Page 119 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Apply Risk-Based Management Concepts to the Supply Chain


Applying risk-based management concepts to the supply chain is a means to ensure a more robust and successful security strategy in organizations of all sizes. The concept of a supply chain reflects the fact that most computers, devices, networks, and systems are not built by a single entity. In fact, most of the companies we know of as computer and equipment manufacturers, such as Dell, Cisco, Extreme Networks, Juniper, Asus, Acer, and Apple, generally perform the final assembly rather than manufacture all of the individual components. Often the CPU, memory, drive controllers, hard drives, SSDs, and video cards are created by other third-party vendors. Even these commodity vendors are unlikely to have mined their own metals, processed the oil for plastics, or etched the silicon of their chips. Thus, any finished system has a long and complex history, known as its supply chain, that enabled it to come into existence.

A secure supply chain is one in which all of the vendors or links in the chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners (although not necessarily to the public). Each link in the chain is responsible and accountable to the next link in the chain. Each hand-off from raw materials to refined products to electronics parts to computer components to the finished product is properly organized, documented, managed, and audited. The goal of a secure supply chain is to ensure that the finished product is of sufficient quality, meets performance and operational goals, and provides stated security mechanisms, and that at no point in the process was any element counterfeited or subjected to unauthorized or malicious manipulation or sabotage. For an additional perspective on supply chain risk, view a NIST case study located at https://www.nist.gov/sites/default/files/documents/itl/csd/NIST_USRP-Boeing-Exostar-Case-Study.pdf.

When acquisitions and mergers are made without security considerations, the risks inherent in those products remain