C-SCRM - Policy
1. Introduction
This policy covers the management of cyber security supply chain risk in the Melbourne Racing Club (MRC). It is based on, and directs the implementation of, the defined C-SCRM strategy. It addresses the goals and objectives of the C-SCRM strategy, as well as aligning with existing internal policies and procedures, and any external legislation or other regulatory requirements.
The policy will establish the following:
- The integration points between C-SCRM and enterprise risk management processes, and how they will interoperate;
- Roles and responsibilities of the personnel involved with C-SCRM;
- The need to conduct risk assessments;
- Identifying and implementing mitigation measures;
- Managing exemptions; and
- Other C-SCRM functions.
2. Policy
MRC recognises the importance of understanding and managing the risk associated with its cyber security supply chain. MRC has undertaken a strategy to mitigate this risk through the implementation of a cyber security risk management program.
The objective of the policy is to implement and maintain the capability to provide assurance that the products, services and solutions used by MRC are appropriately secure, resilient and performant.
The C-SCRM process will identify and assess vulnerabilities and threats throughout the supply chain, and its associated lifecycle. The C-SCRM program will be tasked with implementing strategies and mitigating controls to reduce risk to an acceptable level.
C-SCRM is established to implement and maintain MRC’s ability to:
- Develop an overall C-SCRM strategy and high-level implementation plan, policies, processes, and procedures;
- Determine the criticality of suppliers, services and systems and differentiate responses based on this;
- Assess and appropriately respond to cybersecurity risks that arise from the acquisition, use and disposal of products, services and systems;
- Integrate supply chain risk management practices throughout the acquisition and life cycle of products, services and systems; and
- Guide and oversee implementation progress and program effectiveness.
The C-SCRM Program shall:
- Be endorsed by designated senior leadership;
- Leverage and be appropriately integrated into MRC’s existing risk management and decision-making governance processes and structures;
- Use a team-based approach that is collaborative and interdisciplinary;
- Implement and adhere to any legal or regulatory C-SCRM requirements;
- Apply the C-SCRM practices and capabilities needed to assess, respond to, and monitor cybersecurity supply chain risks arising from pursuit of MRC’s core objectives;
- Integrate C-SCRM activities into applicable activities to support MRC’s objective to manage cybersecurity risks throughout the supply chain;
- Assign and dedicate the resources needed for executing C-SCRM activities;
- Identify critical suppliers, and assess the level of risk exposure that arises from that relationship;
- Ensure the cybersecurity of the supply chain across its entire lifecycle;
- Implement risk response efforts to reduce exposure to cybersecurity risks throughout the supply chain;
- Monitor MRC’s ongoing cybersecurity risk exposure in the supply chain;
- Ensure that the organisation is aware of the C-SCRM process, how it impacts them, and how to use it; and
- Provide periodic reporting to identified enterprise risk management and C-SCRM stakeholders.
3. Authority and Compliance
This section documents the legislation, directives, regulations, policies, standards, and guidelines that govern the C-SCRM policy.
This policy is designed to ensure compliance with the following:
- Policies
  - MRC Enterprise Risk Management Policy
  - MRC Information Security Policy
  - MRC Cybersecurity Supply Chain Risk Management Strategy
- Legislation
  - Add any relevant legislation here.
- Regulations
  - Add any relevant regulations here.
- Guidelines
  - NIST SP 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
4. Revision and Maintenance
The C-SCRM policy must be reviewed on an annual basis, at minimum, since changes to laws, policies, standards, guidelines, and controls are dynamic and evolving.
Additional criteria that may trigger interim revisions include:
- A change of policies that impact the C-SCRM policy,
- Significant C-SCRM events,
- The introduction of new technologies,
- The discovery of new vulnerabilities,
- Operational or environmental changes,
- Shortcomings in the C-SCRM policy,
- A change of scope, and
- Other enterprise-specific criteria.
| Version | Date | Description of Change/Revision | Section/Pages Affected | Changes Made By |
|---------|------|--------------------------------|------------------------|-----------------|
| 1.0     |      | First draft                    | All                    | Trinity Cyber Security |

Table 1: Version Management