Thales Blog

Managing Supply Chain Risk = Business Imperative

November 5, 2013

It's a fact: enterprises are becoming more demanding of their supply chains, especially with the process outsourcers to whom they give their valuable data and on whom they rely. As more and more data moves offsite and into the cloud, this is one industry trend I expect to see accelerating rapidly, so I thought I'd get the conversation started here.

Business process outsourcing (BPO) is a subset of outsourcing that involves contracting the operations and responsibilities of specific business functions (or processes) to a third-party service provider. The basic idea is that BPO helps increase a company's flexibility and improve its operating results by taking things that are "non core" out of the mix, turning fixed costs into variable costs, and improving business processes. That sounds great, and business process improvements are always necessary, but every coin has two sides, and the other side of this particular coin is the risk inherent in outsourcing in an era of APTs and insider threats. How do you ensure that all the right controls are in place when you're outsourcing parts of your business (and some of your valuable data) to third parties?

According to a best practices report issued by the Supply Chain Risk Leadership Council (SCRLC), effective supply chain security and protection includes basic standards not only for physical security, but also for access controls, personnel security, education and training, procedural security, information technology (IT) security, business partner security, and conveyance security from the point of origin to final destination within the supply chain. From 10,000 feet, the SCRLC has it covered. However, the devil is in the details and the world has changed enormously since that particular report was issued. From what customers and prospects tell me, today's best practices in supply chain management must include more sophisticated security intelligence, including the ability to discover and thwart both APTs and insider threats (including potential cloud security threats that result from outsourcing to cloud service providers or to BPOs who use 3rd party cloud services as their own infrastructure).

For anyone looking for a best practices recipe that will help mitigate the risk in BPO, I think the National Institute of Standards and Technology (NIST) got it right with the following 10 supply chain risk management practices:

1. Uniquely identify supply chain elements, processes and actors. Knowing who and what is in an enterprise's supply chain is critical to gaining visibility into what is happening within it, as well as to monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into the supply chain, it is impossible to understand and therefore manage risk and to reduce the likelihood of an adverse event.

2. Limit access and exposure within the supply chain. Elements that traverse the supply chain are subject to access by a variety of actors. It is critical to limit such access to only as much as necessary for those actors to perform their roles and to monitor that access for supply chain impact.

3. Establish and maintain the provenance of elements, processes, tools and data. All system elements originate somewhere and may be changed throughout their existence. The record of element origin along with the history of, the changes to and the record of who made those changes is called "provenance." Acquirers, integrators and suppliers should maintain the provenance of elements under their control to understand where the elements have been, the change history and who might have had an opportunity to change them.

4. Share information within strict limits. Acquirers, integrators and suppliers need to share data and information. Content to be shared among acquirers, integrators and suppliers may include information about the use of elements, users, acquirer, integrator or supplier organizations as well as information regarding issues that have been identified or raised regarding specific elements. Information should be protected according to mutually agreed-upon practices.

5. Perform supply chain risk management awareness and training. A strong supply chain risk mitigation strategy cannot be put in place without significant attention given to training personnel on supply chain policy, procedures and applicable management, operational and technical controls and practices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines for establishing and maintaining a comprehensive awareness and training program.

6. Use defensive design for systems, elements and processes. The use of design concepts is a common approach to delivering robustness in security, quality, safety, diversity and many other disciplines that can aid in achieving supply chain risk management. Design techniques apply to supply chain elements, element processes, information, systems and organizational processes throughout the system. Element processes include creation, testing, manufacturing, delivery and sustainment of the element throughout its life. Organizational and business processes include issuing requirements for acquiring, supplying and using supply chain elements.

7. Perform continuous integrator review. Continuous integrator review is an essential practice used to determine that defensive measures have been deployed. Its purpose is to validate compliance with requirements, establish that the system behaves in a predictable manner under stress and detect and classify weaknesses and vulnerabilities of elements, processes, systems and any associated metadata.

8. Strengthen delivery mechanisms. Delivery, including inventory management, is an essential function within the supply chain, which has a great potential for being compromised. In today's environment, delivery can be physical such as hardware or logical such as software modules and patches.

9. Assure sustainment activities and processes. The sustainment process begins when a system becomes operational and ends when it enters the disposal process. This includes system maintenance, upgrade, patching, parts replacement and other activities that keep the system operational. Any change to the system or process can introduce opportunities for subversion throughout the supply chain.

10. Manage disposal and final disposition activities throughout the system or element life cycle. Elements, information and data can be disposed of at any time across the system and element life cycle. For example, disposal can occur during research and development, design, prototyping or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys and partial reuse of components.

The ultimate takeaway here is that managing your supply chain risk is a business imperative. The loss of trust stemming from a security breach can devastate your business, even if the breach occurred because of the actions of someone in your supply chain. Customers don’t give a hoot exactly where the process failed. They decided to do business with YOUR company, so they will hold YOU ultimately responsible.

If your organization is embracing the cloud and believes in BPO, what are you doing to protect your valuable data?