Security Think Tank: Measuring security maturity in the supply chain

Experts provide valuable advice on how organisations can measure the security maturity in their supply chains and apply the results to improve their overall security posture.

How can organisations measure the security maturity in their supply chains and apply the results to improve their overall security posture?

Form strong relationships with security suppliers

Measuring security in supply chains is inherently difficult due to their "third party" nature. Various contracts will be governing the relationship and it is a careful balancing act to negotiate around what is formalised within the contract and what makes for a pragmatic safeguard, writes Dani Briscoe, research services manager at The Corporate IT Forum.

Understanding the maturity of your own security model is key and members in the public sector are following the Information Assurance Maturity Model and Assessment Framework (HMG IAMM), with the majority of private sector members following ISO27001. Some 88% of members responding to the tISS security strategy survey are working towards, or have achieved compliance with this standard, with 70% of these same members looking to enforce this certification or their own policies on their partners and suppliers. Appetite to achieve this is there; how this will play out in practice is undoubtedly a topic for future member discussion.

A good place to start is to ensure that internal security models are as mature as possible. One member organisation with a mature IS department has a service model with three areas: operational IS; project advice; and policy compliance (Governance in IS Report, May 2010), while others have internal auditors regularly checking internal and external audit points. This saves both time and cost when external auditors visit.

Externalisation of internal standards and policies, particularly if you are the "elephant in the jungle", is probably easier for large organisations. Having a larger impact and a certain amount of leverage can ensure that a supplier "plays ball" with you. Consequently though, issues around security breaches and failures have a potentially bigger impact on the brand.

Understanding risk across the organisation, as well as through the supply chain, is integral to evaluating and identifying the weakest points; having specific processes in place to mitigate these is a crucial step. A 360-degree approach to ensure that not only is the big picture understood, but that the supply chain buys in to the process throughout, can be successful. The experiences gained and the approaches taken in coming to terms with de-perimeterisation have already laid the groundwork for setting and measuring security throughout the chain.

With confidence in the internal security model, the picture now changes to what can be agreed contractually with the supplier. Most contracts will carry clauses for protecting data and assurances over processes, but ensuring that there are sensible and actionable consequences to not delivering on security is essential.

Risk is something that concerns members when discussing suppliers and many are struggling with how to manage this currently. What is the scope of risk for suppliers and how much time should be spent on this? An increasing number of regulations and legislation are increasing the impact that risk has. Priority is also an issue: ensuring that both the supplier and the organisation have the same expectations is important (although this can be true of all aspects of the contract), and ensuring that both sides have the same priorities should lead to a successful supplier relationship.

Adopt a common security assurance approach

Modern supply chains are complex, highly ordered systems linked by information. For an organisation relying on its supply chain, both physical and information security aspects are important. Unfortunately, from the information perspective, there are many standards available, which differ on the level of focus (high-level or detail) and what is mandatory or not, making measurement of controls and maturity problematic, writes Adrian Davis, principal research analyst at the Information Security Forum (ISF).

The challenges are to create an information security baseline for use by all buyers and providers in a supply chain; establish a consistent method of measuring maturity against that baseline; and provide a method for comparing maturity across the organisations in the supply chain.

To meet these challenges, the ISF has released the external supplier common baseline and associated maturity assessment tool; ISO is drafting ISO/IEC 27036 information security in external relationships, which includes the ISF common baseline; and the Common Assurance Maturity Model (CAMM) has recently been announced. At the heart of all these approaches is a set of mandatory and risk-driven arrangements or controls and a method to measure implementation.

Buyers and providers in supply chains should adopt one of these approaches. This promotes the setting of a consistent expectation of information security between them by specifying a known baseline in contracts or service level agreements.

A regular measurement cycle, supported by a tool, should be agreed. The results should be shared and used to establish a maturity level. The provider can then work to maintain or improve its maturity, while the buyer can either ask for improvements or monitor the provider. Aggregation of the results across providers will indicate trends, highlight hotspots where problems may be found or emerge. Such aggregation will allow the buyer to make an informed judgement on the risks in its supply chain and hence inform its risk posture and risk appetite.

Ensure suppliers' IT systems are accredited

Increasingly, companies are coming to realise that the security of their IT systems can be compromised by their suppliers' IT systems - in other words, the downstream supply chain IT. One of the obvious routes to find out if your supplier's IT systems are secure is to ensure that the suppliers have ISO 27001 accreditation for their IT systems, writes Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

However, just because a company has ISO 27001 accreditation doesn't necessarily mean their systems are as secure as yours, and short of asking for the supplier's statement of applicability and an auditor's opinion you aren't really going to find out how secure their systems are.

Alternatively, you could do your own audit and if you're a very big company, with an IT audit group, then that is certainly something you could do. However, SMEs or even smaller large companies usually don't have the resources to do this.

Another route is to see whether the supply chain has accreditation to any of the other security standards such as PCI-DSS. PCI-DSS is a rigorous security test of the IT systems against a defined set of standards, whereas ISO 27001 certifies that a company has an information security management system in place.

What else can a company do? One thing is to look to see if your supply chain company has an ICO number which shows that it has registered with the Information Commissioner's Office (ICO). Another thing you can do is to go to the ICO website and look at the personal information audit information and then ask your supplier to complete a PIA form for the information of interest.

Finally, of course, you can include a set of security standards you would expect the company to adhere to in your contract. These would typically be added as an annex with a simple clause in the contract pointing to them. To do this, however, you need to be fairly specific and define what it is you are looking for and how you intend to measure it - whether it is purely going to be contractual; whether you would be looking for some annual statement of compliance, perhaps issued by a senior board member of the company; or whether you would be looking for an audit opinion on compliance with the contract, i.e. something that, if things went wrong, you could take to a court of law and know that you would be in a good position to sue.

Build a clear picture of the supply chain and use latest security standards

Obvious and easy as it may sound, key to measuring security maturity of the supply chain is to first establish a clear picture of what comprises the supply chain - who the suppliers are and what is the level of sensitivity of information exchange and business processes that they are involved in. The findings of this analysis will provide the basis on which to take the necessary measures to determine and improve organisations' security posture, writes Alessandro Moretti, volunteer member from Switzerland of the (ISC)2 Board of Directors, and a senior risk and security executive in financial services.

Often, information security departments assume that the due diligence on how the corporate assets will be protected by third parties has already been done at the time of signing the contract with the suppliers and hence ascertain their security posture on that basis. This approach restricts improvement, as security is not static but an evolving function.

At best, information security departments use the Statement on Auditing Standards (SAS) 70 or its equivalent to evaluate the security control processes and activities that suppliers use, which contributes towards assessing their organisation's overall security posture. At worst, information security departments undertake the old school style of supplier assessment using standards such as the British Standard (BS) 5750 for quality assurance and the 270001, which do not include all the controls and processes to accurately gauge the security maturity of suppliers and therefore the security posture of organisations.

Information security departments should be migrating from SAS 70, BS 5750 and 270001 to the more robust and all-encompassing standards - Statement on Standards for Attestation Engagements (SSAE) 16 and International Standard on Assurance Engagement (ISAE) 3402, which were launched in June this year. In addition, supplementing these standards with the Service Organisation Control (SOC) 2 reporting framework is important - SOC 2 provides visibility on controls used by suppliers for security, availability, processing integrity, confidentiality and privacy.

Finally, it is worth mentioning that while these standards should be used, the criteria to assess the security maturity of certain types of suppliers should be modified as necessary. For instance, the level of security maturity required of cloud service providers is substantially higher than most other suppliers. Therefore, it is wise to supplement assessment frameworks such as SSAE 16 with those being developed by the Cloud Security Alliance for data governance.

Don't overlook data leakage during penetration testing

In 2008, I had the honour to deliver a keynote at the E-COPP Security event, hosted by Loughborough University. This presentation discussed the aspect of cyber crime and the associated threats that were impacting the interconnected world, users, and global organisations. The theme of this presentation was really all about sending out a battle cry that cyber crime, cyber fraud, and the potential of cyber warfare should be expected to grow, in what was then the coming years of 2009, 2010 and onward, writes John Walker, member of London Chapter ISACA Security Advisory Group and director of Communications Common Assurance Maturity Model.

However, I was somewhat knocked off-balance to find that a very senior academic, involved in the world of cybersecurity, expressed that he disagreed with my assessment, and stressed that such computer crimes were actually in decline.

The underpinning of this opposing opinion that "cyber conflict" was actually in decline was based on the low levels of detection and visibility of cyber adversity, with statistics tending to demonstrate that things were getting better. It looked like, for some reason, all of the bad guys had been out to their local outfitter, and had purchased a brand new white hat! This, of course, was certainly not the case - the reason was that it was around this time when the "insecurity" industry started to go deeper underground, and rather than rattling their cybertronic tools, they were being much more gentle, and sensitive, and were starting to evolve into the new world of cloaked operational activities - their intent was no longer to boast of their dark-skilled computer prowess, but were much more focused on the mission of gathering gilt.

In this year of 2011, I feel we are aware that the progressive path of cyber conflict has been in a continued state, and now also encompassing the interests of the hacktivism community, adding their lot into the pot of the darker world of cyber conflict.

But all that said, what really worries me is when I see images of some young hacker, who has literally just left school, linked to the profiles of some of the organisations which have suffered incursion, and compromise.

Now this is just yet a suggestion, but could it be that these successful incursions are not so much about smart hacking techniques, but more a case of leveraging passive tools to target low-hanging, exposed fruit which makes available logical intelligence which can be harvested by a "footprinting" activity (as per The Cuckoo's Egg by Cliff Stoll, re *nix shadow password files being exploited offline).

I feel one area which gets overlooked is that of the potential attacker running some Black Hat tools to gather masses of information in the form of DNS records, files and content obtained from metadata, which may be extracted in the form of data leakage - and you may take it from me, based on first-hand experience, post analysis and extraction of such meta-objects, these can provide information on internal users, file structure, OS type and version, applications, servers, e-mail addresses, user names, IP addresses, printers, internal servers and, at times, hard coded files (as I have discovered, in one case, complete with user ID and password).

Further analysis of the above can even evidence as to how some users are working within that environment - for example, using privileged accounts for routine BAU operations, which may then assist a would-be hacker to design his/her vectors of attack against targeted individual users. The other benefit of such passive footprinting is that because it is based on data leakage and extracting metadata from published or obtained objects, it tends to be very silent, and doesn't tend to set off any alarms.

The conclusion is an easy one - if more organisations evaluated their own perimeters of operations, seeking out any actual or possible opportunities for passive data leakage, in my opinion, there would be a significant reduction in successful incursions. So when you next commission a penetration test, just consider adding in a little consideration for data leakage - trust me, it makes a lot of sense.
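One way to run the self-check this piece recommends, as an added example that is not code from the article or any of its contributors: it reads the docProps parts of an OOXML file (.docx/.xlsx/.pptx) published on your own perimeter and flags metadata values that look like internal usernames, UNC paths, e-mail addresses or IP addresses. The sample document, the field names scanned and the leak patterns are assumptions constructed for the example.

```python
"""Flag leaked metadata in published Office documents (added example, stdlib only)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two standard OOXML metadata parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Values a defender would not want in a document on a public web site (assumed patterns).
LEAK_PATTERNS = {
    "unc_path": re.compile(r"\\\\[\w.-]+\\\S+"),                 # \\server\share\...
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain_user": re.compile(r"(?<!\\)\b[A-Z0-9_-]+\\[\w.-]+\b", re.IGNORECASE),  # DOMAIN\user
}

CORE_FIELDS = ("dc:title", "dc:creator", "cp:lastModifiedBy", "dc:description")
APP_FIELDS = ("Company", "Manager", "Application", "Template", "HyperlinkBase")


def read_properties(doc_bytes):
    """Return {field: value} from docProps/core.xml and docProps/app.xml."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in CORE_FIELDS:
                el = root.find(tag, NS)
                if el is not None and el.text:
                    props[tag.split(":")[1]] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            for tag in APP_FIELDS:
                el = root.find("ep:" + tag, NS)
                if el is not None and el.text:
                    props[tag] = el.text
    return props


def find_leaks(props):
    """Return sorted (field, pattern_name, matched_text) for every suspicious value."""
    hits = []
    for field, value in props.items():
        for name, pat in LEAK_PATTERNS.items():
            hits.extend((field, name, m) for m in pat.findall(value))
    return sorted(hits)


def build_sample_docx():
    """Constructed sample: the metadata parts of a .docx, as an office suite writes them."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            "<dc:title>Quarterly report</dc:title>"
            "<dc:creator>CORP\\jsmith</dc:creator>"
            "<cp:lastModifiedBy>jane.smith@example.com</cp:lastModifiedBy>"
            "</cp:coreProperties>") % (NS["cp"], NS["dc"])
    app = ('<Properties xmlns="%s"><Company>Example Corp</Company>'
           "<Application>Microsoft Office Word</Application>"
           "<Template>\\\\fs01\\templates\\report.dotx</Template></Properties>") % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for field, kind, text in find_leaks(read_properties(build_sample_docx())):
        print("%-16s %-12s %s" % (field, kind, text))
```

Point `read_properties` at each file harvested from your own public web site to see what a passive footprinting pass would collect before the pen test does.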

Make risk management a supply chain management core competency

Political turmoil across the Middle East and Northern Africa and the after-effects of the environmental disaster in Japan highlighted how more than just supply/demand mismatches can cause widespread instability that cripples supply chain organisations. While supply chain risk is a growing challenge for supply chain management (SCM) organisations, Gartner research finds that few SCM groups have formalised their risk management strategies and processes, writes Dwight Klappich, research vice-president at Gartner.

More than 41% of 257 respondents in North America to Gartner's 2011 Supply Chain User Study said that increased supply chain risk contributes significantly to their organisations' supply chain complexity. Only 4% identified risk as the most important contributor to complexity. Only 14% of respondents are positioned to effectively exploit risk, while 86% avoid or reluctantly tolerate supply chain risk. Only 18% of respondents said they have formalised supply chain risk management and 50% have no intention of doing so. However, 25% are actively pursuing formalisation, while the remaining 25% are considering formalising it more than a year in the future.

Supply chain risk management is like advice to eat healthily and exercise - it is something people understand they should do, they have plenty of information about the benefits of doing so and ways to approach it, but it is inconvenient, hard to stick with, and thus overlooked. Business incentive systems are not structured to reward for risk management competency because business focus remains on cost reduction and efficiency. In many cases, a resilient organisation might be slightly more costly and less efficient, but significantly more effective in responding to problems.

These findings highlight that, while risk is a growing problem, most supply chain organisations are ill-prepared and need to invest more time, money and resources to position themselves to better deal with increasingly likely disruptions. Supply chain organisations should consider the following:

• Make risk management a supply chain management core competency;

• Assess your supply chain vulnerability, and develop measurements and risk mitigation strategies and action plans;

• Formalise risk management governance and response mechanisms, even if your initial steps are rudimentary;

• Integrate risk management principles into supply chain planning processes like sales and operations planning;

• Incorporate resiliency into supply chain design, in addition to focusing on post-disaster recovery;

• Incorporate supply chain risk management into your business continuity planning.

Introduce CAMM standard to support due diligence and business level trust

We live in a connected world, whichever way you look at it, and many organisations now use third parties to acquire services or products they need to succeed. Furthermore, these suppliers may use a number of sub-suppliers, and as a result the supply chain can become rather long and to get to the end of it may become a difficult task, writes Vladimir Jirasek, Common Assurance Maturity Model steering group member.

Security should support business and that means securing the supply chain. This is especially important when the suppliers work with the company's mission-critical data, or supply products/services that support the company's information management processes. The question is how to measure the information security risks in the supply chain end to end. There have been a few attempts to answer this question and provide organisations with information security maturity tools. Good examples are COBIT and ISF BMAT tools and SOGP 2011. Now there is a new initiative that is very close to releasing a final product: Common Assurance Maturity Model (CAMM). I have been lucky to be part of the core team working on the model and delivering key components.

The standard builds on existing international standards and adds key components - maturity, transparency, objective criteria and impact-focused scoring. We designed CAMM to be flexible, yet easy to use. The standard will allow business managers, CIOs and CISOs to make informed decisions when choosing suppliers of services to trust with company information. However, it is important to say that CAMM, and any other standard, cannot replace the due diligence process; it merely makes the process easier and repeatable.

I have also seen many security professionals who are wary of any third-party supplier and immediately assign it the label "untrusted". I believe this attitude is wrong. If the business has decided that an external supplier is needed to support a process, then inherently there must be a level of trust between the two organisations that the security team has to support. Security teams can use CAMM to support business-level trust with data from assessments and advise business people on levels of risk related to choosing supplier A or B. However, the decision is ultimately for the business to make.

The CAMM is now finalising the standard and tools and preparing a pilot with a major organisation. Follow @CommonAssurance on Twitter to keep informed.

Develop a simple and repeatable approach to risk assessment

Global economic uncertainty acts as a catalyst for organisations to adopt a more innovative and agile IT approach. Whether a business is looking to enter market space, support expansion or fulfil cost and time-to-market objectives, outsourcing and utilising third-party services is now playing directly to the innovation agenda and economic mood. Naturally, as the uptake of these services increases, so do the associated risks, writes Avtar Sehmbi, member of ISACA London Chapter's Security Advisory Group.

Risk assessment - keep it simple

There is a significant danger of exclusion when employing complex risk management processes. Taking the time to produce a fundamentally simple and repeatable risk assessment approach is key. Using the tiered approach - starting with generic checklists and moving down to detailed and more honed assessment questionnaires - is simple yet effective. This mechanism also keeps costs down by using resources more efficiently. For example, this may include junior resources issuing initial checklists to gather information, followed by specialised and experienced personnel conducting tailored final assessments to reach risk score conclusions.

Scope of assessment - people

Ethics, awareness and physical security play a big part in maintaining organisational and data security. As data traverses diverse organisational cultures and security landscapes, it should be acknowledged that people are the first defence against a security breach and have significant influence over the protection of data assets. Focus here can reduce the likelihood of an insider threat and breach from occurring. It is important to cover the non-technical security domains when conducting a risk assessment. Basing checklists on industry standards can help to cover a wide range of security domains, and achieve a more rounded understanding of the outsourcing/third party supplier's security posture.

The risk appetite

Understanding the levels of risk a business is willing to take is crucial to the risk management process. This is a two-way conversation between security and business management. Security managers need to understand the business needs, intentions and goals to define the security objectives and overall risk appetite. However, it must be accepted that the appetite may vary between initiatives depending on business benefit against risk.

Create accountability

Focus efforts on getting clear ownership of residual business risks. Business decision-making comes with responsibility and accountability, and this also includes risk ownership. Remember that third-party/outsourcing organisations cannot own an organisation's risks, so all residual risks should be assigned to appropriate business management.

Factor for when things go wrong

Security breaches will occur - it is a matter of "when" not "if" - so understand clearly who has responsibility for reporting and incident response when things go wrong. This may include establishing procedures during the engagement definition process. Also consider worst case scenarios such as how to handle changes in business strategy and the mechanisms for exiting arrangements with third parties.

Hook into the business

Organisations do not intuitively "think security" at the point of considering outsourcing a service, but do think "contracts and SLAs". Therefore, proactively engaging with procurement, legal and operational IT teams is a good way to get involved early in the process. It can help to influence contractual terms, which is particularly important when seeking the right to carry out future compliance audits of the third-party/outsourcing organisation.

Don't reinvent the wheel

Learn from others who have been there first. It is an easy way to understand an outsourcer/third party's security track record, and provides insight on how they have dealt with any security issues in the past.

Track compliance

Consistency is key when monitoring compliance. Regular auditing can help to identify developing issues, and allow time to prepare, plan and manoeuvre appropriately.

Start all over again

Risk assessment is a cyclical process: assess risk, understand appetite, mitigate risk, create residual risk ownership and evaluate compliance - start again.