIA and the Parkerian Hexad etc.
• Models / Indexes: custom or off the shelf.
• Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS, ISO/IEC 13335-2, SP800-30 etc.
• Standards / Regulation: ISO/IEC 27001, PCI, FCA/PRA, SOC-1, SOX etc.
• Maturity Models: recognizing risk isn’t static nor do we need to be perfect
• Audit: tell us the gaps against regulation, standards, taxonomies etc.
How we deal with risk today
C, A, I: this priority is good for your sensitive data
C = confidentiality, I = integrity, A = availability
How we deal with risk today
C, A, I: this priority is good for your building management system
How we deal with risk today
N, I, C, A: this priority is good for high frequency trading
N = non-repudiation
Biggest challenges today are still
• Where will my organization's data, or the ability to significantly impact my business, end up (logically and physically)?
• Who will have access to it?
• What is my supplier's ability to protect themselves in the first instance?
• What is their ability to detect an incident, respond and notify me?
• How cyber resilient is my supplier?
A maturity model for the supply chain
| | Immature | Early Starter | Progressive | Semi-Mature | Mature |
|---|---|---|---|---|---|
| Cyber security strategy | Reactive | Regulatory (customer) driven | Regulatory, customer and maybe peer driven | Regulatory, customer, peer & threat driven | Regulatory, peer, customer, threat and intelligence driven |
| Approach to risk management | Ad-hoc | Conformance and audit driven | Audit and proactive | Audit, proactive with dynamic risk models | … plus continual validation of risk models |
| Contractual cover / supplier relationship | None | Minimal cyber security requirements | Allows independent cyber security review | Independent validation / information shared | … plus requires pro-active notification of incidents |
| Standards and validation | Cyber Essentials | Cyber Essentials + ISO 27001 | CE+, ISO plus paper validation | CE+, ISO, paper & tech validation | CE+, ISO, paper, tech & end-to-end ongoing validation |
| Overall cyber resilience | None | Ability to defend against some attacks | Ability to defend and detect common incidents | Ability to defend, detect and respond to most incidents | Ability to defend, detect, respond and gain intelligence |

(Columns run left to right along the slide's "Implementation" axis.)
NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management
CBEST in this context
For a critical supplier of an economic function to the UK economy, it validates:
• The level of threat awareness of the supplier (i.e. a tier 1 institution)
• Their ability to protect their estate in the first instance
• Their ability to detect an incident, respond and notify in the second
• The end-to-end effectiveness of technical and soft defensive countermeasures, including against vectors such as the Internet and trusted partners etc.
So where is the best supply chain today?
Closing… CBEST is mature
But we can expect it to trickle down in terms of what is looked at in the supply chain…
Further reading / viewing…
http://www.slideshare.net/OllieWhitehouse/red-teaming-and-the-supply-chain
https://www.nccgroup.trust/uk/our-research/cyber-red-teaming-business-critical-systems-while-managing-operational-risk/
How we help our customers …
Red Team Assessments
STAR and CBEST
Phishing Assessments
Cyber Incident Response
Cyber Defence Operations
Regulatory Advice
Cyber Resilience
Risk & Governance
Supply Chain Assurance
Operational Support
Final thought…
Maturity is happening globally in financial services…
Israeli Cyber Defense Management directive, March 2015
Prescriptive in comparison, including 24x7x365 SOCs, incident rooms, mandatory reporting of cyber incidents etc.
http://www.bankisrael.gov.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf?AspxAutoDetectCookieSupport=1
Europe: Manchester (Head Office), Amsterdam, Cambridge, Copenhagen, Cheltenham, Edinburgh, Glasgow, Leatherhead, London, Luxembourg, Munich, Zurich
Australia: Sydney
North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Ollie [email protected]