
K0169: Knowledge of Information Technology (IT) Supply Chain Security and Risk Management Policies, Requirements, and Procedures

Supply Chain Security Policies

Similar to most other business domains, supply chain security elements include, but are not limited to: physical security, access control, employee, user and customer security, security education and training awareness, procedural and workflow security, information protection and documentation security, partner communication and transportation security, risk management and disaster recovery, etc. The value or importance of each of these elements may vary from one case or business to another. Unlike security policies in other business departments, security policies in the supply chain should reach beyond the business premises to partners and to the communication channels shared with supply chain partners.

Several US entities contribute to creating supply chain security policies, such as the Department of Defense (DOD), Department of Homeland Security, National Institute of Standards and Technology (NIST), Office of Management and Budget, Federal Energy Regulatory Commission, and General Services Administration (GSA). Due to the international nature of supply chain security, international organizations such as the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC), World Customs Organization (WCO), International Civil Aviation Organization (ICAO), International Maritime Organization (IMO), and Universal Postal Union (UPO) also contribute to policies and standards in this area.

One notable security-related supply chain policy in the USA and most other countries is keeping all or most of the supply chain within national borders. In some sensitive US government organizations, this is a mandatory policy in IT procurement. In other cases, if international suppliers are allowed, either preference is given to certain countries or particular countries (e.g., China, Russia, or India) are excluded from the selection.

Another important policy component relates to the vetting process. With variations depending on the nature of the organization and the procurement project and its details, vetting can occur at different levels to cover most supply chain components. For example, many government organizations require certain levels of security clearance for all workers from the contractor or supplier side who take part in the procurement project. As part of the vetting process, suppliers may receive credits or liabilities based on their compliance or non-compliance with security policies or requirements, or in cases where security vulnerabilities were discovered within their areas of responsibility.

US NIST describes the following important principles for supply chain security policies:

• Security breaches are inevitable: Write supply chain security policies as if security breaches will occur; be proactive rather than reactive.

• Security problems are not only technical or IT related; they also have social, human, training, and management aspects. Training is an important element of any security framework, educating people on security issues, regulations, controls, and protection mechanisms.

• Security is comprehensive; all it takes is one vulnerability or weakness in one component (e.g., a technical, network, management, human, or training weakness).

• Resilience: The supply chain should provide the required products and/or services under normal as well as stress or failure conditions.

Here are a few examples of US supply chain security policies:

Supply chain security policies (SAFE Port Act of 2006): This act requires testing of all US-bound cargo containers and scanning of all containers for radiation at the 22 busiest US ports.

Secure Freight Initiative (SFI): The US Department of Energy and US Customs require 100% scanning of US-bound cargo at selected ports.


Supply Chain Security Requirements and Procedures

Security problems in the supply chain should not be seen as IT problems only, as they can seriously impact different functions in the supply chain. Security requirements should also not be seen as surplus, necessary only for government contracts or when compliance with certain regulations or standards is required.

System analysts and the team preparing procurement requirements may view security requirements as extra overhead, and time and budget limitations may reinforce such views. However, enterprise-level security requirements and policies should be developed so that they can be implemented easily across all organization projects. In some cases, projects or their components can be classified under several security-related categories (e.g., low, medium, and high). Based on the category a project or component falls into, the relevant security requirements can be pulled and applied from the organization's existing template.

When it comes to best practices and procedures in supply chain security, sharing information and experience between the different private and public sectors is important. On the other hand, in many cases, due to information classification issues, government sectors are reluctant to share or provide such information. There are also several attempts at building national or global digital or online threat intelligence monitoring systems to keep all members informed of the latest malware, hacking attempts, breaches, etc.

Supply Chain Risk Management Policies

In supply chain activities, several categories of risk may occur. Here are a few examples of such risk categories:

• Vetting process problems: Direct or indirect service providers in the supply chain may leak sensitive information or expose some system vulnerabilities.

• Poor or negligent information security practices by contractors or suppliers.

• Vulnerabilities within suppliers’ premises, management, practices, etc.

• Suppliers’ usage of unverified or improper third-party software or systems.

• Suppliers lack proper security, access controls, or auditing systems.

Supply chain risk management policies and processes are identified, established, and managed by organizational stakeholders and any assigned employees.

Cross-functional communication or reporting mechanisms: While the supply chain is a single business functional component, security and risk management issues are not; they cut across every major function and business area. The risk management team should have the required technical and functional knowledge to collect and plan for organization-wide risk management requirements. If the different business functions do not communicate and collaborate effectively, especially on issues related to security and risk, small problems can eventually grow into serious ones.


K0257: Knowledge of Information Technology (IT)