NCSC Supply Chain Cyber Security Guidance

Stage 1: Before You Start

According to the NCSC guidance, the goal of stage 1 is to, “Gain knowledge about your own organisation’s approach to cyber security risk management.” This initial planning stage entails understanding:

• The risks your organisation is exposed to;
• Who in the organisation should be involved in supply chain cyber security decisions; and
• How the organisation should evaluate risk.

Understand why your organisation should care about supply chain cyber security

According to a recent industry study, 45% of organisations have experienced a third-party data or privacy breach in the past 12 months. Consider some recent examples, and the impact those security incidents caused:

Toyota – financial and operational losses

In February 2022, Toyota shut down operations in Japan after a major plastic supplier, Kojima Industries, suffered a data breach. Kojima had remote access to Toyota manufacturing plants, greatly increasing Toyota’s risk. As a result of the temporary shutdown, Toyota suffered financial and operational losses.

SolarWinds – lawsuits, fines, loss of customer trust

Russian state actors hacked into the Orion software product which was then pushed out to SolarWinds customers as part of a series of regularly planned updates. This effort gave the cybercriminals access to thousands of company’s systems and data. SolarWinds is facing lawsuits, fines, congressional testimony and more, and will impact their customers’ trust in them for years to come.

Answer these key questions:

• Can your organisation remain resilient in the face of a supply chain cyber disruption?
• Can you identify the target of a cyber attacker? Is it data?
• Can you identify the most likely attack path for a cyber attacker?

If the answer to any of these questions is “no,” then you must assess the weak points in your cyber supply chain and build a plan to mitigate those risks.

Identify the key players in your organisation

Having the right people in place to support supply chain cyber security will help drive the changes required.

Participants can include representatives from procurement and sourcing, risk management, security and IT, legal and compliance, and data privacy teams. The reason that so many teams should be engaged as part of the supply chain cyber risk management process is that each department tends to focus on the risks that matter to them.

IT security and privacy teams must determine what controls are in place to protect data and access to systems, if the supplier was breached, what the impact was, and if there is undue risk from fourth parties.

Procurement teams may want to if the supplier’s financial or credit history raises any concerns, or if the supplier carries a reputational problem with them.

Compliance and legal teams will want to know if the supplier has been flagged for data privacy, environmental, social and governance, bribery or sanctions.

Risk management teams will want to know if the supplier is in a region prone to natural disasters or geo-political instability.

First, establish a RACI matrix to define who in the organisation is:

• Responsible for managing risks
  Accountable for results
• Consulted with
• Kept informed about the process and results

Finally, gain buy-in from senior executives and the board by:

• Presenting a consolidated view of current risk exposure to the organisation from the supply chain
• Communicating current risk status and reduction efforts
• Identifying where exec support is needed

Understand how your organisation evaluates risk

A common way to categorise risk is through a “heat map” that measures risk on two axes: Likelihood of occurrence and impact to operations. Naturally, risks that rate high on both scales (e.g., the upper-right quadrant) should be prioritised higher than risks that rate lower.

Stage 2: Develop an Approach to Assess Supply Chain Cyber Security

Stage 2 guidance says to “Creating a repeatable, consistent approach for assessing the cyber security of your suppliers.” This stage involves:

• Knowing which assets the organisation should protect;
• Defining what the ideal security controls should be to protect the asset; and
• Determining how to assess suppliers and handle non-compliance.

Prioritise your organisation’s “crown jewels”

Determine the critical aspects in your organisation that you need to protect the most.

Create key components for the approach, which include:

• security profiles to be assigned to each supplier
• questions to determine the security profile of each supplier
• cyber security requirements for each profile
• management plans to track suppliers’ compliance with security requirements
• clauses relating to cyber security to insert into supplier contracts

Prior to creating the supplier’s security profile, consider the inherent risks they expose the company to. Consider this framework when calculating inherent risk:

• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

Using the insights from this inherent risk assessment, your team can automatically tier and profile suppliers; establish specific contractual clauses to enforce standards; set appropriate levels of further diligence; determine the scope of ongoing assessments; and define remediations in the case of non-compliance.

For tracking compliance with security requirements, consider standardising assessments against Cyber Essentials, ISO, or other commonly-adopted information security control frameworks.

Stage 3: Apply the Approach to New Supplier Relationships

At Stage 3, NCSC guidance recommends embedding “new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure.” This involves monitoring adherence to contractual provisions and maintaining the team’s awareness of their responsibilities during the process.

Educate the team

Ensure that the people who will be involved in assessing suppliers are trained in cyber security.

Consider requiring employees responsible for supplier relationships to achieve individual security certifications, or support the organisation’s Cyber Essentials or ISO 27036-2 certifications.

Embed cyber security controls throughout the contract’s duration

Consider cyber security throughout the contract lifecycle: from decision to outsource, supplier selection, contract award, supplier delivery to termination. Think what practices can be introduced to make sure this happens for every acquisition.

This guidance requires organisations to be aware of risks at every stage of the supplier lifecycle, including:

• Conducting pre-contract due diligence by gaining cybersecurity insights or data breach history on potential suppliers prior to making selection decisions
• Scoring and categorising suppliers so you know how to triage them and what ongoing due diligence is needed
• Validating assessment results with real-time cyber monitoring data
• Centrally tracking all contracts and security-related contract attributes
• Measuring supplier effectiveness, including KPIs, KRIs, and SLAs against compliance measures to make sure those vendors are meeting contractual requirements
• Winding down relationships in a way that ensures contract adherence, data destruction, and that final items are checked off

Monitor supplier security performance

Conduct supplier cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management, and automated evidence review capabilities.

Then, continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases.

Correlate all monitoring data to assessment results and centralise in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Stage 4: Integrate the Approach into Existing Supplier Contracts

In Stage 4, NCSC recommends reviewing “your existing contracts either upon renewal, or sooner where critical suppliers are concerned.” The guidance assumes some level of contract lifecycle management.

Identify existing contracts

Risk assess your contracts

Support your suppliers

Review contractual clauses

Centralise the distribution, discussion, retention and review of vendor contracts so that all applicable teams can participate in contract reviews to ensure the appropriate security clauses are included. Key practices to consider in managing supplier contracts include:

• Centralised storage of contracts
• Tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customised, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralised contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

Report progress to the board

Start by determining the different between key performance indicators (KPIs) and key risk indicators (KRIs) and how they are related.

• Key Performance Indicators (KPIs) measure the effectiveness of functions and processes.
• Key Risk Indicators (KRIs) indicate how much risk the organisation faces and which risk treatments to apply.

When it comes to measuring KPIs and KRIs, categorise them like this:

• Risk measurements help to understand the risk of doing business with a supplier, as well as associated mitigations
• Threat measurements overlap somewhat with risk and give a more complete and validated view risk
• Compliance measurements define whether suppliers are compliant with your internal controls requirements
• Coverage measurements answer the question, “Do I have full coverage of my supplier footprint and are they tiered and treated accordingly?”

Then, be sure to tie results back to contract provisions to provide complete governance over the process.

Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:

• Present a consolidated view of current risk exposure to the organisation from the supply chain
• Communicate current status of critical suppliers supporting major company efforts
• Show inherent and residual risk from threat intelligence sources to demonstrate progress in reducing risk over time
• Identify where executive support is needed

Stage 5: Continuously Improve

The final stage of the NCSC guidance says to “Periodically refine your approach as new issues emerge will reduce the likelihood of risks being introduced into your organisation via the supply chain.”

Evaluate the approach and its components regularly

Continuously review the organisation’s supply chain cybersecurity program
at every stage of the supplier’s lifecycle. Key areas to review include:

• Roles and responsibilities (e.g., RACI)
• Supplier security profiles
• Risk scoring and thresholds based on the organisation’s risk tolerance
• Assessment and monitoring methodologies based on third-party
  criticality
• Fourth- and Nth-party involvement in delivering critical services
• Sources of continuous monitoring data (cyber, business,
  reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect
  systems and data
• Compliance and contractual reporting requirements against
  service levels
• Incident response processes
• Internal stakeholder reporting
• Risk mitigation and remediation strategies

Maintain awareness of evolving threats and update practices accordingly

Maintain awareness of emerging threats and use the knowledge acquired to update your supply chain cyber security accordingly.

Continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Correlate all monitoring data to assessment results and centralise in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources should include:

• Criminal forums; thousands of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• Financial performance, including turnover, profit and loss, shareholder funds, etc.
• Global news sources
• Politically exposed person profiles
• Global sanctions lists

Collaborate with your suppliers

Develop remediation plans with recommendations that suppliers can follow to reduce residual risk. Provide a forum for suppliers to upload evidence and communicate on specific remediations with a secure audit trail for tracking remediations to a close.