Earlier, I posted some thoughts about the newly released Automotive ISAC recommendations for cybersecurity.
In this post, I'm going to focus on the risk assessment and risk management recommendations. The Automotive ISAC offers the following recommendations for risk assessment and management:
All of these recommendations are important. But the one that is most overlooked (by far) in my experience is the recommendation to monitor the security compliance of critical suppliers. Let's face it, your suppliers' security will have an impact on your security. Failure to consider supplier and partner security can lead to a core network compromise - just ask Target: their network compromise was the result of an HVAC contractor.
So this sounds great, but how do you do it? At Rendition Infosec we recommend that you assess supplier security through your contracts. Suppliers aren't likely to just turn over their security data to you unless you have contract provisions requiring it. Obviously, the bigger your organization is, the bigger the contracting stick you can wield. But if you are the big fish and small fish want to do business with you, evaluate their security.
Some potential discussion points for suppliers:
- Ask for the results of the last penetration test they did. If they give you a Nessus scan report, run away... Fast.
- Ask what they've done to remediate vulnerabilities identified.
- Send an email to security@supplier-domain.com and see who answers. How long does it take to get an answer?
- Ask about the products deployed in their SOC. How is the SOC staffed?
All of these are indicators of their security posture and things you should be looking for.
We've all heard the old adage "a chain is only as strong as its weakest link." It's time to recognize that our supply chain is also only as strong as its weakest link.