May 15, 2013 SCRM Presentation
TRANSCRIPT
Advancing The Cyber Supply Chain Risk Management Toolset
Dr. Sandor Boyson, Director, Supply Chain Management Center
Welcome To The Dangerous New World Of The Cyber Supply Chain
Cyber Supply Chain Risk Management Is An Emerging Discipline
• In 2011, we ran a focus group of top federal IT supply chain policy makers and managers at College Park to discuss the state of the art.
• Participants came from DOD, DHS, NSA, FCC and major vendor companies such as Intel and Microsoft.
• Of the 19 participants, 8 had been working in this field for two years or less.
Advancing The Body Of Knowledge
• The R.H. Smith Supply Chain Management Center has been conducting multi-year research for the National Institute Of Standards & Technology (NIST).
• First, we surveyed over 200 IT vendors of all sizes about their management of cyber risks.
  – 47% of companies reported never using a Risk Board or other executive mechanism to manage IT risks.
  – 45% have no IT risk management plan at all.
Phase Two Advances
• Then our team built a Cyber Supply Chain Framework that incorporated our corporate survey results and other research.
• We used this Framework to review 60 public & private sector SCRM initiatives and evaluate their extent of coverage of the end-to-end Cyber Supply Chain.
Cyber Supply Chain Management: A Holistic Model
[Figure: three concentric rings. Ring #1: Governance; Ring #2: Systems Integration/Shared Services; Ring #3: Operations. Asset layers shown in the model: Data; Networks; People; Plants/Factories; Enterprise Applications; IT Hardware; Software Code.]
Ring #1 Definition:
• Supply Chain Champion/Orchestrator
• Risk Board facilitates extended Enterprise Risk Management Group (e.g. Council of Interests)
• Network Map Creation
Ring #2 Definition:
• Stewardship of cyber/physical asset network map
• Ensures network asset visibility and real-time monitoring of processes
• System-integrator/enforcer of chain of custody
Ring #3 Definition:
• Action/Field Layer
• Blend Physical/Cyber-Asset Visibility & Management
• Active Quest For Process Excellence
Phase Three Advances
• Finally, we took our composite knowledge base and worked with NIST to build a Portal and formal Capability/Maturity Model for Cyber Supply Chain Risk Management…
Cyber SCRM Portal
Features four major functions:
• An Initiatives Section, featuring upgradeable summaries of major public and private sector ICT SCRM initiatives;
• A Library Section, featuring a spectrum of related policy studies, case studies, research reports, etc.;
• A Forum Section that enables collaboration groups to form around specific ICT SCRM topic areas;
• An Enterprise Assessment Section.
Initiatives
Library
Forums
Enterprise Assessment
• A Strategic Readiness Tool that profiles an enterprise’s risk management posture and organizational development status.
• A NIST Principles/Practices Tool that drills down on the ten major principles embedded in NIST IR 7622 and asks a portfolio of operational questions associated with each principle.
• A Cyber Chain Mapping Tool that provides a rapid method to build a working global map of cyber supply chain assets, transactions and vulnerabilities.
• A Results Area that enables enterprises to view their ICT SCRM baseline status against three benchmarks: a group of peer enterprises; the Community Framework Model; and an ICT SCRM Capability/Maturity Level.
Strategic Readiness
• Field visits and extended discussions were held with:
  – the Risk Group of the Securities and Exchange Commission;
  – the Executive Director of the Independent Distributors Of Electronics Association (IDEA);
  – the Center For Advanced Life Cycle Engineering (CALCE), University Of Maryland;
  – the Principal of the Marsh Supply Chain Risk Management Practice, etc.
NIST Principles/Practices
• This assessment area was prepared utilizing the NIST IR 7622 as well as previous Smith research for NIST.
• In addition, we evaluated a variety of capability/maturity models, from the Supply Chain Council’s SCOR Model to the Supply Chain Risk Leadership Council’s emerging maturity criteria.
Results
Field Testing The Assessment Tools
• One supporter of our assessment development activities was the TM Forum, a twenty-five-year-old, 800-member global organization of telecommunications industry providers.
• This organization selectively recruited a small member pool to validate our survey instruments and provide feedback.
[Figure: TM Forum Readiness Survey slide, © 2012 TeleManagement Forum, www.tmforum.org]
Readiness Survey: Who contributes significantly to cyber risk management policy development?
Participant roles surveyed: BoD / Risk Audit Committee; Chief Executive; Chief Financial; Chief Risk; Source / Procure; VP Supply Chain.
Rows: CSP #1 (one cell marked “?”), CSP #2, CSP #3; “CIO” appears three times among the answers.
Legend: Strong; Moderate/Some; Weak/Not Available.
Cyber Chain Map
• This assessment area was the most exploratory.
• It links a variety of tools, such as network planning tools, Google Maps and CVSS scoring, into an easy-to-use mapping exercise.
• The map shows both cyber and traditional supply chain hubs, nodes, transactions and vulnerabilities.
Map
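As an added illustration of what a cyber chain map ties together (example code written for this transcript, not the portal's own mapping tool), the Python below models hubs and nodes with map coordinates, transactions as supplier-to-customer edges, and vulnerabilities carrying CVSS base scores, then rolls the worst reachable score downstream so an enterprise can see which upstream node its exposure actually comes from. The node names, coordinates, vulnerability ids and scores are constructed sample data, and CVSS v3 base scores with their qualitative severity bands are an assumption, since the slide does not state a CVSS version.

```python
"""Cyber supply chain map as a dependency graph with CVSS-based risk roll-up.

Added example, not code from the Smith/NIST portal. Assumes CVSS v3.x base
scores (0.0-10.0) and the v3 qualitative severity bands; every node, edge,
coordinate, vulnerability id and score below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Vulnerability:
    vuln_id: str       # placeholder identifier (constructed, not a real CVE)
    cvss_base: float   # CVSS v3.x base score, 0.0 to 10.0 (assumed version)


@dataclass
class Node:
    name: str
    kind: str          # hub/node type: "fab", "assembly", "datacenter", "software"
    lat: float         # coordinates for the geographic (map) layer
    lon: float
    vulns: List[Vulnerability] = field(default_factory=list)


# Constructed sample map: names, coordinates and scores are illustrative only.
NODES: Dict[str, Node] = {
    "ChipFab": Node("ChipFab", "fab", 24.8, 121.0,
                    [Vulnerability("VULN-0001", 5.3)]),
    "BoardAssembly": Node("BoardAssembly", "assembly", 22.5, 114.1, []),
    "FirmwareVendor": Node("FirmwareVendor", "software", 37.4, -122.1,
                           [Vulnerability("VULN-0002", 9.8)]),
    "Integrator": Node("Integrator", "assembly", 30.3, -97.7,
                       [Vulnerability("VULN-0003", 4.0)]),
    "EnterpriseDC": Node("EnterpriseDC", "datacenter", 38.9, -77.0, []),
}

# Transactions: (supplier, customer); goods or code flow from left to right.
TRANSACTIONS: List[Tuple[str, str]] = [
    ("ChipFab", "BoardAssembly"),
    ("BoardAssembly", "Integrator"),
    ("FirmwareVendor", "Integrator"),
    ("Integrator", "EnterpriseDC"),
]


def severity(score: float) -> str:
    """CVSS v3 qualitative severity bands (assumed scoring version)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def local_risk(node: Node) -> float:
    """Highest base score among a node's own vulnerabilities (0.0 if none)."""
    return max((v.cvss_base for v in node.vulns), default=0.0)


def suppliers_of(name: str) -> List[str]:
    """Direct upstream nodes that transact into the named node."""
    return [s for s, c in TRANSACTIONS if c == name]


def upstream_exposure(name: str) -> Tuple[float, str]:
    """Worst vulnerability reachable through the node's transitive suppliers.

    Walks the transaction graph backwards so a downstream hub inherits the
    exposure of every upstream hub that feeds it; returns (score, origin node).
    """
    worst = (local_risk(NODES[name]), name)
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        score = local_risk(NODES[cur])
        if score > worst[0]:
            worst = (score, cur)
        stack.extend(suppliers_of(cur))
    return worst


def ranked_map() -> List[Tuple[str, float, str, str]]:
    """All nodes ordered by inherited exposure: (node, score, severity, origin)."""
    rows = []
    for name in NODES:
        score, origin = upstream_exposure(name)
        rows.append((name, score, severity(score), origin))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, score, sev, origin in ranked_map():
        n = NODES[name]
        print(f"{name:15s} ({n.lat:6.1f},{n.lon:7.1f}) "
              f"exposure={score:4.1f} {sev:8s} via {origin}")
```

The roll-up is deliberately a maximum rather than a sum: a single critical firmware vulnerability upstream should not be diluted by several clean suppliers, and the origin node tells the risk board where on the map to focus remediation or supplier engagement.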
Next Steps
• Scaling to a wider set of companies
• Creating a downloadable desktop version
• Creating a mobile app