This guidance informs executives and supply chain policy makers of key SCRM considerations.
All organisations need to consider some element of Cyber Supply Chain Risk Management (SCRM). If another party is involved in the delivery of a product or service to your organisation, there will likely be an introduced cyber security risk from that entity. Additionally, your organisation will transfer any untreated supply chain risk to your customers.
The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) has released two products to inform government, critical infrastructure and large organisations about key cyber security issues related to Cyber Supply Chain Risk Management.
Organisations can use this guidance to:
- enable a discussion at multiple levels in the organisation
- frame the correct questions in relation to SCRM
- understand what is meant by the terms 'high risk vendor' and 'extrajudicial direction'
This guidance provides cyber security practitioners, procurement officers and supply chain decision makers with a more detailed discussion of the key cyber SCRM elements.
Cyber supply chain guidance
- Australian Critical Infrastructure Centre, Protecting your critical infrastructure asset from foreign involvement risk: https://www.homeaffairs.gov.au/nat-security/files/cic-best-practice-guidance-supply-chains.pdf
- Department of Finance, Buying for the Australian Government (procurement policy): https://www.finance.gov.au/procurement/procurement-policy-and-guidance/buying/
- UK National Cyber Security Centre, Supply Chain Security Collection: https://www.ncsc.gov.uk/guidance/supply-chain-security
- NIST, Framework for Improving Critical Infrastructure Cybersecurity: https://www.nist.gov/cyberframework/framework
Cyber security guidance
- The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems: https://www.cyber.gov.au/ism
- The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM. The complete list of strategies can be found at https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents
- ACSC, Managing security when engaging MSPs: https://cyber.gov.au/business/publications/msp-risk-for-clients/
- ACSC, MSP – managing risk to customers: https://www.cyber.gov.au/publications/msp-risk-for-msp
- ACSC, MSP Better Practice Principles: https://www.cyber.gov.au/publications/msp-better-practice-principles