
Covering All Your Bases – Part 2

Created: 12 Nov 2012
In Covering All Your Bases – Part 1, I discussed some of the risks our organizations face by not having a Supply Chain Risk Management (SCRM) process in place. In this article I will cover some ideas and controls for managing your risk and exposure through the supply chain process.
Using traditional Business Continuity Planning (BCP), an organization can establish an initial SCRM process:
  1. Identify high-risk items
  2. Understand key processes and/or components
  3. Identify the recovery time per process and/or component
  4. Audit processes and maintain reporting for baselines

To accomplish the first, establish a formalized SCRM team; do not rely on your business units to handle issues on an ad hoc basis. The group does not need to be large, but it should have enough personnel to influence and manage the process. Hopefully you have buy-in or a representative from the various business units if the SCRM team has purview over the whole organization. If you are only planning a team for IT, I would recommend having representation from Endpoint Operations, Data Center, Network Infrastructure, the Applications Group, Procurement and Legal.
For IT, the SCRM team should establish the key assets and resources critical to maintaining revenue for the organization or maintaining a service. These assets and services need to be ranked by their effect on revenue or service. Once those key assets and resources are determined, the key subcomponents and individual resources can be established for each larger product.
The continued supply of these subcomponents or resources has to be evaluated. Understanding the supply chain resiliency of all your key subcomponents or resources is critical. We have seen past issues where unexpected growth in data centers, combined with a limited supply of hard drives, has impacted and interrupted business operations. An organization should be able to monitor the inventory or reserved capacity of items relevant to its supply chain. We have also seen natural disasters such as hurricanes, earthquakes and fires impact facilities that produce materials and subcomponents. As part of the SCRM process, the team should identify all instances of single-source vendors. Where part of the supply chain is dependent on a single site, maintain an alternate stream or "warm" supply in the event of a catastrophic disruption at your primary vendor. If you are not maintaining a "warm" supply, maintain an active list of contacts for fallback sources with established contracts.
If your supply chain is interrupted, you should understand the critical path for recovery. Additionally, understand the Time to Recover (TTR) and add this metric to your analysis of the resiliency of your supply chain. Also have an established procedure for the event of a supply chain interruption. As part of the discussion regarding suppliers, have an established contract covering the integrity of subcomponents and resources.
For IT, have a Systems and Software Assurance contract in place requiring, at a minimum:

  • The ability to review and audit key manufacturing processes and logistics
  • The vetting of key supplier employees crucial to manufacture or delivery, including those of their upstream suppliers
  • Protection against tampering with, or theft of, subcomponents during production and transit
  • The ability to request and review supplier information regarding the geographical location and the personnel manufacturing each subcomponent or service

And finally, have an established risk index or scorecard for the state of the supply chain as discussed above. The index or scorecard should be perpetually maintained, regularly reviewed, and understood at an executive level.

I would like to hear your thoughts. Does your organization have a group responsible for SCRM? What processes and controls has your organization implemented?
