SlideShare a Scribd company logo

Cybersec Supply Chain Risks and Governance v0.1.pdf

D
DaveNjoga1

Cyber Risks in the Supply Chain

Business
1 of 24
Download to read offline
Cyber Security Supply Chain Risks and Governance By: David NJOGA – Cyber GRC Expert (NC3) CONFIDENTIAL 1
CONFIDENTIAL Aim • Apprise the participants on the cybersecurity governance principles, and their alignment towards effective supply chain risks treatments to enhance national security. CONFIDENTIAL 2
CONFIDENTIAL Scope Introduction Objectives Justification Supply Chain Risks Supply Chain Risks Treatment Plans Conclusion Plenary CONFIDENTIAL 3
CONFIDENTIAL Introduction • Cyber Security Governance provides strategic visibility into business risks based on cyber threats to: • achieve compliance requirements • improve the nation’s overall cyber security posture CONFIDENTIAL 4
CONFIDENTIAL Objectives of Cyber Security Governance • To provide pivotal cyber governance activities for effective and efficient national cyber operations to improve national security. CONFIDENTIAL 5 Fig. 1: NIST Cybersecurity Framework v1.1
CONFIDENTIAL Objectives of Cyber Security Governance. . . • Cyber Governance is concerned with value delivery from digital transformation and the mitigation of business risk that results from digital transformation. CONFIDENTIAL 6 Benefits Realization Risk Optimization Resource Optimization Fig. 2: COBIT 2019 Value Chain
CONFIDENTIAL Components of Cyber Governance System CONFIDENTIAL 7 Fig. 3: COBIT 2019 Governance System
CONFIDENTIAL Key Roles, Activities and Relationships CONFIDENTIAL 8 Fig. 4: COBIT 2019 Governance vs Management
CONFIDENTIAL Justification CONFIDENTIAL 9
CONFIDENTIAL Supply Chain • Cybersecurity in the supply chain cannot be viewed as an IT problem only! • Cyber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise. • Cyber supply chain risks require a coordinated effort to address. CONFIDENTIAL 10
CONFIDENTIAL CONFIDENTIAL 11
CONFIDENTIAL Some Cyber Attacks NotPetya ransomware hit global businesses in approximately 59 countries in late June 2017; an attack which prevented one of the largest container shippers, Maersk Line, from taking new orders Superfish adware installed on Lenovo notebooks could intercept encrypted https traffic (2014-2015) Exploitation of internet of things (IoT) sensors Bogus traffic attacks from Google Traffic Analytics CONFIDENTIAL 12
CONFIDENTIAL Cyber Supply Chain Security Principles Develop your defenses based on the principle that your systems will be breached. Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Security is Security. CONFIDENTIAL 13 “Sharing information with suppliers is essential, yet increases the risk of that information being compromised” (Bowman 2013).
CONFIDENTIAL Supply Chain Risks • Cyber supply chain risks covers a lot of territory. Some of the concerns include risks from: Third party service providers or vendors to software engineering. Poor information security practices by lower‐tier suppliers. Compromised software or hardware purchased from suppliers. Software security vulnerabilities in supply chain management or supplier systems. Counterfeit hardware or hardware with embedded malware. Third party data storage or data aggregators. CONFIDENTIAL 14
CONFIDENTIAL Appreciation of suppliers’ cybersecurity practices Is the vendor’s software / hardware design process documented? Repeatable? Measurable? Is the mitigation of known vulnerabilities factored into product design? How does the vendor stay current on emerging vulnerabilities? What controls are in place to manage and monitor production processes? CONFIDENTIAL 15
CONFIDENTIAL Appreciation of suppliers’ cybersecurity practices … How is configuration management performed? Quality assurance? What levels of malware protection and detection are performed? What steps are taken to “tamper proof” products? Are backdoors closed? What physical security measures are in place? Documented? Audited? What access controls, both cyber and physical are in place? How are they documented and audited? CONFIDENTIAL 16
CONFIDENTIAL Appreciation of suppliers’ cybersecurity practices … What type of employee background checks are conducted and how frequently? What security practice expectations are set for upstream suppliers? How is adherence to these standards assessed? How secure is the distribution process? Have approved and authorized distribution channels been clearly documented? What is the component disposal risk and mitigation strategy? How does vendor assure security through product lifecycle? CONFIDENTIAL 17
CONFIDENTIAL Cyber Supply Chain Best Practices Security requirements are included in every RFP and contract. Onsite collaboration with vendors to address any vulnerabilities and security gaps. “One strike and you’re out” policies with respect to vendor products that are either counterfeit or do not match specification. Component purchases are tightly controlled; component purchases from approved vendors are prequalified CONFIDENTIAL 18
CONFIDENTIAL Cyber Supply Chain Best Practices… Secure Software Lifecycle Development Programs and training for all engineers in the life cycle are established. Source code is obtained for all purchased software. Software and hardware have a security handshake. Automation of manufacturing and testing regimes reduces the risk of human intervention. CONFIDENTIAL 19
CONFIDENTIAL Cyber Supply Chain Best Practices… Track and trace programs establish provenance of all parts, components and systems. Programs capture “as built” component identity data for each assembly and automatically links the component identity data to sourcing information. Personnel in charge of supply chain cybersecurity partner with every team that touches any part of the product during its development lifecycle and ensures that cybersecurity is part of suppliers’ and developers’ employee experience, processes and tools. Legacy support for end-of‐life products and platforms; assure continued supply of authorized IP and parts. Tight controls on access by service vendors are imposed. CONFIDENTIAL 20
CONFIDENTIAL Strategic and Systemic transformation The strategic dimension covers setting strategy, planning and implementing high‐level steps, and initiating a program and related portfolio of cybersecurity projects. The systemic dimension addresses dependencies between parts of the cybersecurity system that will have an impact on how change will be achieved and what will be the immediate and secondary effects. CONFIDENTIAL 21
CONFIDENTIAL Recommendations • Adopt Local Robust IT security solutions • Compliance and Governance of suppliers, vendors, third-party actors, partners, traders, manufacturers and contractors. • Certification of International Standards CONFIDENTIAL 22
CONFIDENTIAL Conclusion • Cyber governance needs to acknowledge the fact that attacks, incidents and breaches always target the weakest link in the security of value chain of the enterprise. • Consequently, the national cyber security governance design will address the following two dimensions: • Basic governance provisions, e.g., expressing the intentions and overall goals of senior executives and management; • Extended governance provisions, e.g., guidance for processes that handle cybercrime and cyberwarfare attacks or links to business assurance. CONFIDENTIAL 23
CONFIDENTIAL Plenary CONFIDENTIAL 24

Recommended

Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service PresentationWilliam McBorrough
 
BEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICESBEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICESHappiest Minds Technologies
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationWilliam McBorrough
 
Digital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainDigital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainShawn Brown
 

Recommended

Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service PresentationWilliam McBorrough
 
BEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICESBEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICESHappiest Minds Technologies
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationWilliam McBorrough
 
Digital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainDigital defence ds-vciso-supplychain
Digital defence ds-vciso-supplychainShawn Brown
 
Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeNational Retail Federation
 
How to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteHow to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteSurfWatch Labs
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
30 September 2014: Cyber Security Model
30 September 2014: Cyber Security Model30 September 2014: Cyber Security Model
30 September 2014: Cyber Security ModelDefence and Security Accelerator
 
Robert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government ContractorsRobert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government ContractorsGovernment Technology and Services Coalition
 
9 September 2014: Cyber Security Model
9 September 2014: Cyber Security Model 9 September 2014: Cyber Security Model
9 September 2014: Cyber Security Model Defence and Security Accelerator
 
Product security program slideshare
Product security program slideshareProduct security program slideshare
Product security program slideshareAmir Einav
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...FinTech Belgium
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsSchneider Electric
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
Implementing Robust Cybersecurity Measures in IT Infrastructures
Implementing Robust Cybersecurity Measures in IT InfrastructuresImplementing Robust Cybersecurity Measures in IT Infrastructures
Implementing Robust Cybersecurity Measures in IT InfrastructuresVRS Technologies
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...Cohesive Networks
 
MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement William McBorrough
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskCloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskHealth Catalyst
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...North Texas Chapter of the ISSA
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCimetrics Inc
 
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...cyberprosocial
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptxlidiyamekonnen
 
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncrdollysharma2066
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 

More Related Content

Similar to Cybersec Supply Chain Risks and Governance v0.1.pdf

Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeNational Retail Federation
 
How to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteHow to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteSurfWatch Labs
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
Product security program slideshare
Product security program slideshareProduct security program slideshare
Product security program slideshareAmir Einav
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...FinTech Belgium
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsSchneider Electric
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
Implementing Robust Cybersecurity Measures in IT Infrastructures
Implementing Robust Cybersecurity Measures in IT InfrastructuresImplementing Robust Cybersecurity Measures in IT Infrastructures
Implementing Robust Cybersecurity Measures in IT InfrastructuresVRS Technologies
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...Cohesive Networks
 
MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement William McBorrough
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskCloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskHealth Catalyst
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...North Texas Chapter of the ISSA
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCimetrics Inc
 
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...cyberprosocial
 

Similar to Cybersec Supply Chain Risks and Governance v0.1.pdf (20)

Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk Imperative
 
How to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteHow to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-Suite
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
30 September 2014: Cyber Security Model
30 September 2014: Cyber Security Model30 September 2014: Cyber Security Model
30 September 2014: Cyber Security Model
 
Robert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government ContractorsRobert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government Contractors
 
9 September 2014: Cyber Security Model
9 September 2014: Cyber Security Model 9 September 2014: Cyber Security Model
9 September 2014: Cyber Security Model
 
Product security program slideshare
Product security program slideshareProduct security program slideshare
Product security program slideshare
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornet...
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
Implementing Robust Cybersecurity Measures in IT Infrastructures
Implementing Robust Cybersecurity Measures in IT InfrastructuresImplementing Robust Cybersecurity Measures in IT Infrastructures
Implementing Robust Cybersecurity Measures in IT Infrastructures
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
 
MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskCloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor Risk
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide Deck
 
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptx
 

Recently uploaded

Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncrdollysharma2066
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadAyesha Khan
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCRsoniya singh
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creationsnakalysalcedo61
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 

Recently uploaded (20)

Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creations
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 

Cybersec Supply Chain Risks and Governance v0.1.pdf

  • 1. Cyber Security Supply Chain Risks and Governance By: David NJOGA – Cyber GRC Expert (NC3) CONFIDENTIAL 1
  • 2. CONFIDENTIAL Aim • Apprise the participants on the cybersecurity governance principles, and their alignment towards effective supply chain risks treatments to enhance national security. CONFIDENTIAL 2
  • 3. CONFIDENTIAL Scope Introduction Objectives Justification Supply Chain Risks Supply Chain Risks Treatment Plans Conclusion Plenary CONFIDENTIAL 3
  • 4. CONFIDENTIAL Introduction • Cyber Security Governance provides strategic visibility into business risks based on cyber threats to: • achieve compliance requirements • improve the nation’s overall cyber security posture CONFIDENTIAL 4
  • 5. CONFIDENTIAL Objectives of Cyber Security Governance • To provide pivotal cyber governance activities for effective and efficient national cyber operations to improve national security. CONFIDENTIAL 5 Fig. 1: NIST Cybersecurity Framework v1.1
  • 6. CONFIDENTIAL Objectives of Cyber Security Governance. . . • Cyber Governance is concerned with value delivery from digital transformation and the mitigation of business risk that results from digital transformation. CONFIDENTIAL 6 Benefits Realization Risk Optimization Resource Optimization Fig. 2: COBIT 2019 Value Chain
  • 7. CONFIDENTIAL Components of Cyber Governance System CONFIDENTIAL 7 Fig. 3: COBIT 2019 Governance System
  • 8. CONFIDENTIAL Key Roles, Activities and Relationships CONFIDENTIAL 8 Fig. 4: COBIT 2019 Governance vs Management
  • 10. CONFIDENTIAL Supply Chain • Cybersecurity in the supply chain cannot be viewed as an IT problem only! • Cyber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise. • Cyber supply chain risks require a coordinated effort to address. CONFIDENTIAL 10
  • 12. CONFIDENTIAL Some Cyber Attacks NotPetya ransomware hit global businesses in approximately 59 countries in late June 2017; an attack which prevented one of the largest container shippers, Maersk Line, from taking new orders Superfish adware installed on Lenovo notebooks could intercept encrypted https traffic (2014-2015) Exploitation of internet of things (IoT) sensors Bogus traffic attacks from Google Traffic Analytics CONFIDENTIAL 12
  • 13. CONFIDENTIAL Cyber Supply Chain Security Principles Develop your defenses based on the principle that your systems will be breached. Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Security is Security. CONFIDENTIAL 13 “Sharing information with suppliers is essential, yet increases the risk of that information being compromised” (Bowman 2013).
  • 14. CONFIDENTIAL Supply Chain Risks • Cyber supply chain risks covers a lot of territory. Some of the concerns include risks from: Third party service providers or vendors to software engineering. Poor information security practices by lower‐tier suppliers. Compromised software or hardware purchased from suppliers. Software security vulnerabilities in supply chain management or supplier systems. Counterfeit hardware or hardware with embedded malware. Third party data storage or data aggregators. CONFIDENTIAL 14
  • 15. CONFIDENTIAL Appreciation of suppliers’ cybersecurity practices Is the vendor’s software / hardware design process documented? Repeatable? Measurable? Is the mitigation of known vulnerabilities factored into product design? How does the vendor stay current on emerging vulnerabilities? What controls are in place to manage and monitor production processes? CONFIDENTIAL 15
  • 16. CONFIDENTIAL Appreciation of suppliers’ cybersecurity practices … How is configuration management performed? Quality assurance? What levels of malware protection and detection are performed? What steps are taken to “tamper proof” products? Are backdoors closed? What physical security measures are in place? Documented? Audited? What access controls, both cyber and physical are in place? How are they documented and audited? CONFIDENTIAL 16
  • 17. CONFIDENTIAL Appreciation of suppliers’ cybersecurity practices … What type of employee background checks are conducted and how frequently? What security practice expectations are set for upstream suppliers? How is adherence to these standards assessed? How secure is the distribution process? Have approved and authorized distribution channels been clearly documented? What is the component disposal risk and mitigation strategy? How does vendor assure security through product lifecycle? CONFIDENTIAL 17
  • 18. CONFIDENTIAL Cyber Supply Chain Best Practices Security requirements are included in every RFP and contract. Onsite collaboration with vendors to address any vulnerabilities and security gaps. “One strike and you’re out” policies with respect to vendor products that are either counterfeit or do not match specification. Component purchases are tightly controlled; component purchases from approved vendors are prequalified CONFIDENTIAL 18
  • 19. CONFIDENTIAL Cyber Supply Chain Best Practices… Secure Software Lifecycle Development Programs and training for all engineers in the life cycle are established. Source code is obtained for all purchased software. Software and hardware have a security handshake. Automation of manufacturing and testing regimes reduces the risk of human intervention. CONFIDENTIAL 19
  • 20. CONFIDENTIAL Cyber Supply Chain Best Practices… Track and trace programs establish provenance of all parts, components and systems. Programs capture “as built” component identity data for each assembly and automatically links the component identity data to sourcing information. Personnel in charge of supply chain cybersecurity partner with every team that touches any part of the product during its development lifecycle and ensures that cybersecurity is part of suppliers’ and developers’ employee experience, processes and tools. Legacy support for end-of‐life products and platforms; assure continued supply of authorized IP and parts. Tight controls on access by service vendors are imposed. CONFIDENTIAL 20
  • 21. CONFIDENTIAL Strategic and Systemic transformation The strategic dimension covers setting strategy, planning and implementing high‐level steps, and initiating a program and related portfolio of cybersecurity projects. The systemic dimension addresses dependencies between parts of the cybersecurity system that will have an impact on how change will be achieved and what will be the immediate and secondary effects. CONFIDENTIAL 21
  • 22. CONFIDENTIAL Recommendations • Adopt Local Robust IT security solutions • Compliance and Governance of suppliers, vendors, third-party actors, partners, traders, manufacturers and contractors. • Certification of International Standards CONFIDENTIAL 22
  • 23. CONFIDENTIAL Conclusion • Cyber governance needs to acknowledge the fact that attacks, incidents and breaches always target the weakest link in the security of value chain of the enterprise. • Consequently, the national cyber security governance design will address the following two dimensions: • Basic governance provisions, e.g., expressing the intentions and overall goals of senior executives and management; • Extended governance provisions, e.g., guidance for processes that handle cybercrime and cyberwarfare attacks or links to business assurance. CONFIDENTIAL 23