CSQA participated in the drafting of the book "Supply Chain Security: the risks of the supply chain" edited by the Clusit Community for Security .
Specifically, the supply chain relating to ICT services has undergone profound transformations over time, passing from solutions managed in internal data centers to outsourcing and the cloud, affecting not only the classic basic IT but also the automation of plants with OT (Operational Technology) and IoT (Internet of Things) solutions. The outsourcing of services has also resulted in more and more suppliers gaining access to the client's organization's IT systems.
This book discusses ICT supply chain security risks .
The term supply chain will therefore normally refer, implicitly, to the ICT one, although sometimes extending the treatment, more generally, to those digitized objects whose security is strongly correlated to that of their suppliers.
In particular, the Clusit Community for Security intends with this publication to provide some cross-functional suggestions such as:
Ample space is also dedicated to the discussion of the main regulations dedicated to regulated sectors , such as the recently published NIS2 Directive , intended for private organizations and public administrations that operate in fundamental services and critical infrastructures and their suppliers.
The need for adequate risk management is also demonstrated by many cases of accidents due to errors, carelessness and lack of controls by subcontractors in the supply chain, the impacts of which then spread to the end customer, with even serious consequences for the business.
Various research and relevant examples of security incidents are then included, providing further useful insights. Why this book?
The data of the Clusit 2021 Report on ICT security in Italy and in the world shows an increase in attacks conveyed by exploiting vulnerabilities in the supply chain, which allows cybercriminals to hit all the subjects involved in it (customers, other suppliers and third parties). Some emerging or recently consolidated dynamics highlighted in it are:
Unfortunately, the growing interconnection between the various organizations means that the weakness of just one link in the chain allows access to the data and networks of clients and the entire supply chain.
It therefore becomes essential for management to understand how the scenario described can affect one's own organization and what risks it is exposed to, considering all types of internal or outsourced ICT services.
The aim is not only to help customers understand what to ask their suppliers but also to help suppliers prepare to support possible (and increasingly probable) requests from their customers. Who is it aimed at?
The top management of organizations (eg board members, CEOs and CFOs ) will certainly benefit from reading this book. In fact, they play a fundamental role in defining security and outsourcing strategies, they will be able to develop awareness on the subject and require adequate monitoring of the supply chain.
The book will also be useful reading for other figures with more operational and supportive responsibilities to the top. For example, risk managers, CIOs, CISOs, DPOs and, in the public sector, digital transition managers, purchasing managers, project and product managers.
Reading this book does not assume in-depth previous skills: the reader will assume at least a sensitivity towards the critical processes of an organization and an attention to what is outsourced. (Source: https://supplychainsecurity.clusit.it/ ) DOWNLOAD THE SUPPLY CHAIN SECURITY BOOK FOR FREE
Supply Chain Security: the risks of the supply chain