Mr Ward suggests asking the right questions of suppliers to gather the appropriate evidence needed to mitigate risks.
“Questions range everywhere from the supplier’s ability to encrypt data, use of MFA, password policies, patching program management, architecture and segmentation, cloud usage and many more,” he said.
“Your assessment questions must be balanced. Too little and you won’t know what’s really going on; too much and you’ll be lucky to get a response from your suppliers.
“More importantly, you should be going further than assessment questionnaires. Ask for evidence – security policy, penetration test reports, certifications like ISO 27001 and SOC2 reports.”
Cyber Supply Chain Risk Management
To help you achieve cyber supply chain risk management, the Australian Cyber Security Centre (ACSC) has simplified the process into the following five steps:
- identifying the cyber supply chain
- understanding the cyber supply chain risk
- setting cyber security expectations
- auditing for compliance
- monitoring and improving cyber supply chain security practices.