On 7 January 2021, the Australian Cyber Security Centre (ACSC) issued updated guidance on Cyber Supply Chain Risk Management and Identifying Cyber Supply Chain Risks to help businesses identify and manage cyber risks associated with their use of suppliers, manufacturers, distributors and retailers.
The updated guidance on Cyber Supply Chain Risk Management sets out the key steps businesses should take to:
- identify cyber supply chain participants;
- understand relevant supply chain risks;
- set appropriate cyber security expectations for various participants;
- audit supply chain participants to ensure compliance; and
- monitor and improve their supply chain cyber security practices on an iterative basis.
The updated guidance on Identifying Cyber Supply Chain Risks addresses specific risks that may arise in the supply chain due to:
- foreign control, influence or interference in relation to supply chain participants;
- poor security practices of supply chain participants;
- lack of transparency by participants; and
- the scope of access and privileges for relevant products and services.
The Guidelines for Outsourcing contained in the Australian Government Information Security Manual (ISM) may also be of interest to any business that is considering, or in the process of, engaging supply chain participants or carrying out any form of outsourcing activity.
"Effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services for systems throughout their lifetime. ... As such, cyber supply chain risk management forms a significant component of any organisation's overall cyber security strategy." (ACSC, Cyber Supply Chain Risk Management)