Most organizations have historically focused their information risk and security efforts on what they can control and often ignore their IT supply chains, which they can only influence. Organizations are highly dependent on IT supply chains for their business operations and strategic success, but only recently have gained awareness of how fragile they can become if they are compromised. In many cases, organizations either have not considered their IT supply chains in their security risk assessments or have ranked the associated risk low enough that it is not effectively or actively monitored and mitigated. Adversaries have become keenly aware of this and are shifting their focus from direct attacks on their intended targets to indirect ones through the vendors, services and capabilities on which organizations depend.
Securing the IT supply chain requires organizations to expand and mature their information risk and security methods and tactics beyond their own borders. This requires closer partnerships with suppliers and expanded governance and oversight. The successful implementation of IT supply chain security requires multiple layers of capabilities and activities that need to be consistently applied and constantly matured.
The following are five key considerations that organizations should account for when attempting to enhance the security of their IT supply chains:
- You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they provide - Many organizations lack a comprehensive and up-to-date inventory of the products, capabilities and services provided to them by third-party IT providers. In the era of cloud services, open-source software and multi-tier service providers, it is easy for organizations to lose track of with whom they are working and what services those vendors provide. It is important to identify the business processes and functions that depend on third-party technologies and capabilities so that there is transparency about the potential business impact if a third party is compromised. These may include applications, services, solutions, and the infrastructure and data with which they interact. This data should then be populated into an inventory that includes a risk classification of the supplier and the associated capabilities based on their relative value and importance to the organization.
A configuration management database (CMDB) is often the ideal repository for the technical details of all third-party IT capabilities that operate in the organization's environment. Once a notable third-party vulnerability is disclosed, information risk and security personnel can use the database to determine whether, and where, the organization is exposed. The CMDB should also include dependency data on the business processes that the capabilities support or interact with. This helps the organization make risk-based decisions about the protective and remediation measures it must take to manage and mitigate the risk posed by the identified vulnerability.
- Require disclosure of open-source software components - The use of open-source code is important to the success of many applications and suppliers because it helps them keep pace with the innovation that customers and constituents expect. Much of the hardware and software componentry in modern IT systems used in organizations includes open-source software. High-profile and impactful vulnerabilities found in open-source code libraries such as Apache Log4j and Heartbleed have removed the idealistic notions surrounding open-source software. There has long been a belief promoted by open-source developers that they are consistently evaluating and/or enhancing the security of open-source code and software. Unfortunately, this has proven not to be the case in many instances. The current licensing models for open-source code and software carry no expectation that they are secure, or that they will be protected when security vulnerabilities are discovered in the future.
To identify and reduce the risk associated with open-source software and/or code, it is important to contractually require IT supply chain suppliers to disclose an inventory of all open-source components included in the products and services they provide. This inventory is called a software bill of materials (SBOM). The SBOM should include the software version number, license details and the acquisition source of the open-source components that are used in the provided products and services.
If a vendor pushes back on the disclosure of open-source details included in their products and services due to the concern of disclosing trade secrets or proprietary information, an organization can use what might be called the Coca-Cola rebuttal. Every container of Coca-Cola soft drink openly lists its ingredients, except for the proprietary ingredients, which are listed as natural flavors. The same principle can be applied to the release of the SBOM: a third-party supplier can list the open-source components of their software individually and then identify proprietary code as a single category. This approach allows the vendor to disclose the entire inventory of their software without having to disclose any trade secrets or proprietary information.
- Conduct threat and vulnerability analysis of the third parties that are key to your business - Using a structured, scenario-based approach to threat and vulnerability analysis enables an organization to identify the threats and vulnerabilities associated with its IT supply chain and to plan for their likelihood. The analysis should focus on identifying high-probability scenarios that, if realized, would have a significant impact on the organization and its ability to operate effectively, including security incidents. Once an organization identifies and rationalizes the threats and vulnerabilities in its IT supply chain, it can identify and classify the risk. With this information, it can develop a risk-based control framework, control requirements, governance approaches and response plans to appropriately treat and mitigate the risk.
- Create a technical and organizational measures contract addendum for supply chain contracts - A technical and organizational measures (TOMs) addendum provides IT supply chain guidance on the security expectations and requirements that a third party must meet to do business with the organization. The TOMs addendum should detail the procedural and technical control expectations and requirements that apply while the third party interacts with the organization's applications, infrastructure and/or data in the course of providing its services. It should also explain the expectations and requirements for communication and notification of security incidents (e.g., a 48-hour notification period) and proposed methods and tactics for risk management and remediation. It is important that organizations clearly communicate the methods and practices they expect their IT supply chain to use for notifications and the level of detail that is expected.
Where software is provided, the TOMs addendum should include expectations for application security testing, including, but not limited to, the use of static testing, dynamic testing and software composition analysis that will support the creation and maintenance of the SBOM. The addendum should also include software maintenance and liability requirements. It is important for the organization to ensure that security deficiencies will be remediated at the supplier's cost and within reasonable timeframes. The covered maintenance period for the applications should also be clearly defined and reasonable in terms of their expected useful life.
- Trust, but verify. Conduct evidence-based reviews of key third parties - It is important to deploy assurance capabilities to ensure that the expectations and requirements created for key third parties are appropriately governed and monitored on an ongoing basis. These capabilities can be deployed in a risk-based approach wherein the basic assessment can begin with a questionnaire. Questionnaires should include comprehensive security-related questions and require that the answers provided be supported with objective evidence where possible and applicable. Organizations should define the content of the evidence they expect so that supply chain providers have no ambiguity or misunderstanding about what is required.
When building questionnaires, organizations should include components that adequately evaluate the people, processes, procedures and technologies associated with the products and services that are being provided by the supply chain providers. For key providers, questionnaires should be followed up with interviews with supplier personnel to ensure that the answers and evidence are accurate. Additional details and questions can be asked based on the answers provided to ensure that there is no doubt about the accuracy of the evaluation of the provider's capabilities.
These assessments are intended to identify deficiencies that the organization believes should be addressed; corrective action plans should be developed with the provider to ensure that remediation occurs within reasonable timeframes. It is important to establish a consequence management framework that ensures the supplier understands they are being held accountable for remediation activities. A clear understanding that negative outcomes will follow if they underperform or fail to complete the plans to the organization's satisfaction typically leads to successful outcomes and stronger partnerships.
Most important is to establish an ongoing channel of communication and a relationship with the security personnel of key suppliers in an organization's IT supply chain. Such partnerships ensure two-way intelligence and information sharing and allow the organization to make informal inquiries of its suppliers as needed, not only during formal audits and reviews. A peer relationship with suppliers allows the organization's risk and security personnel to maintain an ongoing dialogue in which information can be shared without fear of negative consequences.
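The inventory and SBOM recommendations above (a CMDB that records third-party capabilities with their business-process dependencies, and an SBOM that carries version, license and acquisition source for every open-source component) can be exercised with a small script. The following is an added example, not code from the article or from IP Architects: it rejects SBOM entries that lack the fields the article names, stores products with the processes that depend on them, and answers "are we exposed, and where?" when a fixed version of a component is announced. Every vendor, product, library, URL and version below is a constructed placeholder, and the proprietary-code entry shows the Coca-Cola rebuttal recorded as a single category.

```python
from dataclasses import dataclass, field

# Fields the article says an SBOM entry should carry for each open-source
# component: version number, license details and acquisition source.
REQUIRED_SBOM_FIELDS = ("name", "version", "license", "source")


@dataclass
class Component:
    name: str
    version: str
    license: str
    source: str


@dataclass
class Product:
    """One third-party capability as it would be recorded in the CMDB."""
    vendor: str
    name: str
    criticality: str          # risk classification relative to the organization
    business_processes: list  # dependency data: processes that rely on this product
    components: list = field(default_factory=list)


def validate_sbom(entries):
    """Return [(index, [missing fields])] for SBOM entries that lack required data."""
    problems = []
    for i, entry in enumerate(entries):
        missing = [f for f in REQUIRED_SBOM_FIELDS if not entry.get(f)]
        if missing:
            problems.append((i, missing))
    return problems


def load_components(entries):
    """Accept only complete entries, so a partial SBOM is never stored silently."""
    problems = validate_sbom(entries)
    if problems:
        raise ValueError(f"incomplete SBOM entries: {problems}")
    return [Component(e["name"], e["version"], e["license"], e["source"]) for e in entries]


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); adequate for simple dotted numeric versions."""
    return tuple(int(p) for p in v.split("."))


def affected_products(products, component_name, fixed_in):
    """Products shipping component_name below fixed_in, with the processes they support."""
    hits = []
    for p in products:
        for c in p.components:
            if c.name == component_name and version_tuple(c.version) < version_tuple(fixed_in):
                hits.append({
                    "vendor": p.vendor, "product": p.name, "version": c.version,
                    "criticality": p.criticality, "processes": sorted(p.business_processes),
                })
    return hits


def exposed_processes(hits):
    """Collapse product hits into the sorted set of business processes at risk."""
    return sorted({proc for h in hits for proc in h["processes"]})


# --- Constructed sample data: hypothetical vendors, products and libraries ---
COMPLETE_SBOM = [
    {"name": "examplelib-logging", "version": "1.4.2", "license": "Apache-2.0",
     "source": "https://example.invalid/examplelib-logging"},
    {"name": "examplelib-tls", "version": "3.0.9", "license": "MIT",
     "source": "https://example.invalid/examplelib-tls"},
    # Coca-Cola rebuttal in practice: proprietary code disclosed as one category.
    {"name": "vendor-proprietary-code", "version": "7.2", "license": "proprietary",
     "source": "Example Vendor A"},
]
INCOMPLETE_SBOM = [
    {"name": "examplelib-logging", "version": "1.3.0", "license": "Apache-2.0", "source": ""},
    {"name": "examplelib-json", "version": "", "license": "BSD-3-Clause",
     "source": "https://example.invalid/examplelib-json"},
]

PRODUCTS = [
    Product("Example Vendor A", "Ticketing Portal", "high",
            ["customer support", "billing"], load_components(COMPLETE_SBOM)),
    Product("Example Vendor B", "Internal Wiki", "low", ["knowledge management"],
            [Component("examplelib-logging", "1.5.0", "Apache-2.0",
                       "https://example.invalid/examplelib-logging")]),
]

if __name__ == "__main__":
    print("incomplete SBOM entries:", validate_sbom(INCOMPLETE_SBOM))
    # A (constructed) advisory says examplelib-logging is fixed in 1.5.0.
    hits = affected_products(PRODUCTS, "examplelib-logging", "1.5.0")
    for h in hits:
        print(f'{h["vendor"]} / {h["product"]} ships {h["version"]} '
              f'({h["criticality"]}) -> {h["processes"]}')
    print("exposed business processes:", exposed_processes(hits))
```

Only the Ticketing Portal is reported, because the wiki already runs the fixed version; the output lists the product's criticality and the business processes behind it, which is the information the article says the CMDB must supply for a risk-based remediation decision. The version comparison is deliberately simple; real SBOM tooling (CycloneDX or SPDX based) handles pre-release tags and vendor-specific schemes that this helper does not.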
Establish a Continuous Understanding
Effective IT supply chain security requires an organization to have a continuous understanding of how and in what areas it leverages third-party service and application providers. Following a trust-but-verify approach to securing an organization's IT supply chain provides the visibility and the checks and balances needed to ensure that appropriate measures can be implemented using a risk-based approach. If an organization waits for security audits to be performed to identify supply chain security risk, it may be too late to remediate effectively. Therefore, it is important for risk and security professionals to cultivate and maintain strong relationships that allow intelligence to flow freely between partner organizations to support each other's information risk management goals and objectives and to strengthen the overall security of the IT supply chain.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, is president of IP Architects LLC.