Supply Chain Risk Management (SCRM): Concepts and Mitigations

  • Updated on: October 24, 2024


    As a cybersecurity professional in today's interconnected business landscape, you'll face an increasingly complex challenge: securing not just your organization's assets, but its entire supply chain ecosystem. Supply chain attacks have emerged as one of the most sophisticated threats to enterprise security, making Supply Chain Risk Management (SCRM) a critical competency for CISSP candidates.

    While you are not expected to be a supply chain expert for the CISSP exam, understanding the fundamentals of SCRM is crucial. This guide will walk you through the essential concepts of supply chain risk management, focusing on the key aspects covered in the CISSP exam's Security and Risk Management domain.

    Let's explore how to identify, assess, and mitigate supply chain risks effectively while preparing you for your CISSP certification journey.

    What is Supply Chain Risk Management?

    In the context of information security, Supply Chain Risk Management (SCRM) focuses on identifying, assessing, and mitigating risks associated with the acquisition of products and services from external suppliers and providers. As third-party relationships become increasingly complex, understanding and managing supply chain risks has become a critical component of an organization's overall security strategy.

    Every organization has security dependencies on external entities—vendors, suppliers, customers, contractors—and risk management must apply to all of them. For example, if an organization moves to the cloud, the risks introduced by that move must be incorporated into its risk management process. Even though the cloud service provider stores the data, the data owner remains accountable for it.

    This risk management process includes:

    • Governance review
    • Site security review
    • Formal security audit
    • Penetration testing
    • Adherence to security baseline
    • Evaluation of hardware and software
    • Adherence to security policies
    • Development of an assessment plan
    • Identification of assessment requirements
    • Preparation of assessment and reporting templates

    Remember a crucial principle: accountability cannot be outsourced. While you may delegate certain responsibilities to vendors and suppliers, your organization remains accountable for protecting its assets and data. If your organization needs to be compliant with certain laws and regulations, you must ensure your suppliers have the required controls in place to meet these compliance requirements.


    Service Level Management in Supply Chain

    In SCRM, we learned that organizations must identify, assess, and mitigate risks associated with external suppliers while maintaining accountability for their assets and data. One of the primary ways organizations achieve this is through structured service level management throughout the supplier relationship lifecycle.

    When organizations acquire products or services, they're not just adding value—they're also introducing new risks to their environment. Even well-known brands and established products carry inherent risks that must be evaluated during the procurement process.

    This structured approach to managing supplier relationships and risks manifests through three key components:

    Service Level Requirements (SLR)

    When a service is acquired, the additional requirements the organization places on that service must be captured in a document called an SLR. Specifically, an SLR outlines:

    • Detailed service descriptions
    • Detailed service level targets
    • Mutual responsibilities

    The SLR is a very important document during the procurement process, as it defines the security services and service level targets that each potential supplier can be evaluated against. When a winning supplier is selected in the procurement process, the SLR will then be used to inform the requirements that will be documented in the SLA.

    Service Level Agreement (SLA)

    After a service is acquired, it’s imperative that an SLA be put in place between the customer and the service provider. One important note: even though the agreement is between a service provider and a customer, the customer remains accountable for all customer data being processed by the provider. SLAs are addendums to the contract and are therefore enforceable. SLAs often include expectations and stipulations related to:

    • Service Levels (performance levels)
    • Governance—the customer and the service provider know who is responsible for what.
    • Security—expected security controls put in place by the service provider that speak to the topic of accountability and responsibility. Accountability can never be outsourced; thus, the security controls needed to protect customer data must be very clearly defined by the customer and put in place to exact specifications by the service provider.
    • Compliance with all laws and regulations that relate to the customer’s industry or where the customer conducts business.
    • Liability/Indemnification when any element of the SLA is not met or is below threshold standards.

    To understand how a service provider is performing on behalf of a customer, and particularly to identify how well expectations defined in the SLA are being met, a service provider will provide service level reports on an ongoing basis.

    Service Level Reports

    Service level reports are issued by a vendor or service provider to a client and provide insight and information about the service provider’s ability to deliver services as defined by the SLA. The service level report compares anticipated and agreed upon service levels with actual service levels and documents the effectiveness of security controls, which allows the customer—the owner—to gain assurance that expectations are being met.

    A service level report might contain any of the following components:

    • Achievement of metrics defined in the SLA
    • Identification of issues
    • Reporting channels
    • Management
    • Third-party SOC reports, which provide independent verification and assurance that the terms of the SLA are being met.
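    To make the SLA-to-service-level-report comparison concrete, here is a small added example (not from the original article) that takes constructed SLA targets and a month of constructed provider measurements and produces the "achievement of metrics" and "identification of issues" components described above. The metric names, targets and figures are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed SLA targets: what the SLR asked for and the SLA committed to.
# "higher" means the actual must be >= target; "lower" means actual <= target.
@dataclass(frozen=True)
class SlaTarget:
    metric: str
    target: float
    direction: str   # "higher" or "lower"
    unit: str

# Constructed, illustrative targets; not taken from any real SLA.
SLA_TARGETS = (
    SlaTarget("availability", 99.9, "higher", "%"),
    SlaTarget("incident_notification", 24.0, "lower", "hours"),
    SlaTarget("critical_patch_window", 72.0, "lower", "hours"),
)

MINUTES_PER_MONTH = 30 * 24 * 60

def availability_pct(downtime_minutes: float, period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Convert measured downtime in a period into an availability percentage."""
    return round(100.0 * (period_minutes - downtime_minutes) / period_minutes, 3)

def evaluate(actuals: dict) -> dict:
    """Build a service level report: per-metric achievement plus a list of issues."""
    report = {"achieved": {}, "issues": []}
    for t in SLA_TARGETS:
        actual = actuals[t.metric]
        ok = actual >= t.target if t.direction == "higher" else actual <= t.target
        report["achieved"][t.metric] = ok
        if not ok:
            report["issues"].append(
                f"{t.metric}: actual {actual}{t.unit} vs target {t.target}{t.unit}")
    report["all_met"] = not report["issues"]
    return report

if __name__ == "__main__":
    # Constructed monthly measurements from a hypothetical provider.
    month = {
        "availability": availability_pct(downtime_minutes=90),  # 90 min of outage
        "incident_notification": 30.0,   # hours until the customer was notified
        "critical_patch_window": 48.0,   # hours to deploy a critical patch
    }
    r = evaluate(month)
    for line in r["issues"]:
        print("ISSUE", line)
    print("all targets met:", r["all_met"])
```

    In the sample month two targets are missed (availability and incident notification), which is exactly the evidence a customer would use to invoke the liability or indemnification terms of the SLA.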

    FAQs

    What are the four types of risk in supply chain management?

    When examining supply chain risks, organizations primarily encounter threats to product integrity such as tampering and counterfeits, risks in service delivery that could affect business operations, compliance risks that could lead to regulatory issues, and risks associated with third-party access to organizational assets and data. Each of these areas requires specific attention and mitigation strategies.

    How do you assess third-party risk?

    Organizations assess third-party risk through a combination of methods including governance reviews, site security reviews, formal security audits, and penetration testing. These assessments should also include evaluating adherence to security baselines and thorough evaluation of hardware and software components. The goal is to ensure suppliers meet both security and compliance requirements.

    Strengthen Your SCRM Knowledge with Destination Certification

    Supply chain security isn't just about passing your CISSP exam—it's about understanding how to protect your organization's entire ecosystem of suppliers, vendors, and service providers. Managing third-party risk requires both technical knowledge and strategic thinking, from assessment methodologies to service-level management.

    At Destination Certification, we transform complex supply chain concepts into practical, actionable knowledge. Our CISSP MasterClass helps you understand the fundamentals of SCRM through real-world scenarios and practical applications. You'll learn to think critically about supply chain security and how it integrates with your organization's overall risk management strategy.

    Our expert instructors guide you through the critical aspects of vendor management and third-party risk assessment, ensuring you develop the skills needed to identify, assess, and mitigate supply chain risks effectively.

    Take the first step toward mastering supply chain security. Join our CISSP MasterClass and learn how to protect your organization's entire ecosystem, not just its perimeter.


    Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.

