Organizations require security assurance of their supply chain. Almost every day, there is a news article concerning a disruption to a supply chain—whether it be a security issue with physical transport or through a cybersecurity incident. Wherever you fit into the supply chain—from supplying raw materials, providing managed services, or supplying a hosted solution—the integrity of your customer’s property (data and other assets) within the supply chain is essential.
Radian Compliance utilizes multiple standards and frameworks to assist clients with creating security resilience within all aspects of the supply chain.
ISO 28000:2022, Security and Resilience – Security management system requirements
This standard establishes a security system that will protect people, goods, infrastructure, equipment, and transportation against security incidents and other potentially disruptive situations. It also provides an organization a solid base to identify, assess, control, and mitigate its supply chain security risks. This standard requires identification of the following security risks:
• Physical or functional failures and malicious criminal acts
• Environmental, human, and cultural factors, and other internal or external contexts, including factors outside the organization’s control affecting the organization’s security.
• The design, installation, maintenance, and replacement of security equipment
• The organization’s information, data, knowledge, and communication management
• Information related to security threats and vulnerabilities
• The interdependencies between suppliers
Typical audience: OEM, Integrator, Value Added Reseller.
Open Trusted Technology Provider™ Standard (O-TTPS) Version 1.1.1 and the technically equivalent ISO/IEC 20243:2018. Mitigating maliciously tainted and counterfeit products
Radian compliance commonly implements both ISO 28000 and ISO 20243 together, to provide for additional tailored processes specific to the organization’s role in the supply chain. ISO 20243 is a set of guidelines, requirements, and recommendations to address specific threats to the integrity of hardware and software commercial off-the-shelf (COTS) Information, Communication and Technology (ICT) products throughout the product lifecycle. The organizations generally adding this standard include Suppliers who are upstream that supply components or solutions to Providers or integrators who are downstream that supply directly to the integrator or customer. This standard allows for self-certification or select approved certification bodies through The Open Group.
Typical audience: Government contractors for various agency vehicles (NASA-SEWP), Integrator flow down from OEM.
Shared Responsibility Matrix
As a supplier of cloud services or an organization utilizing these services, ensuring the integrity and responsibility of the security controls is essential. 100% of Radian Compliance clients use some element of outsourced services. We recognized the need to better understand the shared responsibilities and assist our clients in maturing their risk management and supplier governance practices. Our consulting consists of seasoned cloud experts, with an extensive understanding of the shared responsibility model from the Cloud Security Alliance (CSA) that cloud service providers adhere to. The model calls out the Client’s share of cloud security responsibilities including, but not limited to:
• Information and Data
• Application Logic and Code
• Identity and Access
• Platform and Resource Configuration
Why implement or certify these standards and frameworks
• Identify risks to supply chain security and create effective risk treatment plans.
• Create security plans to address disruptions up chain or down chain to ensure you can meet your contractual requirements.
• Conduct a 3rd party assessment which will provide an organization a competitive edge in a very competitive market.
• No longer “throw accountability” over the fence to your suppliers. Understand your role in using cloud services.
• As a cloud service provider, ensure you can meet the strict requirements of clients in protecting their information.
Radian’s 100% Successful Methodology
1. Scope identification and gap analysis against the standard and clients’ current controls.
2. Implementation and education to gaps, goals and objectives as defined by the requirements of the standard and the client’s business and customer needs.
3. Internal audit support with qualified internal auditor resources.
4. Certification support and ongoing maintenance assistance during certification audits, and support during surveillance audit years.
The Radian Difference
All ISO standards that Radian supports have some element of outsourced process governance. We recognized years ago that we must create a consulting methodology that incorporates a common approach to ensure clients consistently are able to identify the risks at any level of the supply chain.
Our approach is tailored to the Client and their requirements to provide or consume cloud and 3rd party services. Our team members are not only ISO experts but have extensive knowledge and certifications in cloud services. Managing Partner, Lisa DuBrock, is a member of the ISO U.S. technical committee for ISO 28000:2022.