Trusting Your Supply Chain
20th September 2019
There were concerning developments that suggested that the global battle on cyber threats may become a regionalised affair.
This focuses on multiple media reports in the United States back in 2017, where federal agencies were to be prohibited from using Kaspersky Lab antivirus software. It was alleged that the Russian secret services had some form of backdoor access through the software, giving them visibility of the content and configuration of end-user devices.
A number of US retailers announced their intention to stop selling the antivirus software.
This matter prompts us to think about the effectiveness of the security controls that we may have implemented within our businesses.
Is a recognised antivirus enough anymore?
For most people, simply having a recognised antivirus/malware protection tool in place is considered sufficient, and ensuring that our users are aware of the need to regularly update definition files and scan for new issues is about as far as we think we need to go.
But actually, this development should have prompted us to look at the “integrity” of our implemented security controls – can they be trusted to provide the protection that we expect?
Whilst, as far as we are aware, there is nothing to substantiate the claims about Kaspersky Lab in this era of “fake news”, specific high-risk or regulated sectors that may be concerned with state-sponsored interference or industrial espionage should be reminded of the importance of properly evaluating the vendors and partners who contribute to their security framework.
Within Annex A of the information security standard ISO27001:2013, control A.15.1.2 requires us to address security within supplier agreements, whilst A.15.1.3 notes that agreements with suppliers shall address the risks associated with information and communication technology services.
For users of our InfoSaaS risk management solution, a quick reference to the Statement of Applicability will identify which assets have these controls assigned.
InfoSaaS can protect you and your suppliers
Your organisation needs to determine how it will identify external relationships and assets, select suitable suppliers, and manage those relationships moving forward.
Using outsourced products and services introduces risks. These risks need to be identified, assessed and managed by your organisation.
This is where our Supply Chain Management will support you.
The world is always changing, and we need to ensure that the protection we provide to the valuable data of our organisations, personnel and customers is keeping up.