Q. Does your internal security program integrate with your contract management process to ensure that third party risks are identified and managed?
All organisations should consider supply chain risk management. If a supplier, manufacturer, distributor or retailer (i.e. businesses that constitute a supply chain) are involved in products or services used by an organisation, there will be a supply chain risk originating from those businesses. Likewise, an organisation will transfer any supply chain risk they hold to their customers.
For example effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services for systems throughout their lifetime. This includes their design, manufacture, delivery, maintenance, decommissioning and disposal. As such, cyber supply chain risk management forms a significant component of any organisation’s overall cyber security strategy.
Did you know that in many cases, supply chain risk will be the result of foreign control or interference, poor security practices, a lack of transparency, or enduring access?
One element that is generally not dealt with in any consistent or standardised way is personnel risks in the supply chain.
It matters in cyber because many breaches occur from the inside.
Embedding personnel vetting measures (such as suitability reviews and assessments) into the management of third parties (contractors, partners, and other service or product solution providers) are some of the best practices in managing third party risk.
Some contract conditions make sure that the people doing the work have had police checks – but is that enough in our day & age?
Consider having your suppliers, contractors and key management personnel to undergo a background ‘suitability clearance’.
This will be standard for 2 million Australians who work in critical infrastructure – be it security clearances, ASIC cards or a new Critical Infrastructure Suitability clearance – tailored to your sector.
Talk to us abut how we can assist in reducing your risks.
Additional information that maybe of interest: