C-SCRM - Strategy
1. Introduction
Melbourne Racing Club (MRC) operates and manages several racecourses, hotels, and other venues. The club offers membership to the public for exclusive access to events, additional benefits, and other initiatives. Like most modern businesses, MRC is heavily reliant on information and technology for successful operation, so securing its data and operations makes cyber security an ongoing concern.
MRC has suppliers of various products and services. Many suppliers pose a cyber security risk to organisations, and MRC is no different. MRC is looking to undertake a comprehensive program of works that aims to deliver policy and processes to better manage the cyber security risk associated with the supply chain.
This document describes the Cybersecurity Supply Chain Risk Management (C-SCRM) strategy and implementation plan that will address this need and describe the steps that need to be taken to ensure efforts are coordinated and aligned with the broader goals of the organisation.
The scope of the C-SCRM program covers only the risk posed by suppliers to MRC, not the risk posed by MRC to its own consumers or users.
2. Purpose
The purpose of this document is to establish a set of objectives and series of steps for the implementation of effective C-SCRM capabilities, practices, processes and tools within the organisation. The objectives must be aligned with and cover the scope of the vision, mission and values of the organisation.
This document covers the necessary core functions, roles, responsibilities and the approach that will be taken to implement the desired C-SCRM outcomes in the organisation.
Given that this is the first iteration of the strategy, the focus will be on establishing an understanding of the organisation and its present C-SCRM capability, and on establishing a set of baseline functions. These include the development of policies, processes and procedures, assignment of ownership and responsibilities, raising awareness, and the allocation of the necessary resources to effectively execute C-SCRM.
3. Authority and Compliance
The following legislation, regulations, standards or guidelines either govern the C-SCRM capability, or were used to create it:
- Standards
  - Any internal ERM standards should be referenced here.
  - Add any other standards that this strategy should adhere to.
- Policies
  - Procurement Principles
  - Authority Limits Policy
  - Capital Expenditure Policy
  - Third Party Policy
- Guidelines
  - NIST SP 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
4. Strategic Objectives
Given that this is the first time that a formal strategy has been implemented at MRC, there is a need to establish the foundations of a C-SCRM capability, hence there is only one objective at this point.
Objective 1: Effectively manage cybersecurity risks throughout the supply chain
This is the primary objective of the C-SCRM program. The C-SCRM capability allows the organisation to identify, assess and mitigate supply chain risk to the organisation’s assets, functions and services.
It aims to establish an initial capability that will expand in scope and effectiveness in phases, and incorporates the people, processes and technologies needed to ensure that it can meet its stated goals of improving awareness, protection and resilience.
Given the foundational nature of this objective, it will be the only objective for the program. This strategy will be revisited in due course, and additional objectives will be defined at that point.
5. Implementation Plan
To execute the C-SCRM strategy, milestones are defined that deliver incremental progress toward the objective. It is critical that there is commitment to achieving these milestones, and that they are formally tracked.
The following implementation plan will be maintained by the personnel responsible for the implementation of the C-SCRM program.
Objective 1: Effectively manage cybersecurity risks throughout the supply chain
| Milestone | Status | Owner | Priority | Target Date |
|---|---|---|---|---|
| Establish policy and authority | Partial – Policy is complete; authority is yet to be defined. | | | |
| Establish and provide executive oversight and direction | | | | |
| Integrate C-SCRM into the enterprise risk management (ERM) framework | | | | |
| Establish roles and responsibilities, and assign accountability | Draft roles and responsibilities provided, awaiting review. | | | |
| Develop C-SCRM processes | Draft processes developed, awaiting review. | | | |
| Develop C-SCRM procedures | Draft actions defined, awaiting review. | | | |
| Establish the internal awareness function | | | | |
| Develop internal C-SCRM awareness training material | | | | |
| Deploy internal C-SCRM awareness training | | | | |
| Identify, prioritise, and implement supply chain risk assessment capabilities | | | | |
| Establish, document, and implement SCRM controls | Draft controls provided in process, awaiting review. | | | |
| Identify C-SCRM resource requirements, and secure sustained funding | Deferred until the program has run for a period. | | | |
| Establish C-SCRM program performance monitoring | Deferred until the program has run for a period. | | | |

Table 1: Objective 1 – Tracking
6. Revision and Maintenance
This C-SCRM strategy and implementation plan must be reviewed at least every one to two years, since the laws, policies, standards, guidelines, and controls it relies on are dynamic and evolving. Additional criteria that may trigger interim revisions include:
- Change of policies that impact the Strategy and Implementation,
- Significant Strategy and Implementation events,
- The introduction of new technologies,
- The discovery of new vulnerabilities,
- Operational or environmental changes,
- Shortcomings in the Strategy and Implementation,
- Change of scope, and
- Other enterprise-specific criteria
| Version | Date | Description of Change/Revision | Section/Pages Affected | Changes Made By |
|---|---|---|---|---|
| 1.0 | | First draft | All | Trinity Cyber Security |

Table 2: Version Management Table