2. Review of Related Literature

Academic year: 2024

There is a lot of existing literature discussing the risks of third-party applications and solutions; however, there is little discussion of the phases in the vendor life cycle at which an organization should step in to properly mitigate the information security risks that a vendor may introduce.

2.1 Review of Related Concept

2.1.1 Cybersecurity in a Supply Chain (CSC)

Cyber security in a supply chain (SC) provides an organization with the secure network facilities it needs to meet its overall business objectives. The integration of technologies has improved business processes, increased production speed, and reduced distribution costs. However, the increased interdependencies among various supply chain stakeholders have brought many challenges, including a lack of third-party audit mechanisms and cascading cyber threats. (Pandey, 2020)

CSC threat modelling process

The underlying process involves a systematic approach to identify the organization’s supply chain system, internal infrastructures, business processes, attack context, and relevant controls. (Pandey, 2020)

The proposed concept is useful in properly assessing the risks in a third-party solution from the point of view of an attacker.

Figure 2 - CSC Threat Modelling Process Diagram

2.1.2 Cloud Security Alliance, Cloud Controls Matrix

In 2021, the Cloud Security Alliance (CSA) released the Cloud Controls Matrix. The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, aligned to CSA best practices, that is considered the de facto standard for cloud security and privacy. The accompanying questionnaire, CAIQ, provides a set of “yes or no” questions based on the security controls in the CCM. You can now download the CCM and CAIQ together. (Cloud Controls Matrix, n.d.)

Most outsourced solutions in the market today are cloud-based (SaaS to be precise), so this cloud controls matrix provides a good starting point for firms to properly assess proposed and existing third-party solutions and applications.

2.1.3 OWASP Top 10 (2021)1

The OWASP Top 10 is one of the trusted standards for securing web applications. For the target organization, 100% of the onboarded third-party applications include a web application component, so it is worth looking at the changes in the latest version of the OWASP Top 10.

A stand-out feature of the new OWASP Top 10 is the inclusion of Insecure Design (A04:2021). This highlights the importance of imposing the target organization's minimum security standards on the vendor that will be creating the purchased application.

Lack of visibility (data flow diagram and application architecture) of an application often leads to undetected and unpatched vulnerabilities. (OWASP Top 10:2021, n.d.)

Figure 3 - Diagram showing the changes of OWASP top 10 from 2017 to 2021.

1 OWASP Top 10 2021 | https://owasp.org/www-project-top-ten/

2.1.4 Mitre ATT&CK | Supply Chain Management

Mitre is a non-profit organization that develops several standards and frameworks for different fields, including cybersecurity. Under the supply chain compromise threat, one of the listed mitigations is an effective supply chain management program.

A supply chain management program should include methods to assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the device supply chain.2
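The bill-of-materials check that the MITRE mitigation above refers to can be made concrete. The following is an added example, not code from the thesis or from MITRE: it takes a constructed, minimal bill of materials (a vendor name, component names, versions and SHA-256 digests; real SBOM formats such as CycloneDX or SPDX carry more fields), pins the BOM itself to a digest the organization obtained out-of-band from the supplier (the kind of artifact the procurement language is meant to require), and then compares every artifact actually received against it. Components whose digest differs, components listed but not delivered, and delivered files that the BOM never listed are all reported, and the delivery is accepted only when none of those findings occur. All names, file contents and the vendor are hypothetical.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed example BOM as a vendor might deliver it alongside a release.
# The digests are computed here from constructed file contents so that the
# example is self-contained and runs offline.
BOM_JSON = json.dumps({
    "supplier": "Example Vendor (hypothetical)",
    "components": [
        {"name": "webapp.war", "version": "1.4.2",
         "sha256": hashlib.sha256(b"webapp-1.4.2-contents").hexdigest()},
        {"name": "libauth.jar", "version": "2.0.0",
         "sha256": hashlib.sha256(b"libauth-2.0.0-contents").hexdigest()},
    ],
})

# Constructed delivery: file name -> bytes actually received from the vendor.
# libauth.jar differs from what the BOM lists, and helper.jar is not listed.
DELIVERY: Dict[str, bytes] = {
    "webapp.war": b"webapp-1.4.2-contents",
    "libauth.jar": b"libauth-2.0.0-TAMPERED",
    "helper.jar": b"unlisted-helper",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_delivery(bom_json: str,
                    delivery: Dict[str, bytes],
                    expected_bom_sha256: Optional[str] = None) -> Dict[str, object]:
    """Compare received artifacts against a bill of materials.

    If expected_bom_sha256 is given (a digest obtained out-of-band from the
    supplier), the BOM document itself is verified first; a BOM that does not
    match that pin is not trusted to say anything about the components.
    """
    findings: Dict[str, object] = {
        "bom_ok": True, "ok": [], "mismatch": [], "missing": [], "unlisted": []}
    if (expected_bom_sha256 is not None
            and sha256_hex(bom_json.encode("utf-8")) != expected_bom_sha256.lower()):
        findings["bom_ok"] = False
        return findings

    bom = json.loads(bom_json)
    listed = {c["name"]: c for c in bom["components"]}
    for name, component in listed.items():
        if name not in delivery:
            findings["missing"].append(name)          # promised but not delivered
        elif sha256_hex(delivery[name]) == component["sha256"].lower():
            findings["ok"].append(name)               # digest matches the BOM
        else:
            findings["mismatch"].append(name)         # altered or substituted
    # Anything delivered that the BOM never mentioned is a finding too.
    findings["unlisted"] = sorted(set(delivery) - set(listed))
    return findings


def delivery_accepted(findings: Dict[str, object]) -> bool:
    """True only when the BOM is trusted and every finding list is empty."""
    return bool(findings["bom_ok"]) and not (
        findings["mismatch"] or findings["missing"] or findings["unlisted"])


if __name__ == "__main__":
    # The pinned digest would normally come from the supplier through a
    # separate channel; here it is computed from the constructed BOM.
    pinned = sha256_hex(BOM_JSON.encode("utf-8"))
    result = verify_delivery(BOM_JSON, DELIVERY, pinned)
    for key in ("ok", "mismatch", "missing", "unlisted"):
        print(f"{key:9s}: {result[key]}")
    print("accepted:", delivery_accepted(result))
```

The check is deliberately strict in both directions: a file the vendor shipped without listing it is as much a finding as a listed file whose digest changed, because either one means the received components cannot be tied back to what was agreed. A signature over the BOM (the code-signing side of the same mitigation) would replace the out-of-band digest pin used here.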

2.2 Review of Related Methodologies

2.2.1 Existing process of the target organization – PIA (Privacy Impact Assessment)

PIA, or Privacy Impact Assessment, is the current default information security questionnaire used in the target organization. Although the questionnaire mainly contains data privacy and protection questions, it also has questions pertaining to the information security controls of an application, such as third-party VAPT results, security certifications, and other security configurations required by the organization’s ISP (Information Security Policy).

While this questionnaire serves the purpose of being a checkpoint for the application being onboarded, the gap lies in the onboarding process itself. If the vendor does not have the capability to comply with the organization’s minimum security standards, the project team and the information security team have their hands tied, since the business unit has already signed the contract with the vendor and has no option but to push through with the implementation. The end state is that the risks are entered into a risk acceptance form.

Figure 4 - Target organization's current vendor onboarding process

1. Project team creates the BRD (Business Requirements Document) and submits it to the Purchasing Team.
2. Purchasing validates the BRD and helps process the Vendor Selection Process.
3. Vendors each present their products to purchasing and the project team.
4. Project team selects a vendor and proceeds with the contract signing, which is monitored by the legal department.
5. Vendor creates / customizes the application based on the business needs.
6. SIT / UAT Phase.
7. Project team submits the project documentation to the information security team for assessment (PIA).
8. Project team proceeds with the go-live of the application.
9. Purchasing adds the vendor to the accredited vendors list.

2 MITRE ATT&CK | Supply Chain Management https://attack.mitre.org/mitigations/M0817/

2.2.2 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication NIST SP 800-161r1)

Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services.3

As shown in Figure 4, NIST C-SCRM requires organizations to have a thorough review of the potential vendor of a system or application. It goes through several risk assessments and reviews to ensure that risks are identified, and the controls can be implemented at all levels.

3 NIST Special Publication NIST SP 800-161r1 | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

Figure 5 - C-SCRM in the Procurement Process
