C-SCRM - Process
1. Background and Purpose
This document defines the process that is used to implement MRC’s C-SCRM.
The process has two main stages – the allocation of candidate suppliers into tiers, and the application of certain risk management actions based on their tiers. This allows differentiation of controls based on the criticality or risk associated with a supplier.
Once a supplier has been assigned to a tier, further actions are taken based on the specific point in the relationship with MRC. Three phases are used, each of which deals with a separate part of a typical supply chain lifecycle. These are:
- Acquisition – The actions that need to be taken to understand and mitigate the risk prior to entering a relationship with a supplier.
- Utilisation – The ongoing use of a service, product or system from a supplier.
- Disposal – The termination of a relationship with a supplier, or the disposal of products or systems.
Given the range of possible suppliers and differences between their capabilities and the services they provide, allowance is given for the variation of controls applied to a tier. The process for doing this is also included in this document.
The objective of the process is to ensure that appropriate consideration is given to risk in the cyber security supply chain at each of these stages.
2. Process
The process for supply chain risk management is described below. It covers C-SCRM stages, the tiering of suppliers, and the actions required per stage, per tier.
Each of the stages has similarities with the others, and follows the same broad sequence:
- An action triggers a sequence.
- The associated supplier/service/product is identified, which mandates a list of buyer and supplier actions.
- Buyer actions for the stage and tier are applied as per the procedures.
- Supplier actions for the stage and tier are applied as per the procedures.
- The outcome of the process is determined, and stakeholders are informed.
2.1. Stages
The C-SCRM process must cover the full life cycle of supplied systems. This includes acquisition, utilisation, and disposal. Each of these stages has a different set of actions that may need to be undertaken. The series of diagrams below does not include all the actions that need to be undertaken; these are documented in separate procedures.
2.1.1. Acquisition
This is the process by which a supplier is selected and onboarded into the organisation in preparation for supply of products or services.

Figure 1: C-SCRM Acquisition Process
The process is summarised below:
- There is one entry event:
- A business unit requests that a supplier be onboarded by completing a request form.
- There are two end events:
- A supplier assessment has failed, and the process terminates.
- A supplier assessment has passed, and procurement have successfully onboarded the supplier.
- There are four actors in this process:
- Business Unit – the entity making the request to engage with a new supplier.
- Supply Chain Risk Staff – the supply chain risk subject matter experts responsible for assessing the new supplier.
- Procurement – the business function that onboards the supplier onto the organisation.
- Supplier – the potential supplier of goods and/or services to the organisation.
- The Business Unit actions are simple: they start the process, complete the request for assessment, and are then notified of success or failure.
- Supply Chain Risk Staff are the primary actors in the process and are responsible for:
- receiving the request,
- assessing the risk associated with the supplier,
- assigning the supplier to a tier,
- determining if an exemption is required,
- recording an exemption in the risk register if required,
- modifying the actions if an exemption is required,
- undertaking buyer review actions,
- requesting the supplier to undertake supplier actions, if there are any,
- assessing the outcomes of actions,
- requesting the supplier undertake remedial actions, and assessing their outcomes,
- approving or denying the supplier onboarding,
- informing the business unit of failure or success,
- passing approved reviews to Procurement for further onboarding.
- Procurement simply actions an approved supplier onboarding request using their existing processes.
2.1.2. Utilisation
This is the ongoing use of a supplier. Typically, periodic actions would be undertaken during this stage (e.g., annual reviews of suppliers), or actions triggered by changes in supplier relationships or elevated supplier risks.

Figure 2: C-SCRM Utilisation Process
The process is summarised below:
- There are four possible entry events:
- A business unit determines supplier conditions have changed and requests a re-evaluation.
- Supply chain risk staff determine that supplier conditions have changed and request a re-evaluation.
- A periodic re-evaluation of a supplier is triggered.
- Supplier relationship staff determine that supplier conditions have changed and request a re-evaluation.
- There are two end events:
- A supplier assessment has passed.
- A supplier assessment has failed, and procurement have successfully offboarded the supplier.
- There are four actors in this process:
- Business Unit – the entity making the request to engage with a new supplier.
- Supply Chain Risk Staff – the supply chain risk subject matter experts responsible for assessing the new supplier.
- Supplier Relations – the business function that maintains the supplier relations with the organisation.
- Supplier – the potential supplier of goods and/or services to the organisation.
- The Business Unit actions are simple: they start the process, complete the request for re-assessment, and are then notified of success or failure.
- Supply Chain Risk Staff are the primary actors in the process and are responsible for:
- determining if supplier conditions have changed,
- receiving notifications of periodic re-assessments,
- receiving a re-assessment request,
- assessing the risk associated with the supplier,
- determining if an exemption is required,
- recording an exemption in the risk register if required,
- modifying the actions if an exemption is required,
- assigning the supplier to a tier,
- undertaking buyer review actions,
- requesting the supplier to undertake supplier actions, if there are any,
- assessing the outcomes of actions,
- requesting the supplier undertake remedial actions, and assessing their outcomes,
- informing the business unit of failure or success,
- passing failed reviews to Supplier Relations for offboarding.
- Supplier Relations:
- complete a request for re-assessment based on changed supplier conditions,
- action offboarding of suppliers using their existing processes.
2.1.3. Disposal
The final stage of the life cycle is responsible for ensuring the security of the enterprise upon ceasing use of a supplier. Actions here typically include revocation of access to systems or facilities.

Figure 3: C-SCRM Disposal Process
The process is summarised below:
- There are two possible entry events:
- A business unit requests that a supplier relationship be terminated,
- The supply term concludes.
- There are two end events:
- A supplier relationship is extended.
- A supplier relationship is terminated, and the supplier is offboarded.
- There are four actors in this process:
- Business Unit – the entity making the request to engage with a new supplier.
- Supply Chain Risk Staff – the supply chain risk subject matter experts responsible for assessing the new supplier.
- Supplier Relations – the business function that maintains the supplier relations with the organisation.
- Supplier – the potential supplier of goods and/or services to the organisation.
- The Business Unit actions are simple: they start the process, complete a request for supplier termination, and are then notified of completion.
- Supply Chain Risk Staff are the primary actors in the process and are responsible for:
- determining if an exemption is required,
- recording an exemption in the risk register if required,
- modifying the actions if an exemption is required,
- applying any offboarding actions,
- sending offboarding actions to the supplier, and assessing the results,
- informing the business unit of successful termination of the supplier relationship.
- Supplier Relations:
- receive notification of a supply term concluding,
- determine if a supply term needs to be extended,
- request termination or extend the relationship.
2.2. Tiers
To simplify the process, suppliers will be placed into tiers. The tiers, and the criteria for placement in them, are defined below:
Tier 1 criteria:
- Access to sensitive information.
- Access to, or involvement with, critical business processes.
- Access to critical/sensitive business areas or facilities.
- Loss of this product or service will severely impact the ability of the organisation to do business.
Tier 2 criteria:
- Access to non-sensitive information.
- Access to, or involvement with, non-critical business processes.
- Access to non-critical/non-sensitive business areas or facilities.
- Loss of this product or service will only impact the ability of the organisation to do business efficiently.
Tier 3 criteria:
- No access to any type of information.
- No access to, or involvement with, critical business processes.
- Access to non-critical/non-sensitive business areas or facilities.
- Loss of this product or service will not impact the ability of the organisation to do business.
Table 2: Tiers
Risk assessments of suppliers are based on an internal assessment and are the primary mechanism by which a supplier is placed into a tier. While the criteria above establish some qualitative combination of factors, there can be variations within these, and a judgement call as to where exactly to place a supplier will still be required in many cases.
The above criteria can be imagined as existing on a continuum, with Tier 1 being associated with the highest risk, Tier 2 with moderate risk, and Tier 3 with minimal risk. Some suppliers may not fit neatly into a Tier, notably where there is a mix of higher and lower criteria being met. In cases such as this, the preference should be to “round up” to the highest Tier.
Rounding up may impose actions on a supplier that are excessive; in this case, an exemption can be sought. Exemptions are covered in 2.6 Relevance Variations and Exemptions.
2.3. Tier Assignment
Assignment to tiers processes a candidate supplier, product or system through several gates. The gates are designed to provide the easiest, least ambiguous means of placing a candidate into a tier.
The assignment process is illustrated below:
Figure 4: C-SCRM Tiering Assignment Process
Most candidates are expected to be in Tier 3. Tier 3 is the tier with the lowest risk associated with it and requires the least effort to onboard. It is therefore beneficial to identify Tier 3 candidates as early as possible, so that they can be processed quickly.
Gate 1 – Tier 3 Assignment
Assignment to Tier 3 is assessed based on the responses to the following questions:
- Does this supplier/product/system have access to any type of information? (Y/N)
- Does this supplier/product/system have access to, or involvement with, any critical business processes? (Y/N)
- Does this supplier/product/system only have access to non-critical/non-sensitive business areas or facilities? (Y/N)
- Does the loss of this supplier/product/system impact the ability of the organisation to do business? (Y/N)
If the response to ALL of the questions is No, then the candidate can be assigned to Tier 3.
Gate 2 – Tier 1 Assignment
To determine if a candidate is Tier 1, the following responses are required:
- Does this supplier/product/system have access to sensitive information? (Y/N)
- Does this supplier/product/system have access to, or involvement with, any critical business processes? (Y/N)
- Does this supplier/product/system have access to critical/sensitive business areas or facilities? (Y/N)
- Does loss of this supplier/product/system severely impact the ability of the organisation to do business? (Y/N)
If the answer to ANY of these questions is Yes, then the candidate is assigned to Tier 1.
Otherwise, candidates can be assigned to Tier 2.
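The two gates above as a worked example in Python; this is an added illustration, not MRC's own tooling. It grades each of the four criteria at one of three levels taken from the rows of Table 2 rather than as separate Y/N answers (an assumption of this example), checks Gate 1 against the Tier 3 row (so non-critical area access does not block Tier 3), and lets the "round up" preference fall out of Gate 2, since any single Tier 1 criterion is enough. The sample candidates are constructed.

```python
from dataclasses import dataclass

# Levels for each criterion, ordered from the Tier 3 row (index 0) of Table 2
# up to the Tier 1 row (index 2). The three-level grading is an assumption of
# this example; the document phrases each gate as Y/N questions.
ALLOWED = {
    "information": ("none", "non_sensitive", "sensitive"),
    "processes": ("none", "non_critical", "critical"),
    "areas": ("none", "non_critical", "critical"),
    "loss_impact": ("none", "efficiency", "severe"),
}


@dataclass(frozen=True)
class Candidate:
    """A supplier, product or system being assessed for a tier."""
    name: str
    information: str
    processes: str
    areas: str
    loss_impact: str


def ranks(c: Candidate) -> dict:
    """Map each criterion of the candidate to its rank 0 (lowest) .. 2 (highest)."""
    out = {}
    for criterion, levels in ALLOWED.items():
        value = getattr(c, criterion)
        if value not in levels:
            raise ValueError(f"{c.name}: {criterion} must be one of {levels}, got {value!r}")
        out[criterion] = levels.index(value)
    return out


def gate1_tier3(c: Candidate) -> bool:
    """Gate 1: Tier 3 only if every criterion sits on the Tier 3 row of Table 2.
    That row still permits access to non-critical/non-sensitive areas, so the
    areas criterion may be rank 0 or 1; everything else must be rank 0."""
    r = ranks(c)
    return r["information"] == 0 and r["processes"] == 0 and r["areas"] <= 1 and r["loss_impact"] == 0


def tier1_triggers(c: Candidate) -> list:
    """Criteria sitting on the Tier 1 row. These are what an exemption request
    would have to address if the resulting actions turn out to be excessive."""
    return [k for k, v in ranks(c).items() if v == 2]


def gate2_tier1(c: Candidate) -> bool:
    """Gate 2: Tier 1 if ANY criterion is on the Tier 1 row. A mix of high and
    low criteria therefore "rounds up" to Tier 1, as the document prefers."""
    return bool(tier1_triggers(c))


def assign_tier(c: Candidate) -> int:
    """Run the gates in the order the document gives: Gate 1, then Gate 2, else Tier 2."""
    if gate1_tier3(c):
        return 3
    if gate2_tier1(c):
        return 1
    return 2


# Constructed sample candidates (not real MRC suppliers).
SOC_PROVIDER = Candidate("Managed SOC provider", "sensitive", "critical", "none", "severe")
PLANT_SERVICE = Candidate("Office plant maintenance", "none", "none", "non_critical", "none")
ANALYTICS_SAAS = Candidate("Marketing analytics SaaS", "non_sensitive", "non_critical", "none", "efficiency")
# Mixed case: no information or process involvement, but access to a sensitive area.
CLEANER = Candidate("Cleaning contractor with server room access", "none", "none", "critical", "none")

if __name__ == "__main__":
    for c in (SOC_PROVIDER, PLANT_SERVICE, ANALYTICS_SAAS, CLEANER):
        print(f"{c.name}: Tier {assign_tier(c)}, Tier 1 triggers = {tier1_triggers(c)}")
```

The cleaning contractor shows the round-up rule in action: three criteria are at the Tier 3 level, but one Tier 1 criterion (areas) is enough for Tier 1, and the trigger list tells the assessor exactly which criterion an exemption would need to address.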
2.4. Actions per Tier per Stage
The following actions apply to each tier and lifecycle stage. Actions are broken down into two sides:
- Supplier – Actions that are imposed on the supplier to ensure that risk is appropriately managed.
- Buyer – Actions that MRC, as the buyer, must do to ensure that risk associated with a supplier is appropriately managed.
2.4.1. Tier 1 Actions
Acquisition – Supplier actions:
- Return completed Tier 1 Supplier C-SCRM Questionnaire. (As per <Tier 1 Supplier SCRM Questionnaire>.)
- Incorporate a legal clause that requires the supplier to inform you of any security incidents, alerts, advisories or directives. (As per <Relevant MRC Legal Clause>.)
- Incorporate a legal clause that specifies what you expect to be done with data once supply ceases. (As per <Relevant MRC Legal Clause>.)
- Incorporate any other legal clauses. (As per <Relevant MRC Legal Clause>.)
Acquisition – Buyer actions:
- Provide accounts with least privilege to execute tasks. (As per <Relevant MRC Procedure>.)
- Provide secure remote access. (As per <Relevant MRC Procedure>.)
- Ensure staff have adequate training to use the product/system. (As per <Relevant MRC Procedure>.) Comment: Systems may be complex, and staff may require appropriate training to safely and effectively use them.
- Provide a suitably locked down and secure device for the supplier to use. (As per <Relevant MRC Procedure>.)
- Ensure that contingency plans are made for the supplier. (As per <Relevant MRC Procedure>.) Comment: Understand the implications of what happens when a supplier can no longer supply you, or when supply is impacted (e.g., limited to an amount below what you can effectively operate with). Do you need to ensure that you have a backup supplier? Do you need to lay the groundwork for this? Do you need to have a reserve of the product or system to ensure that you can ride out any disruptions?
- Include the supplier in incident response plans. (As per <Relevant MRC Procedure>.)
- Check certifications. (As per <Relevant MRC Procedure>.) Comment: For example, a supplier with ISO27001 certification is likely to be taking cybersecurity more seriously than one without.
- Ensure that users of the product/service/system are appropriately screened. (As per <Relevant MRC Procedure>.) Comment: In some cases, the product/system/service may be sensitive enough in nature to require that anyone using it be appropriately screened. This is likely a niche case. An example would be that users of some systems may have to be VGCCC licensed. See https://www.vgccc.vic.gov.au/gambling/gaming-industry-employee/understand-your-permit/licence-conditions-and-duties
- Scan systems/products for vulnerabilities before use. (As per <Relevant MRC Procedure>.) Comment: For example, perform a vulnerability scan, or even just a virus scan, on a device before plugging it in to a sensitive network.
- Ensure that the system being sought has good documentation. (As per <Relevant MRC Procedure>.) Comment: Clear, easily accessible documentation is critical to the effective use of a system. Consider the worst-case scenario: an incident involving the system, and no one has access to documentation.
- Ensure that internal documentation is updated to include the new product/system/service where required. (As per <Relevant MRC Procedure>.) Comment: For example, update any designs to include new systems that integrate with them.
- Ensure that the product/system/service does not use or require unsupported components. (As per <Relevant MRC Procedure>.) Comment: For example, you may be buying a system that uses software or operating systems that are no longer supported. Also consider that some systems may have requirements that oblige you to run systems you don't support. For example, a new solution needs an Oracle database, but you only support MongoDB internally.
- Validate supplier is not on the forbidden supplier list. (As per <Relevant MRC Procedure>.)
- Apply the necessary boundary protections to ensure that access is appropriately restricted. (As per <Relevant MRC Procedure>.) Comment: For example, apply the most restrictive firewall rules for the case of a supplier requiring access to networks or systems.
Utilisation – Supplier actions:
- Return completed Tier 1 Supplier C-SCRM Questionnaire. (As per <Tier 1 Supplier SCRM Questionnaire>.) Comment: This is an annual requirement to redo the questionnaire to ensure that any changes to the risk profile of the supplier are captured.
- Cadence meetings. (As per <Relevant MRC Procedure>.) Comment: This can be any number or type of meeting that manages the supplier. This is a broad category and depends on what is being supplied.
- Ensure that MRC is appropriately informed of any security incident. (As per <Relevant MRC Procedure>.)
- Ensure that MRC is informed of any material changes to the organisation that will affect their ability to supply. (As per <Relevant MRC Procedure>.)
Utilisation – Buyer actions:
- Understand the impact of changes made on organisational systems to the ability of suppliers to supply. (As per <Relevant MRC Procedure>.) Comment: Consider any changes you make to systems that a supplier relies on to deliver their service. For example, if you change how remote access is done, how does this affect your suppliers?
- Understand the changes made by a supplier on MRC’s operations. (As per <Relevant MRC Procedure>.) Comment: If a supplier informs MRC of a change to their product/system/service, then understand the implications of this. This is comparable to a standard change management impact assessment, where the change is made by the supplier.
- Include the supplier in incident response plan testing. (As per <Relevant MRC Procedure>.)
- Include the supplier in an incident response. (As per <Relevant MRC Procedure>.)
- Validate C-SCRM tiering. (As per Tier Assignment.)
Disposal – Supplier actions:
- Securely dispose of systems and provide certification of having done so. (As per <Relevant MRC Procedure>.)
- Delete any data as required by contractual agreements. (As per <Relevant MRC Procedure>.)
- Return any MRC assets. (As per <Relevant MRC Procedure>.)
Disposal – Buyer actions:
- Sanitise devices upon return from a supplier. (As per <Relevant MRC Procedure>.) Comment: This is to avoid the case of a supplier returning a laptop that has been inadvertently or deliberately compromised while they were using it.
- Request sanitisation certificates and ensure that they are filed appropriately. (As per <Relevant MRC Procedure>.)
- Manage data as per the data management policy upon termination of supply. (As per <Relevant MRC Procedure>.) Comment: Delete any supplier data you are obligated to delete.
- Update any internal documentation that references the supplier. (As per <Relevant MRC Procedure>.)
- Terminate any access that was provided to the supplier. (As per <Relevant MRC Procedure>.)
- Apply the necessary boundary protections to ensure that access is appropriately restricted upon termination of the relationship. (As per <Relevant MRC Procedure>.)
- Ensure that the supplier has returned any assets provided to them. (As per <Relevant MRC Procedure>.)
Table 3: Tier 1 Actions
2.4.2. Tier 2 Actions
Acquisition – Supplier actions:
- Return completed Tier 2 Supplier C-SCRM Questionnaire. (As per <Tier 2 Supplier SCRM Questionnaire>.)
- Incorporate a legal clause that requires the supplier to inform you of any security incidents, alerts, advisories or directives. (As per <Relevant MRC Legal Clause>.)
- Incorporate any other legal clauses. (As per <Relevant MRC Legal Clause>.)
Acquisition – Buyer actions:
- Provide accounts with least privilege to execute tasks. (As per <Relevant MRC Procedure>.)
- Provide secure remote access. (As per <Relevant MRC Procedure>.)
- Ensure staff have adequate training to use the product/system. (As per <Relevant MRC Procedure>.) Comment: Systems may be complex, and staff may require appropriate training to safely and effectively use them.
- Provide a suitably locked down and secure device for the supplier to use. (As per <Relevant MRC Procedure>.)
- Ensure that internal documentation is updated to include the new product/system/service where required. (As per <Relevant MRC Procedure>.) Comment: For example, update any designs to include new systems that integrate with them.
- Validate supplier is not on the forbidden supplier list. (As per <Relevant MRC Procedure>.)
- Apply the necessary boundary protections to ensure that access is appropriately restricted. (As per <Relevant MRC Procedure>.) Comment: For example, apply the most restrictive firewall rules for the case of a supplier requiring access to networks or systems.
Utilisation – Supplier actions:
- Return completed Tier 2 Supplier C-SCRM Questionnaire. (As per <Tier 2 Supplier SCRM Questionnaire>.) Comment: This is an annual requirement to redo the questionnaire to ensure that any changes to the risk profile of the supplier are captured.
- Ensure that MRC is appropriately informed of any security incident. (As per <Relevant MRC Procedure>.)
- Ensure that MRC is informed of any material changes to the organisation that will affect their ability to supply. (As per <Relevant MRC Procedure>.)
Utilisation – Buyer actions:
- Understand the impact of changes made on organisational systems to the ability of suppliers to supply. (As per <Relevant MRC Procedure>.) Comment: Consider any changes you make to systems that a supplier relies on to deliver their service. For example, if you change how remote access is done, how does this affect your suppliers?
- Understand the changes made by a supplier on MRC’s operations. (As per <Relevant MRC Procedure>.) Comment: If a supplier informs MRC of a change to their product/system/service, then understand the implications of this. This is comparable to a standard change management impact assessment, where the change is made by the supplier.
- Validate C-SCRM tiering. (As per Tier Assignment.)
Disposal – Supplier actions:
- Return any MRC assets. (As per <Relevant MRC Procedure>.)
Disposal – Buyer actions:
- Sanitise devices upon return from a supplier. (As per <Relevant MRC Procedure>.) Comment: This is to avoid the case of a supplier returning a laptop that has been inadvertently or deliberately compromised while they were using it.
- Update any internal documentation that references the supplier. (As per <Relevant MRC Procedure>.)
- Terminate any access that was provided to the supplier. (As per <Relevant MRC Procedure>.)
- Apply the necessary boundary protections to ensure that access is appropriately restricted upon termination of the relationship. (As per <Relevant MRC Procedure>.)
- Ensure that the supplier has returned any assets provided to them. (As per <Relevant MRC Procedure>.)
Table 4: Tier 2 Actions
2.4.3. Tier 3 Actions
Acquisition – Supplier actions:
- Incorporate any other legal clauses. (As per <Relevant MRC Legal Clause>.)
Acquisition – Buyer actions:
- Provide accounts with least privilege to execute tasks. (As per <Relevant MRC Procedure>.)
- Provide secure remote access. (As per <Relevant MRC Procedure>.)
- Validate supplier is not on the forbidden supplier list. (As per <Relevant MRC Procedure>.)
Utilisation – Supplier actions:
- Ensure that MRC is informed of any material changes to the organisation that will affect their ability to supply. (As per <Relevant MRC Procedure>.)
Utilisation – Buyer actions:
- Validate C-SCRM tiering. (As per Tier Assignment.)
Disposal – Supplier actions:
- Return any MRC assets. (As per <Relevant MRC Procedure>.)
Disposal – Buyer actions:
- Terminate any access that was provided to the supplier. (As per <Relevant MRC Procedure>.)
- Ensure that the supplier has returned any assets provided to them. (As per <Relevant MRC Procedure>.)
Table 5: Tier 3 Actions
2.5. Supplier Questionnaires
As is evident from the tables above, acquisition is clearly the busiest part of the lifecycle. It is also the most effective part of the lifecycle for understanding and mitigating risk.
One of the key controls in the acquisition phase is the request for suppliers to complete a questionnaire. This questionnaire stipulates what information is required by MRC to understand the risk that the supplier poses to MRC’s ability to continue to operate. There are two questionnaires, one for Tier 1 suppliers and one for Tier 2 suppliers.
These questionnaires can be found at <Link to Tier 1 and Tier 2 Supplier Questionnaires>.
2.6. Relevance Variations and Exemptions
Given the breadth of possible suppliers that MRC could use and the various ways in which they provide services, products or systems, it is not always possible to apply certain controls.
In this case, the following convention might be useful when determining a course of action:
- Is the application of the control relevant? For example, if the supplied item is a professional service, then scanning a device for vulnerabilities is obviously not possible and can be marked as not relevant.
- If you cannot apply the control at all, then can you apply a compensating control or a variation of the control?
- If yes, then you can mark this as a variation. Variations must be recorded in the risk register for ongoing oversight and maintenance.
- If no, then assess the risk and consider if you absolutely must work with this supplier. If you must work with the supplier and cannot vary the control or apply a compensating control, then you can exempt the supplier from the control. Exemptions should require approval and must be recorded in the risk register for ongoing oversight and maintenance.
The actual decision is left to the personnel involved, using their own discretion and experience.

Figure 5: C-SCRM Exemption Process
3. Authority and Compliance
This section documents the laws, executive orders, directives, regulations, policies, standards, and guidelines that govern the C-SCRM process.
This process is designed to ensure compliance with the following:
- Policies
- MRC Enterprise Risk Management Policy
- MRC Information Security Policy
- MRC Cybersecurity Supply Chain Risk Management Policy
- Legislation
- Add any necessary legislation here.
- Regulations
- Add any necessary regulations here.
- Guidelines
- NIST SP 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
4. Revision and Maintenance
MRC’s C-SCRM process must be reviewed on an annual basis, at minimum, since changes to laws, policies, standards, guidelines, and controls are dynamic and evolving.
Additional criteria that may trigger interim revisions include:
- A change of policies that impact the C-SCRM program,
- Significant C-SCRM events,
- The introduction of new technologies,
- The discovery of new vulnerabilities,
- Operational or environmental changes,
- Shortcomings in the C-SCRM policy,
- A change of scope, and
- Other enterprise-specific criteria.
Version | Date | Description of Change/Revision | Section/Pages Affected | Changes Made By
1.0 | | First draft | All | Trinity Cyber Security
Table 6: Version Management