Secure Your Supply Chain
Learning Objectives
After completing this unit, you’ll be able to:
- Describe the responsibilities of an organization in assessing suppliers’ level of cyber risk.
- List key skills needed to protect the application development process.
- Describe the zero-trust approach to security.
Assess Suppliers’ Cyber Risk
In the module, Cybersecurity Risk Management, you learned how to think like a business leader and how to foster internal and external partnerships. You also learned about strong cyber hygiene practices, implementing strong authentication, and protecting against phishing. In this module, you learn about the remaining five tenets of the WEF guide, starting with securing your supply chain.
Third-party risk management is an issue that keeps many chief information security officers (CISOs) awake at night. It’s a good idea as a leader to keep an up-to-date inventory of what data is shared with what entities, under what conditions. There are several steps you can take to mitigate the risk of compromise of sensitive information:
- Conduct due diligence on the backgrounds of vendors. This includes stipulating the security checks run on the third party’s employees.
- Limit third-party access in accordance with need. Share only the information the third party needs to perform its function, and regularly review information-sharing agreements.
- Contractually bind vendors to security policies. Data-sharing agreements should clearly state what policies the vendor must follow and the consequences if they do not.
- Establish a cadence for audit and review of the third-party relationship, based on the criticality and risk of the relationship.
Secure the Software Development Lifecycle (SDLC)
The pieces that make up an organization’s SDLC are a key aspect of the supply chain. In order to secure the SDLC, savvy security teams enable developers to write secure code from the onset, embedding security-by-design practices in the full lifecycle of the project and product development. You can learn more about this approach in the Trailhead module, Application Security Engineer Responsibilities. In addition to securing the development lifecycle, savvy cybersecurity leaders also think about how to protect their data no matter where it flows, a concept known as a zero-trust approach to security.
Implement a Zero-Trust Approach to Security
In the past, organizations typically deployed a perimeter-based approach to security, in which they treated the organization’s network as a trusted zone, placing the primary security defenses, such as firewalls and antivirus protection, at the edges. Today, cybersecurity leaders recognize the need to adopt a zero-trust approach that does not assume that an organization is safe and sound within the confines of its own “secure” corporate network. A zero-trust approach places control around the data assets themselves. You can learn more about this approach in the Trailhead module, Network Security Planning.
Sum It Up
In this unit you’ve learned how organizations protect sensitive data no matter where it is stored. They do this by assessing and auditing third-party relationships, securing the SDLC, and moving toward a zero-trust approach to network security. Next, let’s turn to how organizations can prevent, monitor, and respond to cyber threats.
Resources
- External Site: WEF: The Cybersecurity Guide for Leaders in Today’s Digital World
- External Site: U.S. Chamber of Commerce: Assessment of Business Cyber Risk
- External Site: Forbes: Why Third-Party Cyber Risk Management Matters for Modern Businesses
- External Site: NIST: Third-Party Personnel Security, National Institute of Standards and Technology
- PDF: NIST: Best Practices in Vendor Selection and Management
- Trailhead: Cyber Resilience Program Development