Project summary

Most organisations are unable to effectively evaluate their suppliers’ cybersecurity maturity level. Conversely, from the suppliers’ viewpoint, unless they are certified against standards (e.g., ISO/IEC 27001), they are typically unable to articulate their cyber-maturity to prospective clients. We address this gap by developing a framework enabling suppliers to be automatically evaluated/certified into a single metric (e.g. 1-star vs 5-star, cf. Energy Star) based on the data/assets they handle, their existing security, and their plans to improve security. With PO CyberMetrix, we will research methodologies to evaluate suppliers across sectors (e.g. healthcare, government). Our framework promises to incentivise suppliers towards attaining acceptable security levels, and to uplift supply-chain security.


Project description

Rationale

In 2021, SolarWinds, a major US IT supplier, suffered a cyberattack [1] which spread to its clients, including the US Department of Homeland Security and Treasury, large companies such as Microsoft, and the leading cyber security company FireEye. While the systems of these individual government departments and large companies are usually well protected, the attackers from Russia were aware that these organisations did not manage the cyber security expectations of their suppliers such as SolarWinds. The compromise of SolarWinds went undetected for several months and was eventually used as a vector to spy on senior executives and key government officials.

The SolarWinds incident also raised awareness of supply chain security, and of the importance of regular evaluation and certification of suppliers’ cyber security. At the time of writing, there is no effective way to manage the security level of suppliers. An organisation such as our partner organisation CyberMetrix’s client Royal Flying Doctors Services (RFDS) would typically have at least 2000 suppliers (from SMEs to larger companies), and a manual security assessment/audit process is not practical for the relatively small cyber security or IT teams found in most industries. An efficient methodology to regularly assess and certify suppliers is required.

Methodology/Aims

In this research, combining CI Ko’s cyber security and ISO standards expertise and CI Slapnicar’s accounting and auditing expertise, we propose a framework which will enable:

Research Aim (RA) 1. Quantifying, classifying and tiering a list of common cyber security controls derived from prominent industry standards (e.g. ISO/IEC 27002, FedRAMP), and a resulting five-tier rating (e.g. 1-star to 5-star) for different sectors. For example, some controls are expected of all tiers (e.g. strong password management and authentication controls) while some are good-to-have for some industries (e.g. formal verification of source code before release). The quantification needs to balance technical and board-level expectations. This builds on CI Slapnicar’s experience [4, 5].

RA2. Self-assessment against client cyber security and industry vertical requirements. For example, a 3-star requirement in the healthcare sector may differ from a 3-star requirement in the aerospace sector.

RA3. Cyber security auditing, continuous monitoring, and assessment workflows to be automated in a replicable and transparent way.

This builds on CI Ko’s track record in tracking data provenance, cloud security and Security Information and Event Management (SIEM) (a type of software which fuses disparate system logs and data across an organisation’s networks to flag and respond to security events) [2, 3].
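To make the cumulative, sector-dependent tiering described in RA1 and RA2 concrete, the following is an added illustrative evaluator; it is not the project's methodology, and the control identifiers, catalogue and tier placements are constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_STARS = 5
ALL_SECTORS = frozenset({"healthcare", "aerospace", "government", "generic"})

@dataclass(frozen=True)
class Control:
    control_id: str                   # hypothetical identifier, not a standard's numbering
    description: str
    min_tier: int                     # lowest star tier at which the control is mandatory
    sectors: frozenset = ALL_SECTORS  # sectors in which the control applies at all

# Constructed catalogue: ids, wording and tier placements are assumptions, loosely
# following the page's examples (password controls for every tier, formal
# verification as a top-tier, sector-specific expectation).
CATALOGUE = [
    Control("AC-1", "strong password management and authentication", 1),
    Control("LOG-1", "security event logs retained and reviewed", 2),
    Control("LOG-2", "logs forwarded to a SIEM with alerting", 3),
    Control("HC-1", "patient records encrypted at rest", 3, frozenset({"healthcare"})),
    Control("SC-1", "software bill of materials for each release", 4),
    Control("FV-1", "formal verification of source code before release", 5, frozenset({"aerospace"})),
]

@dataclass
class Rating:
    stars: int                        # highest tier fully satisfied (0 if tier 1 is not met)
    gaps_to_next: list = field(default_factory=list)  # control ids blocking the next tier

def rate_supplier(implemented: set[str], sector: str, catalogue=CATALOGUE) -> Rating:
    """Tiers are cumulative: k stars require every control with min_tier <= k that
    applies to `sector`. Stop at the first tier with a gap and report what is missing,
    so the supplier sees exactly which controls would lift it to the next star."""
    applicable = [c for c in catalogue if sector in c.sectors]
    stars = 0
    for tier in range(1, MAX_STARS + 1):
        required = [c for c in applicable if c.min_tier <= tier]
        missing = [c.control_id for c in required if c.control_id not in implemented]
        if missing:
            return Rating(stars, missing)
        stars = tier
    return Rating(stars, [])

if __name__ == "__main__":
    # Same self-assessment answers, two sectors: the healthcare bar for 3 stars is higher.
    answers = {"AC-1", "LOG-1", "LOG-2"}
    for sector in ("healthcare", "aerospace"):
        r = rate_supplier(answers, sector)
        print(f"{sector}: {r.stars} star(s); missing for next tier: {r.gaps_to_next}")
```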

Innovation

The main innovations are threefold:

1. A methodology to measure the cyber security posture of suppliers in an easy-to-understand metric. Expectations can be communicated across organizational hierarchies and also across organisations.

2. Automation of the supplier cyber security audit process. This accelerates the currently manual process.

3. A cost-effective way to manage very large numbers of suppliers, and clarity of client cyber security expectations. For example, a client could expect a supplier of bottled drinking water to be at 1-star, while the supplier of cloud services to the client would be expected to be at 5-star.



Partner organization(s)

Cyber Metrix
CSCAU

Project members

Lead investigator:

Professor Ryan Ko

Chair & Director - Cyber Security
School of Electrical Engineering and Computer Science

Other investigator(s):

Associate Professor Sergeja Slapnicar

Associate Professor in Accounting
School of Business