Security Think Tank: Basic steps to secure your supply chain

When it comes to supply chain security, there are some core things you should be doing – but remember, the devil is in the detail

By Petra Wenham

Published: 15 Jun 2022

When we think about supply chains, we typically think of them in relation to manufacturing. For example, a car typically has a radio supplied by one manufacturer, an air-conditioning system from another supplier (or two), nuts, bolts and screws from other suppliers, and so forth. The same is true of most companies operating today with respect to their IT.

In looking at the security of the links between a company and its business partners, it goes without saying that the security is only as good as the weakest business partner link. But that statement must also include the company’s own IT and the security of each partner’s IT systems.

From my experience, good practice in IT supply chain security can be broken down into the following steps, but remember that these steps are relatively high level and that the devil is in the detail. Also note that the list is not exhaustive, because each IT scenario is different.

  • An IT security team needs a solid understanding of a company’s business, including all partners, subsidiaries and other external services that are used, be they public or private.
  • Arising from this will be an understanding of the assets at risk and the associated value at risk (reputation, financial, ability to trade, etc).
  • Likewise, the IT security team needs a solid understanding of the company’s IT, including its suppliers.
  • Is the IT in-house, in-house with third-party maintenance, or partially outsourced? Do the outsource suppliers, in turn, outsource some of “their” IT? Is there remote working, etc?
  • The security team needs a good and up-to-date understanding of the threat and vulnerability landscape.
  • The security team needs to be able to map out the key parts of the supply chain. Caveat: too much detail and you’ll not see the wood for the trees, but conversely, take a too high-level view and you’ll start to miss some key points.
  • Once the key parts of the chain have been mapped, the team needs to identify, for each part, whether the company has direct control over its security, indirect control, or no control.
  • The key here is to identify the boundaries between each supply chain part and who has the technical management of security for each part and its interfaces.
  • As part of this mapping exercise, the team should consider what current industry good-practice security controls they would expect to find, both for the supply chain part under consideration and its interfaces to other supply chain parts.
  • For each part of the chain, the next step is to review what security controls are actually in place, including its interfaces, and compare those with the identified good-practice controls.
  • These reviews, together with the knowledge of the company assets that could be exposed by a security breach and the value at risk should a control fail, will lead to a risk profile and a remediation plan to improve security.
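The mapping, classification and comparison steps above lend themselves to a simple data model. The following is an added example (not code from the article or its author): each supply chain part is recorded with who controls it, the value at risk, the good-practice controls the team expects to find and the controls the review actually found. The gap between expected and actual controls, weighted by value at risk, gives a crude risk profile from which a ranked remediation plan falls out. The part names, control names and scores are all constructed sample data, and the 1-to-5 scoring and the evidence strings are this example’s own assumptions.

```python
"""Added example (not from the article): a minimal gap-analysis model for the
mapping / classification / comparison steps of a supply chain security review.
All parts, control names and scores below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum


class Control(Enum):
    """Who has technical management of security for a supply chain part."""
    DIRECT = "direct"      # company policies, standards and work guides apply directly
    INDIRECT = "indirect"  # a third party bound by contractual security clauses
    NONE = "none"          # public/third-party network: only the interface can be secured


@dataclass
class SupplyChainPart:
    name: str
    control: Control
    value_at_risk: int                          # assumed 1 (low) .. 5 (critical) score
    expected_controls: frozenset                # good-practice controls we expect to find
    actual_controls: frozenset = frozenset()    # controls the review actually found

    def gaps(self) -> list:
        """Expected controls the review did not find (part and its interfaces)."""
        return sorted(self.expected_controls - self.actual_controls)

    def risk_score(self) -> int:
        """Missing controls weighted by the value exposed if a control fails."""
        return len(self.gaps()) * self.value_at_risk


def assurance_evidence(part: SupplyChainPart) -> str:
    """What the team should ask for, depending on who controls the part.
    Follows the article's three closing cases; the wording is this example's own."""
    if part.control is Control.DIRECT:
        return "internal policy/standards compliance check"
    if part.control is Control.INDIRECT:
        return "contract security annex, ISO27001 SoA, audit opinion or renewal certificate"
    return "interface controls only, e.g. encryption in transit"


def remediation_plan(parts):
    """Rank parts with gaps by risk score, highest first; parts with no gaps are omitted."""
    ranked = sorted((p for p in parts if p.gaps()),
                    key=lambda p: (-p.risk_score(), p.name))
    return [(p.name, p.control.value, p.risk_score(), p.gaps()) for p in ranked]


# Constructed inventory: one part for each control category.
SAMPLE_PARTS = [
    SupplyChainPart("in-house ERP", Control.DIRECT, 5,
                    frozenset({"patching", "MFA", "backup", "logging"}),
                    frozenset({"patching", "MFA", "backup", "logging"})),
    SupplyChainPart("outsourced payroll SaaS", Control.INDIRECT, 4,
                    frozenset({"ISO27001 SoA", "audit report", "breach notification clause"}),
                    frozenset({"ISO27001 SoA"})),
    SupplyChainPart("partner link over internet", Control.NONE, 3,
                    frozenset({"TLS", "mutual auth"}),
                    frozenset({"TLS"})),
]

if __name__ == "__main__":
    for name, control, score, gaps in remediation_plan(SAMPLE_PARTS):
        part = next(p for p in SAMPLE_PARTS if p.name == name)
        print(f"{score:>2}  {name} [{control}] missing: {', '.join(gaps)}")
        print(f"    evidence to request: {assurance_evidence(part)}")
```

Run as a script, the plan lists the payroll supplier first (two missing contractual controls against a value-at-risk of 4) and the partner link second; the in-house ERP has no gaps and is left out. In practice the expected-controls sets would come from the good-practice baseline the team chose in the mapping step, and the scoring would be replaced by whatever risk method the company already uses.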

What I have not explicitly covered here are the physical aspects of security. For example, if a company’s offices are in a shared or multi-tenanted building, then cable rooms, closets and risers are important; is guarding outsourced; does an outsourced guarding service create entry cards; and who employs the cleaners? That is not an exhaustive list, but these are all equally part of the security supply chain.

A few thoughts to close with:

Direct control: This would be where company assets are controlled by company policies, procedures, standards and work guides. Maintenance staff could be employees or contractors legally required to follow company policies, etc.

Indirect control: This is where a third party provides services under a legal contract. That contract would have clauses relating to security and annexes spelling out the security requirements in detail. Security needs to be spelt out: it is no good just saying that the third party must be ISO27001 compliant; the statement of applicability and the relevant clauses need to be identified, together with any necessary expansion. Other standards, including any company-specific ones, need to be covered by the contract, together with mechanisms to ensure that the security is being regularly maintained – an independent auditor’s opinion or a copy of a standards renewal certificate, for example.

No control: The interconnections between the company and its partners (and subsidiaries and remote workers) over public or third-party networks such as the internet. Here we can only secure the interface of the supply chain part, for example by adding a layer of security such as encryption.

My previous Think Tank article, Security Think Tank: To follow a path, you need a good map, might add a little more with respect to risk analysis.
