Malicious code can also be introduced after the software has been developed and

code. Malicious code can also be introduced after the software has been developed and distributed through the download of corrupted patches. The organization should also be concerned with its own users who may have malicious intent or could just be uninformed users who click on a malicious internet link or open a suspicious e-mail.

Recommendations to Address Supply Chain Cyber Security Concerns

Since the organization is likely to be purchasing COTS software or contracting a software company to deliver a product, the organization may struggle to directly influence the security concerns during the Software Development Life Cycle (SDLC). There are actions that any organization can take to address cybersecurity concerns potentially introduced through the supply chain. Many concerns can be influenced directly with the supplier of the software. First, the organization needs to ensure that all required security standards, terms and conditions are explicitly identified in all Requests for Proposals (RFPs). The RFP should identify minimum objectives and thresholds for the level of security expected to be built into the software. The RFP should identify the organization's requirements regarding the confidentiality, integrity and availability of the systems and data. Some areas to be considered could be 1) back-up and restoration capabilities; and 2) expected up-time.

SUPPLY CHAIN RISK MITIGATION FINAL REPORT 8

The organization will assess the supplier's organization to determine what level of security has been implemented in their systems. The organization will evaluate the vendor's cybersecurity plan and determine if it meets the requirements that the organization has determined are needed. If the supplier is also the developer, verify that they follow a valid SDLC process and determine how security vulnerabilities are identified and addressed throughout the process. When dealing with third-party vendors, the organization should request to audit the vendor's policies and processes for ensuring the cybersecurity of the products being offered. If a vendor is not able, or is not willing, to meet the organization's security and procurement standards, then the organization will exclude them from competition.

Only focusing on the actions of the suppliers when addressing supply chain concerns would be a mistake, as there are internal actions that the organization should take as well. Internal processes need to be developed that address how the organization will procure software. The procurement process needs to be developed not only by the procurement personnel, but also in coordination with representatives from leadership and subject matter experts from IT, engineering, legal, operations and security. The organization must have an internal process that is regularly reviewed and updated. The organization needs to develop and maintain current and relevant cybersecurity policies and procedures to continue to prevent unauthorized access to its systems. Implementing a thorough change control process will help to mitigate threats that could