Organizations require security assurance of their supply chain. Almost every day there is a news article concerning a disruption to a supply chain—whether it be a security issue with physical transport or through a cybersecurity incident. Wherever you fit into the supply chain, from supplying raw materials, providing managed services, or supplying a hosted solution, the integrity of your customer’s property (data and other assets) within the supply chain is essential.
The Radian team supports multiple frameworks to assist organizations in the reduction of supply chain risks.
ISO 28000:2022, Security and Resilience – Security management system requirements
This standard establishes a security system that will protect people, goods, infrastructure, equipment, and transportation against security incidents and other potentially disruptive situations. It also provides an organization with a solid base to identify, assess, control, and mitigate its supply chain security risks. This standard requires identification of the following security risks:
• Physical or functional failures and malicious criminal acts.
• Environmental, human, and cultural factors, and other internal or external contexts, including factors outside the organization’s control affecting the organization’s security.
• The design, installation, maintenance, and replacement of security equipment.
• The organizations information, data, knowledge, and communication management.
• Information related to security threats and vulnerabilities.
• The interdependencies between suppliers.
Open Trusted Technology Provider™ Standard (O-TTPS)
Mitigating Maliciously Tainted and Counterfeit Products:
• Part 1: Requirements and Recommendations, Version 1.2, and the technically equivalent ISO/IEC 20243:2023 Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products.
Radian compliance commonly implements both ISO 28000 and the OTTPS together to provide additional tailored processes specific to the organization’s role in the supply chain. OTTPS/ISO 20243 is a set of guidelines, requirements, and recommendations to address specific threats to the integrity of hardware and software commercial off the shelf (COTS) and information, communication and technology (ICT) products throughout the product lifecycle. The organizations generally adding this standard include suppliers who are upstream that supply components or solutions to providers and resellers or integrators who are downstream that supply COTS/ICT directly to the customer.
EASI – Third Party Risk Management (TPRM)
Radian has developed its own TPRM methodology, EASI. Evaluating the security and privacy practices of your supply chain can proactively identify and address potential risks, strengthening overall cyber & privacy resilience. Through our EASI methodology, we work with an organization to focus on creating or enhancing an assessment program to better ensure that vendor cybersecurity and privacy measures align with an organization’s expectations. See more detail here.
Benefits
• Standardized risk levels and supplier questionnaires.
• Reduce the risk of a supply chain incident.
• Imbed risk reviews and monitoring of suppliers by establishing corporate governance.
• Include SAAS and Cloud Providers into oversight.
Why Implement a Supply Chain/Risk Management Program
• Identify risks to supply chain security and create effective risk treatment plans.
• Create security plans to address disruptions upstream or downstream to ensure you can meet your contractual requirements.
• OTTPS can be self-certified or 3rd party by following the additional guidance by OTTPS
The Radian Supply Chain Security/Risk Management Difference
All the ISO standards supported by Radian team members include some aspects of supply chain risk management. By having relevant knowledge in multiple frameworks, we can identify best practices to support an organization’s scope. We have created a proprietary process called EASI for Third Party Risk Management (TPRM) to additionally assist organizations to create a sustainable TPRM program.
Our team is constantly studying updates and providing relevant information about persistent and new supply chain risks to our customers. We are active in security organizations, including ASIS International, (ISC)2, ISACA, WiCys, IAPP, PMI, ASQ, and AITP–Chicago.
Connect with us now to learn how Radian Compliance can support your Supply Chain Security/Risk Management requirements.