Most places have supply chains, upstream (you serve suppliers wo then serve other suppliers of suppliers) and downstream (towards your market). Vulnerabilities in a supply chain can introduce vulnerabilities to your assets. Those risks can be terrorism, or cyber-attacks. So says the official Centre for the Protection of National Infrastructure (CPNI) which last year brought out an 11-page guide ‘security in the supply chain’. Here’s a digest of it.
Guide in brief
– map all tiers of upstream and downstream supply chains to the level of each contract;
– risk score each contract;
– do due diligence or accreditation of suppliers (and potential suppliers) and through contracts;
– adopt proportionate measures to mitigate risk;
– do audit and compliance monitoring; and
– have contract exit arrangements.
Download the document at: www.cpni.gov.uk.
Cannot be outsourced
As CPNI point out, supply chain security risk can never be outsourced to the upstream or downstream suppliers; it will always remain owned by the business. They advise that Security works with other departments, such as procurement (‘simply to list all contracts and sub-contracts’) and IT. That said, you can’t expect a facilities manager in charge of a catering contract to understand the security risks; Security has to speak to FM so risks are ‘unpicked through detailed dialogue’. Such work may bring business benefits, such as countering fraud, or adding to business continuity and resilience. The guide says: “The investment of time, effort and money needs to be proportionate to the potential impact of the risks being mitigated. This requires a board level judgment which can only be taken if the board itself properly understands the risks in the first place. It will also be affected by the maturity of the organisation’s existing approach to security risk mitigation, by the complexity of its supply chain and by the prevailing threat picture.”
Holistic
You may only have to do a review of work already done on the risks; or it’s been ignored until now. CPNI urge a holistic approach; that is, the risks are interlocking: a physical security breach may be caused by a human failing or cyber-attack, or a physical an insider may steal electronic data. And as the guidance says, there’s little point in looking at your supply chain if you don’t take a sound approach to managing internal security risks. Do you ask contractors to work to the information security management standard ISO 27001; and if so, do you inspect them, or take what they say on trust? And don’t forget ‘residual risk’; does the contractor have network access for example even after the contract is done? As with risk management generally, it’s a process; through the various stages of a contract, from developing a statement of requirements’ to bid to services delivered.
Photo by Mark Rowe: Port of Belfast, dawn.
