Using NIST 800-161 to Meet Today’s Cybersecurity Supply Chain Risk Management Challenges
Description
It should be no secret that suppliers represent a major route for cyberattacks against your organization. But, as your supply chain shifts to meet global challenges, is your Cybersecurity Supply Chain Risk Management (C-SCRM) program able to keep up?
Fortunately, NIST SP 800-161 provides guiding principles for assessing, monitoring, and responding to today’s complex supply chain cybersecurity risks.
Join compliance expert Thomas Humphreys as he shares insights for evolving your C-SCRM program in line with the NIST framework.
The webinar will enable you to:
- Map your current C-SCRM practices to critical provisions in NIST 800-161
- Apply NIST best practices to build a more agile supplier risk management program
- Understand where SP 800-161 fits into the broader NIST framework
- Facilitate greater adoption of 800-161 controls in your organization
Aligning your C-SCRM program with NIST best practices can help you keep pace with growing supply chain risks. Watch this on-demand webinar for expert guidance that you can immediately put into practice.
Speakers
Thomas Humphreys
Compliance Expert
Transcript
Amanda: Hello. Hi everyone. All right, people are coming in here. Good morning and good afternoon, everybody. While we are waiting, our classic while-we-are-waiting question. I’m throwing up the poll here. We’re curious as to what prompted you to join us today in our webinar that we like to call “Using NIST 800-161 to Meet Today’s Cybersecurity Supply Chain Risk Management Challenges”. Say that three times fast. That’s very long. But we’re going to get to the bottom of it nonetheless. We have two great people on here that are our very own Prevalenteers. We have Thomas Humphreys, who is an expert in this conversation, and we have Scott Lang, who will jump on later towards the end as well to discuss key items that we think would help you. A couple of things, everybody: we are recording this. You’ll get it in your inbox tomorrow. We also are hoping to keep this interactive. So, please utilize the chat for chatting and utilize the Q&A for actual questions for us to answer. We very much enjoy any person that challenges any sort of thing that’s on the screen or has any questions. So, keep it as lively as possible here. We’ll have one more poll question towards the end, and save questions for the end as well unless anything is truly, truly pressing. Anything else? I think we are good here. I think that’s about it. So, I will have Thomas take it away and we will go ahead and get started.

Thomas: Thank you very much, Amanda. And yes, good day, good afternoon, good morning and good evening to everyone who’s on the call today. I’m Thomas Humphreys and I’ll be with you to go through and digest the NIST 800-161 standard framework. Just before we do, very briefly about myself. So I work in the content section of Prevalent.
Thomas: So helping to build assessments, supplier-based assessments, and surveys based on a range of key topics from information security to continuity and bribery and everything else in between. I was previously an ISO auditor, so working with many companies all over the globe, but principally in Singapore and in the UK. As Amanda’s indicated, any questions, feel free to put them across into the Q&A tab. And then hopefully, time permitting, at the end of the discussion today, at the end of the webinar, we should have time to answer a few of those. So, the purpose of today and today’s agenda. I’ll be running through 800-161 and specifically C-SCRM. You might notice there’s a few acronyms today. Anyone in the standards world knows we do love our acronyms. So I’ll be going through what C-SCRM is about and where it fits in from a risk management standpoint. I’ll be talking about the relationship between this and the other families of NIST standards. There’s a few that I’ve picked out that are quite pertinent to the area that we’re covering today. What makes it successful? For C-SCRM, it’s looking at critical success factors and areas that the standards have identified that companies should hopefully aim to achieve and should implement if they want to see a successful and well-run risk management program. And then finally, we take a look at cybersecurity supply chain related controls. So again, it’s bringing in some of that relationship with other NIST standards and pointing out some of the changes, some of the updates that the 800-161 standard has made to those. I’ll try and refrain from repeating the acronyms multiple times. But if I do, just bear with me. So let’s get started. So C-SCRM in risk management.
Thomas: So as you can see from the top, this stands for cybersecurity supply chain risk management. So what do we mean by this? As I’m sure many people are aware, there’s been an increase in cyber attacks over the last two, certainly three, years, and certainly looking ahead, across what many industry experts, security experts and government agencies are saying, this is set to increase, in some cases exponentially. One of the biggest areas that this is going to grow in is supply chain. Taking a look over some of the perhaps more notable issues, threats that have come into the public eye, not least the likes of Log4j, SolarWinds, other software and application attacks, or attacks on application- and software-based organizations, it’s been quite clear from the outset what a ripple effect some of these threats have caused and how it’s opened that discussion more and more amongst organizations, particularly around this greater need for supply chain visibility. So what is C-SCRM all about? It’s about enabling that visibility of cyber threats or cybersecurity threats across an organization’s supply chain, and through the guidance of the standard, of the framework, it is helping organizations to manage that exposure to cybersecurity risks throughout their supply chain. So how they manage those threats, how they build up the knowledge and awareness of those threats and put in appropriate controls and engagement through its supply base and through the supply chain to hopefully mitigate those risks and to minimize any exposure, any damage to products and services and brand and reputation. Like many risk management, or like all risk management frameworks, there’s obviously a strong link from a governance perspective.
Thomas: And as we go through today and have a look at aspects of the 800-161 framework, we’ll see that there’s a strong emphasis on governance, on top-down senior management and building a structured program. Not just about how to respond to risks, but how to build the wider framework through what NIST calls Frame, Assess, Respond and Monitor. So, like any good risk management program, driven from the top and built with a clear structure of key risk management practices. There are many areas that the standard covers that anyone who’s involved in best practices around risk, thinking of ISO 31000 for example, or the NIST RMF risk management framework, that’s just two of many structured frameworks out there, a lot of this will be very familiar: that concept of identifying, through a cyclical approach, how you frame risks, how you establish that context for identifying risk, for making risk-based decisions, identifying roles and responsibilities in how you identify and how you manage through to the end, before progressing on to the actual assessment of the risks. So anyone who’s familiar with ISO 27000, for example, it follows a similar pattern. It’s that identification, that review of risk impacts, risk likelihoods, hopefully getting you to a stage where you can identify overall risk ratings, risk criticalities, if you will. Part of this of course then moves on to the response piece. So the risk mitigation, where you’ve identified cybersecurity threats or perceived threats, you’ve assessed their criticality and you’re now setting a pathway to help to address those through risk mitigation, risk treatments, engagements with your suppliers and hopefully their engagement with their suppliers and the wider supply chain.
Thomas: And as we start to build through this process and look at how we respond and react to risks, the continual monitoring, continual improvement. So looking at bringing down that risk exposure before it starts again. So that integration of the supply chain risk management process into the wider enterprise risk management. And this is actually quite key. There’s a lot of different risk management methodologies out there and businesses handle risk in a lot of different ways, from financial risk, business risk, operational risk, IT or security risk, privacy, and so on and so forth, and C-SCRM is no different in that regard. So where organizations already have a very clear structure and methodology to identify, respond, assess, monitor and deal with risk, C-SCRM should fit into this framework as well. Now sometimes it can be quite easy when you’re looking at risk, particularly when you’re looking at an area such as cybersecurity, to say, well, this is to do with security, this is information technology or ICT, so this is an area that our IT department should be handling, or this is an area that our governance and audit team should be handling, it’s all about compliance and all about managing risk. One of the key areas that the NIST framework emphasizes is that it should be about that engagement across all aspects of the business. So any area of the business that comes into contact with suppliers, that comes into contact with the supply chain, be it information security and privacy, project management, logistics, procurement departments, development teams who are developing particular applications and where there’s a reliance on outsourcing a particular aspect of the development process. So when we’re developing this risk management process that’s focused on cybersecurity risk in the supply chain.
Thomas: One of the key drivers here and one of the key enablers should be, well, how are we engaging all aspects of our business that use a supplier, that actively engage with the supplier? And as we’ll see as we go through today’s webinar, that emphasis on engagement across the business and building that culture of awareness, through training programs and through different monitoring techniques, that’s one of the critical ways to ensure a successful risk management program. And this is actually quite key to note: there’s a lot of repetition here from the NIST guidance that talks about that engagement, both at the initial level when you’re building a risk management program, but all the way through to when you get to monitoring and maturity and maturing your risk management process. So when you’re building new techniques into the process, for data analysis, for automation, it keeps coming back to making sure there’s that continual engagement across the business. So that’s one of the first key things I’d ask everyone on the call to bear in mind: it’s thinking about all aspects of your organization, of your business, that have an interaction with suppliers or multiple suppliers, and it’s making sure that there’s sufficient knowledge, communication, awareness and engagement across all of these areas if you want to ensure that successful program. So let’s take a step back now. So we’ve identified the initial output of what this cybersecurity supply chain risk management process and approach is about: building that risk management framework. But what do we mean when we say cyber risks in supply chain?
Thomas: So I’ve already identified two examples that were public, large issues for two large organizations, in the Log4j and SolarWinds-based attacks, and there have been multiple others, through Microsoft and other organizations that have been in the public eye. There’s also been some that have been notable in particular industries, such as the healthcare industry in the US, for example, and there’s a lot of risk out there, as we all know. But if we tried to think more structurally about it, we’re not just talking about our immediate supplier but the wider supply chain. So adversarial and non-adversarial threats. So from an adversarial perspective: malware, targeted attacks, ransomware, data breaches, where we have the ability and the knowledge that our suppliers have other suppliers that are handling our data, that are supplying services that go into a critical system that we’re going to be using. Being keenly aware of, well, do they hold or have access to any of our data? Are they holding systems that are not patched regularly, that perhaps are older and are more susceptible to such attacks? It’s those types of threats that we should be considering. Non-adversarial, and you could argue perhaps less from a cybersecurity perspective, but still very key here, is non-adversarial such as environmental threats, geopolitical threats, legal threats as well from a sanctions perspective. If, through that greater knowledge of understanding our supply chain and where our different suppliers sit, there’s an increased risk of suffering from an environmental disaster, or of a country being subject to legal sanctions, for example, then again these are key threats that we may need to consider. And when I say consider, as we’ll see in a short while, consider in the sense of raising it within our own risk registers.
Thomas: but also making sure we’re engaging our suppliers in the right way so that we’re asking the right questions and we are asking um uh the right areas in contracts and agreements to make sure that the appropriate controls are in place. Thomas: It’s also worth pointing out from a vulnerability perspective um threats and vulnerabilities um uh are quite wide ranging um certainly from an external perspective where you have those dependencies and supply chain single source suppliers. Thomas: If we’re engaging if our suppliers engaging with other organizations who provide a critical component that goes into a product or a system um and they’re the only organization that can supply that or they’re in an area um that is environmentally sensitive. Thomas: Um what other plans do we need to consider here from a continuity perspective, from a recovery perspective, from a stock perspective? Thomas: And then obviously perhaps one of the more uh common areas is vis ibility of those internal vulnerabilities particularly where there’s a lack of cyber security awareness for example there are aged systems that perhaps are not patched as regularly not maintained as regularly and some of this could also be the fact that we don’t have immediate visibility of this we may not have immediate visibility of the type of systems they’re they’re using may not even have visibility of whether fourth or fifth parties have access and what access they have to our data so it’s important to be able to understand these type of threats, these type of vulnerabilities to name but a few that we can then again have that discussion with our suppliers about and these are some of the key areas that NIST uh 800161 uh captures. Thomas: I mentioned there’s there’s close alignment with uh other NIST frameworks. Thomas: Um those of you who are aware of NIST as a wider organization, there’s quite an extensive uh list of uh uh standards, best practices, guidance. 
Thomas: Some of it is very specific, for example, for federal agencies in the United States. Some are appropriate regardless of whether you’re a particular agency or whether you’re just an organization in business. 800-53 is a good example of that, where it was initially developed from a federal perspective, and we’re finding more and more organizations adopting 800-53 for information security and privacy controls as best practice, and it’s seen more and more as a good best practice standard and framework to adopt when you’re building a management system. So what’s interesting about 800-161 is, although the focus is on cybersecurity and supply chain risk, it’s taken many different NIST standards, particularly those four that you can see on the screen, the Cybersecurity Framework, 800-30, 800-37 and 800-53, and it’s adopted those frameworks and taken critical concepts from them and it’s tailored its approach to those needs in supply chain risk management. So one of the areas that we’ll see towards the end of the presentation is how it’s taken aspects of the 800-53 information security and privacy controls and enhanced them to add an element of, well, what does this control mean when we’re talking about supply chain risk management? Are there new controls that we need to consider that the current standard has not adopted or has not defined? And so it’s taking a lot of that best practice that’s already established, particularly from 800-30’s and 800-37’s perspective, around how to build a risk management process and approach and risk management life cycle as far as information systems and information security are concerned.
Thomas: Just briefly on the one at the top, for those who may not be aware: CSF, the Cybersecurity Framework, has good links to areas such as 800-53 and other international standards, but it provides that structured approach for identifying, detecting, responding to cybersecurity risks and putting appropriate controls in place. So, it’s interesting that NIST has obviously leveraged a lot of their best practice standards when they’ve developed this 800-161 and taken those core concepts and enhanced them, in most cases. So, having gone through an example of what C-SCRM is about, some sample risks, and that link with other NIST frameworks, one of the biggest aspects that 800-161 touches on is critical success criteria. So what makes a successful C-SCRM? So how can we determine success within our risk framework? And the standard has identified four CSFs, critical success factors. They are saying, well, this should help to build that culture of continual improvement, but also demonstrate, particularly higher up the chain in the management structure, the success of this program. This is why we’re approaching identifying risks and managing supply chain in this manner and aligning it to our enterprise risk management processes. So the first critical success factor is cybersecurity within the acquisition process, and there are two key areas that are notable here. One is the C-SCRM strategy, and then also roles for C-SCRM in acquisition, or as part of the acquisition process. So what do we mean here and what is NIST trying to say here?
Thomas: So firstly it’s saying, when you think about all steps of procurement, of the procurement process, the contract life cycle, when you’re considering the strategic position of how you approach acquisition of systems, of products, of services, and engaging with suppliers, it is building into that strategy how cyber risk and the supply chain is managed and is featured as part of that acquisition process. So, it’s building into the strategic vision and the strategic approach of how we deal with our acquisition, and it’s making sure that key questions are asked, key due diligence is conducted, so that when we acquire, when we procure a new system, a new information system or service, or when we engage with a supplier, we’ve asked the questions, the correct due diligence, that features and feeds back into those cybersecurity risks that we’ve identified at the top level. When it comes to roles, the key ask here is establishing key roles that work within the acquisition process, acquisition department, procurement department, to ensure that those right questions are asked. So, it’s very critical, as you would in project management for example, to ensure that there’s someone who’s knowledgeable and has experience in information security, to ensure that security controls have been considered and designed as part of system and software development. And in a similar vein, it’s making sure that where there are cybersecurity risks, where there are critical controls that need to be asked of suppliers who may be supplying a particular product or application, just making sure that that due diligence has been identified, and when it comes from a contractual perspective, making sure that the contract calls out those necessary controls, security controls, privacy controls in some cases as well.
Thomas: It could also be making sure that where there are best practice standards as part of business strategy, for example the need to recognize ISO 27000, NIST 800-53, SOC 2, any other framework that may be seen as best practice from an industry perspective or from an organizational perspective, it’s using those C-SCRM roles and expertise, and maybe knowledge experts, to ensure that those types of questions, that type of due diligence, is obtained from the suppliers. If we know that the organization that we’re procuring a particular system from is already ISO 27000 certified, they may have other certifications in place; if we know that, as part of that certification process, and knowledge of ISO 27000 has already helped us identify that they manage their own supply chain and they impress security controls on their own supply chain, that then gives us further comfort, further belief that the organizations, the suppliers, are obviously doing best practices and hopefully adopting best practices down the supply chain. Second critical success factor. So supply chain information sharing. So use of memberships, use of collective knowledge, experience and capabilities. So this comes into the likes of information sharing and analysis centers. So what is an ISAC? Some of them you may be familiar with. One of the most prominent in the US is H-ISAC, which is predominantly for the healthcare industry. There are others such as A-ISAC for the aviation industry, and you find that there are a lot of industries that have developed their own information sharing centers where members from these organizations come together.
Thomas: They discuss areas such as cybersecurity, such as data privacy, and any other areas that are pertinent to the industry, and being visible and mindful of these, and becoming members of these, or just having threat intelligence from other similar organizations. In some cases there may be not sector-specific but more countrywide ISACs as well. One of the leading ones in the UK is CiSP, the cyber information sharing partnership, which is an ISAC which was developed by the National Cyber Security Centre, the cybersecurity arm of the UK government. And so you find there are some national, international in some cases, and very much industry-specific information sharing and analysis centers, and supply chain information sharing forms one key part of that. So not only building and ensuring that supply chain risk management forms a core part of your acquisition process when you’re procuring your systems and solutions, but having that visibility of what’s happening in the industry is only going to improve the way you deal with risk management. And the use of information sharing and analysis centers is one very good way of doing that. There’s a lot of good information out there across multiple sharing centers, and particularly when we’re thinking about new and emerging threats, or if there are changes to a particular industry that you’re associated with, having that visibility at the early stage will only help when you come to continually review and try and improve the risk management process and your risk management approach. The third one is around training and awareness. So I mentioned from the outset that level of engagement across the business, building that culture, and this is seen as a critical success factor in the 800-161 standard when we talk about training and awareness. There’s a few obvious aspects here.
Thomas: So, we’re not just talking about company-wide visibility of what is a cybersecurity risk and how do you deal with the risk. Obviously, those are important areas to be mindful of. But it could also be, well, how do you include C-SCRM in project management? Are there function-specific trainings or role-based trainings that you can develop, or other awareness programs, internal marketing campaigns and knowledge sharing, again to build that experience and capabilities internally? So we’ve talked about the external arm of getting involved in memberships, maybe of information sharing centers such as ISACs, H-ISAC, the NCSC’s CiSP in the UK, but it’s also having that similar communication and similar involvement at an internal level as well. Finally, for CSF 4, this is when it comes to the maturity element of the standard. And it’s actually very good, personally for me, to see this, because we don’t always see standards state quite clearly how you build that maturity. It’s all very well to build a risk management framework, and hopefully we can get to a stage where we can repeat assessments or audits at a supplier level, for example; we can produce reports that tell us where we are from a risk perspective, are risks increasing or decreasing. But NIST has identified what it calls three key practices, foundational, sustaining and enhancing practices, which actually helps organizations build that level of maturity, or hopefully reach that stage of high maturity, which is where we find those enhancing practices. So let’s go through each of these in a bit more detail. So when we talk about foundational practices, it’s what we’ve covered in the early stages.
Thomas: So it’s that establishing the C-SCRM; perhaps you establish a project management office to formalize how the C-SCRM is being managed, and it’s used from the monitoring perspective internally. It’s creating risk management policies across the enterprise, the wider organization, and having that structure. Again, important to note that if you already have a clear and structured enterprise risk management framework to deal with operational risk and other aspects of risk, it only helps make it easier, so you don’t have to repeat and rewrite the rule book again where you already have that clear policy and consistent processes in place. It’s also about having that dedicated resource, whether they become knowledge experts across each aspect of the business that engages with suppliers, whether it’s a collective team that has that wider discussion on a monthly, biannual, annual basis; but it’s setting that groundwork, that foundation, in place, and once that’s in place we can then move to looking at sustaining practices. So do you have threat-informed security programs? Have you become members of specialist interest groups or ISACs? Have you got a program to monitor your suppliers and deliver a clear training program? Have you developed key supply chain controls, and controls associated with cybersecurity, into supply contracts? And as part of that, does it add consideration for the wider supply chain? So, not just controls you want your immediate supplier to carry out or to demonstrate that they have in place, but what controls you’d like them to demonstrate that they enforce or they impose on their own suppliers, i.e.
your wider supply chain. And have you developed a set of metrics, taking all the different information, the data that you collect from risks, the type of risks, the categories of risks, the severity of risks; can you build them up in such a way that allows you to provide metrics and to review metrics? Once we’ve got this in place and we’ve got a program that’s continually evolving, it’s continually improving, and it’s a repeatable process year on year, we can then look at those enhancing controls. So the ability to automate processes, for example: can you automate assessments that are being sent out to suppliers on a regular basis? Can you automate how remediation is captured and processed and delivered to suppliers, and on to their own suppliers as well, and your fourth and fifth parties? Using predictive, adaptive strategies, providing insight, taking insights from various metrics to adapt and improve your risk management process. So not responding after something’s happened or after the threat has been known, but using a strategic approach and looking ahead at trends in the risk process, trends in the risks being found across the supply chain, and adapting to it through the way you engage, the way you update contracts, the way you add amendments, and the way you ask for additional due diligence if necessary. And then finally, establishing or participating in communities of practice. And this can be from two areas. I’ve already talked about the ISAC, the external, if you will, aspect of memberships, but it’s the internal also that can be considered here. So thinking about that engagement across wide aspects of the business.
Thomas: If you have awareness and training and the culture of dealing with supply chain risk management, say from the project management side, your information security teams, your procurement teams and other teams, it’s having a process of sharing that knowledge and those capabilities across all of those teams. Maybe there are champions across each of those business units that are there to not only support their business units but to respond back to management, up to senior management, that again helps in that continual improvement of the risk management life cycle and approach. So, four critical success factors there, ending with NIST demonstrating how organizations are able to take what they have existing and build on it and continue to build and continue to evolve, to make it not only easier to manage, certainly when you think of it from an automation perspective. If there are standard risk management processes that would normally be quite manual, by automating them it frees up that resource to work on other areas, doing a deeper dive into risk analysis and various metrics, for example. So having said that, let’s now move on to one of the key areas that has changed and that sort of demonstrates where 800-161 has taken an existing standard, in this case 800-53, and embellished it and enhanced it. So just a quick recap: 800-53 provides a set of information security and privacy controls. There’s just in excess of a thousand controls in the current revision 5 of that standard, and it focuses very much on the needs of any industry and any business. The idea here is it’s expected that organizations take the standard and use the processes, the controls, that are appropriate to that business. And the same applies here for 800-161.
Thomas: It's important to note that there's a lot of information here around how you build your risk framework, how you identify different controls. Thomas: As you can see from the numbers below, 161 has taken 95 of those 800-53 controls and enhanced them in some capacity. Thomas: There are 67 controls where they've added flowdowns. Thomas: I'll explain what that means in a short while. Thomas: And there are two new controls. Thomas: It's obviously not expected that every organization adopts all 95 control enhancements and all 67 control flowdowns, for example, and for that matter even the two new controls. Thomas: It's very much dependent on the risks that have been identified, where they've been identified, and what the most appropriate controls are to meet the needs of the organization, to hopefully mitigate and remediate those risks and lower the exposure. Thomas: So 800-161 takes a set of security and privacy controls and enhances them to supply chain specific requirements. Thomas: We'll have a look at one sample that includes both a control enhancement, where they've added further guidance in terms of "this is what 800-53 has said and this is what we're adding to it", and a flowdown, where the flow of information and the expectation is that these are controls that you should pass on to your supply chain, and that's a key difference here. Thomas: So we've got control enhancements that a supplier should be using, or that you may want to impress upon the supplier, but it then gives clear indications of where in some cases that same control, which we'll identify for enhancement, or aspects of that control, or that control entirely, should be pushed down onto the supply chain where appropriate, where there are fourth, fifth and further parties. Thomas: And then lastly, we'll have a look at two brand new controls that are added into existing areas of 800-53.
Thomas: Now, before we continue, it might just be worth pointing out that the 800-53 standard does already have a supply chain risk management section all on its own, and it has a set of, I think, 15 or 16 or so controls all around supply chain risk management. Thomas: So it's already got one isolated piece, but it focuses on only key aspects and particular aspects of supply chain risk management. Thomas: There is still the wider expectation where you still look at the various controls: the access controls, the data security controls, encryption, and so on and so forth. Thomas: And you go by what the standard has set. Thomas: It hasn't added any additional elements around what this means from a supply chain perspective. Thomas: And that's the difference here. Thomas: It's where 161 has taken those controls and said: you do this, but this is how we then add additional requirements. Thomas: So let's take a look at one. Thomas: So, control enhancements: controls used to enhance or address supply chain risk. And control flowdown: where controls have been identified and where the requirements should flow down to further subtier contractors. Thomas: So this is an example. Thomas: So AC-1 under 800-53 was all around access control and establishing an access control policy, establishing the key due diligence and key requirements for user registration, user deregistration, use of privileged accounts and maybe other enhanced accounts if you're dealing with sensitive information. Thomas: And as you can see here, there's supplemental C-SCRM guidance that states enterprises should specify and include in agreements (taking into consideration the actual language) access control policies for their suppliers, developers, integrators, system providers and any other ICT or OT (operational technology) related service providers, including both physical and logical access to the supply chain and information systems.
Thomas: So as well as saying you should be developing an access control policy, and you clearly state how you approach access to different systems, whether they're sensitive systems or less sensitive systems, you should also be imposing these as part of the contractual requirement. Thomas: So as part of the contractual agreement, are you capturing for your supplier the need to have clear controls for how you deal with privileged access, for example, or role-based access? Thomas: As you can see at the end, it then also says enterprises should require the prime contractors to implement this control and flow down this requirement to relevant subtier contractors. Thomas: So think of that scenario where you have your supplier and they're developing a particular system, maybe a critical system that interacts with your own business data or maybe your own customers' data, and in turn they have various subcontractors and suppliers who may have access to that data as part of their delivery of a component. Thomas: And this is just emphasizing that where you have such scenarios, when you're looking at the access for those systems, there needs to be careful control of who can access, what type of person can access, how frequently you adjust the access or review the access. Thomas: These are the type of controls we expect you to then flow down to those subcontractors. Thomas: Now obviously, it needs to be taken into account that there could be various ways to demonstrate this. Thomas: Again, going back to organizations that have certifications: we're certified to ISO 27001. Thomas: We have SOC 2 certification. Thomas: We have other certifications around various other standards and frameworks. Thomas: This can be one method to demonstrate where we have these controls. Thomas: We're asking for them from a contractual perspective, and they can be demonstrated through the application of the best practice standards and frameworks mentioned.
Thomas: There are two new controls as well. Thomas: As you've seen earlier on, with 95 control enhancements and of course 67 control flowdowns. Thomas: Unfortunately, I won't have time to cover every single one, but hopefully that gives you an indication of where 161 has taken existing best practice controls and added its own element to them, to say this is how you deal with it in relation to your suppliers and your supply chain. Thomas: I mentioned there are two further controls, two new controls, that are added in. Thomas: One of them is in supply chain risk management and one of them is in maintenance. Thomas: So MA-8, a brand new control in 161, Maintenance Monitoring and Information Sharing, and SR-13, Supplier Inventories. Thomas: So let's have a quick look at the two controls here. Thomas: So the first one: the enterprise monitors the status of systems and components and communicates out-of-bounds and out-of-specification performance of those systems and components to suppliers, developers, system integrators, any other service providers who may be external, any other ICT or OT (operational technology) related service providers. Thomas: There's a lot of communication that could be going on here. Thomas: And so what this is asking about is, when you're looking at maintenance of critical systems, of critical system components, whether it's system components that are failing or that are listed as maybe out of specification based on the way they're performing, particularly after or as part of that maintenance process: how is that information being shared? Thomas: How is that information being gathered and delivered to you as the business? And this in some part also comes back to understanding the provenance of the supply chain and of the individual systems that you're procuring, where you know there's a wider supply chain.
Thomas: You can see from the original component or set of components to the final system or product: being mindful of that full end-to-end life cycle of the system will make it easier, certainly through discussion, through performance reviews, through contractual agreements, to understand where systems become out of spec, become out of service or out of maintenance, and where they do go wrong, that there's enough communication and information sharing, not only to yourself but to any other developers and service providers that need to know about this, so they can correct the issues and address the issues. Thomas: So you're not left with an information system or components that are seen as vulnerable and seen as weak because there have been some issues from those out-of-spec components. Thomas: Supplier inventories is quite an extensive one. Thomas: The control, on the face of it, seems quite simple. Thomas: Develop, document and maintain an inventory of suppliers. Thomas: The standard does go into a lot more detail in terms of what that means. Thomas: The purpose here is saying you're not just talking about "do you know your five or ten key suppliers, your tier ones, your tier twos", but have you tiered them? Thomas: Have you broken them down into various sections? Thomas: Have you understood the relationship between multiple suppliers? Thomas: Have you built up an inventory so you can track the relationship between those multiple suppliers, from tier ones, twos, threes, and any other tiers or priorities of suppliers? Thomas: So it's getting companies to think about how you develop that clear list so you can have a full view of your supply chain.
Thomas: Depending on your methodology for doing this, it could be easy or very, very difficult, and obviously depending on the size of the supply chain, the use of tools and systems to help you do this can sometimes provide an easier picture, as opposed to trying to do it from a manual perspective or using Excel sheets and other systems. Thomas: It's talking about developing that wider view, that diagrammatic view of your full suppliers and your supply base. Thomas: And so hopefully you should be able to get a clear view of the wider supply chain. Thomas: So those are the only two new controls that 800-161 has added in. Thomas: So let's step back a bit and look at some of the key aspects that 161 has called out. Thomas: The first is defining that structure of the risk management process and incorporating cyber security in your SCRM. Thomas: So the need, firstly, to identify those cyber security supply chain risks, capturing them within your enterprise risk management program. Thomas: It's where you have that defined approach to managing risk, making sure that includes your supply chain risks as well. Thomas: Establishing clear roles and responsibilities across all aspects of the organization that interact with suppliers. Thomas: And I say this could be one or two, this could be every aspect of your business. Thomas: But it's really getting to grips with making sure there's clear accountability and responsibility, and knowledge and awareness of what cyber security risks are associated with those suppliers that those business units and functions are dealing with. Thomas: Document processes to enable monitoring, management and information sharing across the organization. Thomas: So again, it comes back to making sure you've got a clear governance plan in place, from a strategic perspective as well.
Thomas: You've got a clear approach to how you address risk throughout the full end-to-end life cycle. Thomas: How you deal with remediation, how you capture controls from a contractual perspective and an agreement perspective, and the type of information that you want your own suppliers to demonstrate to you that they're doing due diligence on their suppliers, and ultimately your wider supply chain. Continued improvement: providing ongoing awareness and training. Thomas: So again, one of the key aspects we saw as a critical success factor: 161 gives particular attention to this, and it's building that culture of awareness of not only cyber security risks but how they fit into the suppliers that the organization is engaged with and the wider supply chain. And that could be role specific, it could be function specific, it could be company-wide in some cases, but particularly, as is true with all training, it's that continual updating of that training. Thomas: It's where new and emerging risks come into it, where there are changes in the supply chain program, risk management program or approach, and it's making sure there's that continual communication across all members. Thomas: Establish metrics for reporting and analyzing threat intelligence. Thomas: So signing up to ISAC organizations where appropriate. Thomas: Having visibility from interested parties and specialist groups that could provide you with information around the threat landscape, in particular where there are perceived new threats occurring in particular industries or more widely. Thomas: And also internal metrics, looking at the full scope of how you're managing risks and establishing risks, and working out a series of metrics that you're able to then report back up to senior management, and then continually reviewing the supply chain risks and adjusting the program.
Thomas: Again, it comes back to, when you're thinking about the maturity and maturity rating scale, going back to sustaining your program, enhancing your program. Thomas: Do we need to start automating processes? Thomas: Do we need to look at different insights from the metrics that we're capturing that enable us to proactively enhance an aspect of the risk management program, or to engage suppliers in a different way, and building up all that information and knowledge sharing, both externally but also internally, of that collective knowledge, experience and capabilities. Thomas: So those are the two key areas I'd certainly like everyone to take away and to think about. Thomas: So the way you're structuring your risk management program, in particular around cyber security, the use of standards such as 161 in collaboration with the likes of 800-53, and you can even use it across other standards as well, such as ISO 27001, because we're still talking about the wider risk management process. Thomas: And once it gives you that visibility of which controls are appropriate: how do we use controls from a supply chain contractual perspective? Thomas: Excuse me. Thomas: And making sure we've got that structure in place, and then that continual, ongoing approach. Thomas: Before we go to the questions and answers, I'll now turn it across to Scott, who I believe has a short piece to cover. Scott: That's right. Scott: Thanks, Thomas. Scott: Next slide, please. Scott: Thanks, everybody, for taking time out of your days to listen in as Thomas dropped some serious knowledge on the NIST framework, specifically 161. Scott: You know, one of the big takeaways for me, and Thomas, as you advance to the next slide, is the complexity of not just understanding the NIST requirements but putting them into practice in your enterprise.
Scott: I think the three biggest challenges that we see organizations trying to tackle or to address with a third-party risk management program or supplier risk management program are, first and foremost, the manual nature of the analysis, the collection and the general management of third-party controls via spreadsheets. Scott: The second big challenge that we see is how out of date that information typically is. Scott: Once you've engaged an auditor or performed some level of assessment and monitoring on your own, perhaps via spreadsheets, whatever, it's suddenly out of date the minute you execute it. Scott: And the third big takeaway from our perspective, as organizations consider how to put in place these types of controls and frameworks, is that so many different people throughout the enterprise need to be involved and engaged in that process. Scott: And unfortunately, they're all using their own siloed approaches and perhaps have their own very specific requirements for data or information in order to report on that supplier, and this really brings that together. Scott: But you can't do it manually and you can't do it in silos. Scott: So that's the value that Prevalent brings to the equation here: we have very specific questionnaires and assessments built into our platform that allow you to issue those questionnaires to your third parties and then automatically analyze that information, present it and automate it in such a way that is a much cleaner, simpler, more efficient approach to addressing those requirements. Scott: Next slide, please, Thomas. Scott: And you can go one more beyond that one as well. Scott: We see these risks happening, third-party risks, supplier risks, vendor risks, whatever term you want to use for it, at multiple different stages of the life cycle.
Scott: And those risks, as they present themselves, each have solutions and each require a separate benefit or outcome. Scott: And like I said, this is how Prevalent can help you deliver business value and make a business case for investing in a platform to automate the collection and analysis of this information, using a NIST assessment questionnaire as your foundation. Scott: But it all starts with sourcing and selection, right? Understanding the risks that a supplier inherently brings to your environment, how to treat that risk, how to categorize vendors based on that risk, how to assess them according to what you want to accomplish, and then seeing it through continuous monitoring and SLA performance monitoring all the way to the point where we have to offboard that particular vendor. Scott: So it's a life cycle based approach; it requires automation and discipline, and that's where we can help. Scott: Next slide, please, Thomas. Scott: What we've done, and Thomas mentioned this a few moments ago during his presentation, is we've taken several NIST frameworks, 800-53, 800-161, 171, 66, many of them, and we've distilled out what we think are some of the top controls and subcontrols that have to be addressed right off the bat from a cyber supply chain risk management perspective. Scott: And we've put together a mapping of those top 15 controls in this document that you see in front of you. Scott: And then as part of the follow-up to the webinar today, you'll get a link to download that checklist. Scott: So you'll get the recording, excuse me, and more. Scott: And it really summarizes how to very efficiently determine the most important control criteria and assess against them to achieve maximum benefit. Scott: So again, that's all I wanted to share with you today.
Scott: Thomas, I'll pitch it back over to you, I guess, Amanda, to open it up for questions. Scott: And we can go from there. Amanda: Yeah, thanks so much. Amanda: So, I'm going to go ahead and launch this final poll here. Amanda: It's very straightforward. Amanda: Are you looking to augment or establish a third-party risk management program in the remainder of the year, or are you even gearing up for 2023 and getting ready to, you know, set yourself up for success in that aspect here? Amanda: We have a bunch of questions. Amanda: I honestly don't know if we're going to get to many of them, but luckily all of you left your full names. Amanda: So, if we don't, we'll be sure to try to get those questions answered. Amanda: But in the meantime, I'm just going to start at the top. Amanda: And the first question is for Thomas. Amanda: Would you address the data literacy issue and its impact with respect to risk? Thomas: Okay, interesting question. Thomas: Thank you, Amanda, and thank you to whoever asked that question. Thomas: Impact with respect to risk. Thomas: I'm assuming, sorry, excuse me. Thomas: I'm assuming you're referring to the wider supply chain, or I guess we may be referring to internally as well. Thomas: I mean, there are a couple of things here to consider. Thomas: I guess the first is when you're getting that data back. Thomas: Well, one of the dangers that we see quite often, actually, is you send out a lot of information to suppliers, you've identified a lot of controls, and that's caused a lot of risks to come back, and it's that minefield of: well, what do we do next? Thomas: How do we interpret what is relevant? Thomas: How do we address each one in turn?
Thomas: And this is where it's so important, from 161's perspective, to establish that foundation of not only identifying risks and identifying how we treat them, but that cultural awareness as well. Thomas: By having more and more people, particularly from different business units, because let's be honest, not every business unit, not every function in an organization is going to be savvy on cyber security, or data privacy and information security for that matter. Thomas: And so the more, from a training perspective, that as an organization you can train the right individuals across the right levels of the business, then when risks do come back or when risks are identified, you'll have a much better chance to really ensure that the approach you take to address those risks, to manage them, to mitigate them, is getting the best success for those areas. Thomas: And I think this is obviously why it's important from this perspective that there's that continual collaboration, more so than I guess others; it's the knowledge sharing that we're trying to improve here across the business. Thomas: So there's more confidence in terms of how risks are addressed, and how we understand where those risks have come from and why they're risks. Thomas: That's pretty critical. Amanda: Yeah. Amanda: Perfect. Amanda: So we have about six more questions left. Amanda: I'm going to continue on. Amanda: To those who asked the questions, I advise you to just hang on a little bit longer, or we will keep this recording so at least you can look at it another time, but I think this is probably just the best idea for now. Amanda: So the next question is: would you recommend requiring or advising suppliers to do NIST audits? Thomas: Recommend requiring or advising suppliers.
Thomas: So look, I guess I mentioned from the outset that, particularly when you think of 800-53, it's a standard that's evolved so much that it's not only pertinent to federal agencies in the United States but globally it's seen as a massive best practice standard, almost in a similar vein to the ISO standards. Thomas: So yes, I would always recommend organizations look at it, as a starter, just because of the level of depth NIST goes into in terms of implementing controls and having those best practices. Thomas: Like all other frameworks, it does update on a regular basis. Thomas: So it should always be put in as a consideration for those organizations where cyber security is critical and where there's a heightened need to assess suppliers from a security perspective. Thomas: So for me, yes, it's always a good one to focus on. Thomas: There are obviously other standards out there. Thomas: But one of the benefits of NIST is it does go into a level of detail that other frameworks don't take you to from a technical perspective. Amanda: Well, another person is wondering if you personally know of any good training for NIST 800-161 at all, that's maybe a little bit better than the free publications from NIST itself. Thomas: Sure. Thomas: Unfortunately, I do not. Thomas: So yes, as you mentioned, obviously all of these NIST publications are free, but it sometimes feels like reading a large novel in many cases, which from a technical perspective is not always good. Thomas: There will be courses out there. Thomas: There aren't any large notable ones I'm aware of, but that's something I can certainly share with Amanda and those who may be interested later on. Amanda: That'll be awesome. Amanda: Thanks, Thomas. Amanda: All right, streaming this along here.
Amanda: So, the next one is: for an organization that is at the initial stages, how would you recommend starting a supply chain risk management program without trying to boil the ocean from the start? Amanda: Do you start, it says, for example with IT, then gradually build it into other areas of the business, or in your experience, what do you find works best? Thomas: So, yes, it's not always going to be practical to attack it from every angle immediately, particularly if you're a business with a lot of different units and each of them interacts with suppliers in some capacity. Thomas: Yes, certainly there will be areas where I think it's easier to establish, particularly if you're establishing it right from the get-go. Thomas: I mean, I mentioned at the start that where you already have a structured enterprise risk management program, that should make it easier to embed supply chain risk into the business, if you're literally starting from scratch. Thomas: I guess, yes, certainly cyber security and information security teams, ICT teams, IT teams and functions would be a good place to start, and then to leverage that framework and look at other key aspects. But ideally, from the get-go, if you can involve others at least from an awareness perspective, because one of the struggles here is always getting the buy-in; it can be a big struggle, particularly where you are involving a lot of business units. Thomas: So at the earliest stage, if you can involve multiple partners or business unit heads so that they have visibility. But yes, it doesn't hurt starting off with one unit first or one function first and then building out from there. Amanda: Thanks so much, Thomas. Amanda: Unfortunately, we do have to run. Amanda: There are other people that have other meetings to attend here, but thank you all so much for your time.
Amanda: If you have other pressing questions, the handful that is left, please do reach out to us at [email protected]. Amanda: If you are really needing those questions answered, or feel free to please join us at the next session. Amanda: But so sorry we weren't able to use all these questions and answer them right off the bat here, but we're happy that you engaged, and thanks so much, and we will see you at the next one. Amanda: Thanks, Thomas and Scott, so much for your time today. Thomas: Take care, everyone. Amanda: Bye.
©2026 Mitratech, Inc. All rights reserved.