NCSC releases guidance on cyber security in the supply chain – Lexology

The National Cyber Security Centre (“NCSC”) has published guidance for medium and large organisations on how to assess and improve cyber security in their supply chains. The guidance is a supplement to the NCSC’s supply chain security principles.
Preliminary steps
The first step in the NCSC’s five-step plan is to take stock of your organisation’s current approach to cyber security risk management. This involves understanding the potential threats to and vulnerabilities in your supply chain, identifying the key people in your organisation, and understanding your organisation’s risk appetite.
Develop an approach to assess supply chain cyber security
When developing an approach to assess the resilience of your suppliers’ cyber security measures, the NCSC notes that it is important that the process is repeatable and consistent. The NCSC recommends creating multiple tiered supplier security profiles, with greater measures put in place for suppliers with access to critical aspects of your business.
Apply the approach to new supplier relationships
Once an approach is adopted, employees working with suppliers need to understand and be trained on your organisation’s new cyber security processes. They can then begin to implement these controls into your supply chain, starting with new suppliers.
From the outset of the relationship, the NCSC recommends that you consider whether it is necessary to carry out a cyber security risk assessment and/or conduct supplier due diligence. New supplier contracts should include an obligation on the supplier to comply with your organisation’s cyber security controls, and compliance with such provisions should be monitored throughout the contract’s duration. Once the contract reaches its conclusion, there should be an effective offboarding process which shuts down the supplier’s access to your organisation’s systems.
Integrate the framework into existing contracts
Integrating new controls into your existing relationships can seem like a daunting task. To make the process easier, the NCSC suggests filtering out the relationships which: (i) require little or no data; (ii) are purely for the supply of goods; (iii) have very limited time left to run; and/or (iv) do not involve the IT elements typically associated with a cyber attack.
The NCSC also recommends carrying out a risk assessment and ranking the remaining suppliers in accordance with the risk profiles you identified earlier in the process. This will help you to prioritise and focus on high-risk suppliers. When considering whether a vendor is high risk, the NCSC suggests you consider the following factors:
Continuous improvement
New cyber security threats and trends emerge on a regular basis. The NCSC advises keeping up to date with new developments and continuously reviewing your processes in order to reduce the likelihood of new risks being introduced into the business through your organisation’s supply chain. It also recommends taking a collaborative approach with your suppliers, to help them identify and remediate any potential vulnerabilities.
© Copyright 2006 – 2022 Law Business Research