A complete and mature organizational cybersecurity infrastructure requires a governance framework such as COBIT 4.1 aligned with a security control framework such as ISO/IEC 27002:2005. Together they provide a process for managing the complex security control lifecycle of the organization (Wolden, Valverde, & Talla, 2015, p. 51). Risk management is part of this framework and supports the development of plans to mitigate and transfer risk to a tolerable level, including the risk that comes with using third-party vendors.
The COBIT 4.1 governance framework controls acquisition through domain AI5: Procure IT Resources, with the following control objectives (ITGI, 2008, p. 40):
- 1 Procurement control
- 2 Supplier contract management
- 3 Supplier selection
- 4 IT resources acquisition
These map directly to the ISO/IEC 27002:2005 controls (ITGI, 2008, p. 40):
- 1.5 Confidentiality agreements
- 2.3 Addressing security in third-party agreements
- 8.2 Exchange agreements
- 5.5 Outsourced software development
NIST has published a very detailed document, NIST SP 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations, that offers excellent guidance for any organization seeking to reduce supply chain risk. Its processes are meant to be integrated into the organization's existing system development life cycle (SDLC) and risk management processes (Boyens et al., 2015, p. 13). Several quality governance frameworks are available, and any suitable framework will strengthen risk management strategies and reduce cyber incidents.
References
Boyens, J., Paulsen, C., Moorthy, R., Bartol, N., & Shankles, S. (2015). NIST special publication 800-161: Supply chain risk management practices for federal information systems and organizations. Gaithersburg, MD: National Institute of Standards and Technology.
Boyson, S. (2014). Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems. Technovation, 34(7), 342-353.
CREATE.org. (2016). NIST Cybersecurity Framework: The supply chain and third parties. Retrieved April 22, 2018, from https://create.org/news/nist-cybersecurity-framework-supply-chain-third-parties/
Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T. J., & Flynn, L. (2012). Common sense guide to mitigating insider threats (4th ed.). Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute.
Verizon RISK Team. (2017). 2017 data breach investigations report (10th ed.).
Wade, J. W. (1965). Strict Tort Liability of Manufacturers. Sw. LJ, 19, 5.
Wolden, M., Valverde, R., & Talla, M. (2015). The effectiveness of COBIT 5 information security framework for reducing cyber attacks on supply chain management system. IFAC-PapersOnLine, 48(3), 1846-1852.