As cybercrime has escalated, cyber-conscious organizations have concentrated their efforts on securing against the cybercrime threat. As primary targets have come to present a stronger security posture, threat actors have turned more and more to weaker links in the chain – most notably the supply chain.

So, what is the supply chain?

Simply put, the supply chain is the process of converting raw materials or component parts through to a finished product or service being provided to a consumer. It includes the organizations, people, technology, activities, information, and resources involved in that process.

Today, due in large part to technological innovation, supply chains are quite complex and include interdependence and connections between the organizations that manufacture or produce goods or products and their suppliers, distributors, and business partners.

While the interdependence and connections between multiple organizations bring many benefits, such as reduced costs, increased revenue, and expanded opportunities, the existence of multiple entities within the supply chain comes with an inherent level of risk.

In some cases, connectivity between a supplier and an organization can mean that when one is compromised the other may be compromised as well. In other cases, the supplier may have possession of some of the organization's sensitive data.

It has been a standard practice for many years to include security commitments in agreements with suppliers and service providers. In recent years, the focus has moved to asking a supplier or service provider to attest, through a security questionnaire, that they have implemented the security practices that are important to the organization. However, despite self-attestation, cyber risk continues to be a problem for many organizations, and assessing that risk in the supply chain is becoming more and more prominent.

It seems inevitable that the audit and certification world would turn its sights to the supply chain as well. There have long been many options for evaluating and reporting on control environments and security in relationships with service providers. These options include audits and certifications such as ISO/IEC 27001, HITRUST, NIST, and SOC2, which also apply to suppliers. We are going to explore a couple of the newer audit and reporting options available to suppliers – SOC for Supply Chain and the Cybersecurity Maturity Model Certification – the latter being introduced by the Department of Defense.

SOC for Supply Chain

In March 2020, the American Institute of CPAs (AICPA) introduced a new risk reporting framework, SOC for Supply Chain: a report on an examination of controls relevant to security, availability, processing integrity, confidentiality, or privacy in a production, manufacturing, or distribution system. This is the latest offering in the AICPA's System and Organization Controls (SOC) suite of service offerings. (Learn more about the SOC offerings here: http://www.sepon-boutique-resort.com/services/security-risk/it-assurance/soc/.) The new SOC for Supply Chain framework is designed to identify, assess, and address supply chain risks. Some examples include:

  • Possibly delivering products that do not meet the specified product performance specifications.
  • Possibly failing to meet delivery and quality commitments.
  • Possibly failing to meet production, manufacturing, or distribution commitments.

Is this report valuable?

Absolutely! Any entity in the supply chain can benefit from a SOC for Supply Chain assessment. Companies that produce, manufacture, or distribute products, as well as their suppliers, can use this report to show how they address the risks in their environment. The SOC for Supply Chain report communicates useful information about a company's systems and the controls within those systems to customers, business partners, and prospective customers and business partners.

Additionally, LBMC recommends that an organization address downstream supply chain risk by requiring its suppliers and business partners to obtain a SOC for Supply Chain report, which the organization can review to understand the controls those parties have implemented.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification, or CMMC, is an evolving certification initiative that the Department of Defense put into motion in 2019. The DoD recognized that one of its primary drivers – to protect the nation's interests – was potentially jeopardized by cybersecurity risk in the Defense Supply Chain. While contractors to the DoD, both prime contractors and subcontractors, had been contractually required to establish and attest to certain minimum security levels, more robust security assessment and reporting had not yet been established.

According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, the Cybersecurity Maturity Model Certification (CMMC) framework contains five maturity processes and 171 cybersecurity best practices progressing across five maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigations across the levels, starting with basic safeguarding at Level 1, moving to broad protection of Controlled Unclassified Information (CUI) at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APTs) at Levels 4 and 5. The CMMC framework is coupled with a certification program to verify the implementation of processes and practices.

The CMMC Accreditation Body (CMMC-AB) is still very early in the process of establishing the certification ecosystem. The current phase of the pilot is considered the Provisional phase and involves a limited number of provisional assessors and their associated certification bodies (or third-party assessment organizations). The DoD is piloting no more than 15 contracts this year and will not fully implement the requirement until 2025.

The Cybersecurity Maturity Model Certification (CMMC) accreditation framework impacts U.S. Department of Defense (DoD) contractors, their supply chain, solution providers, and systems integrators.

Learn more: http://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf


LBMC Information Security can help protect your organization against escalating cybercrime threats in supply chains. Contact us to learn more about the SOC for Supply Chain report or CMMC and get started with a consultation!
