sanctions, news stories on indictments, and security issue publications. Other risk questions require access to non-public or proprietary information and can involve sourcing the information directly from the supplier or assessing the service or item of supply directly.
The ICT SCRM Task Force's Vendor Template is an example of a process that collects answers directly from a supplier, which can then be used to answer SoT risk questions. Additional risk questions can be answered from other sources, such as analyses of certifications and accreditations performed on an organization, its workforce, facilities, and products. If, for example, a trusted third party has certified that an organization's facilities meet one of these standards for security practices, that certification would qualify as addressing the SoT risk questions on that topic.
Finally, there are restricted sources of information that could be used to gather insights on some supply chain risks. For government, this may include law enforcement resources or information gathered by the intelligence community. In private industry, it may be information from past work with a supplier or service provider. SoT provides for the use of these types of sources as "general research."
SoT is exploring a mechanism for conveying examples of all the above as part of the SoT BoK and making them accessible as assessment information sources within the RMM tool itself. SoT is also working to incrementally expand the lists of sources in collaboration with industry and those providing the certifications and information sources. Similar to MITRE's established compatibility programs for initiatives like Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE), the SoT program is establishing a process to allow organizations to share their adoption and use of the SoT taxonomy of risks.
This will enable the community at large to see where market offerings fit into the strategic landscape of supply chain security capabilities and needs. SoT offers a consistent framework for identifying the scope and nature of issues requiring review and issues that have been addressed. This framework provides the insights necessary to construct the appropriate set of capabilities required to address individualized supply chain security needs.
Communicating the findings from a supply chain assessment calls for careful planning and detailed execution. While there are many risks to consider when investigating a supplier, the supplies it offers, and the services it provides, the key to managing those risks is to understand which ones would be a showstopper if they manifested and which ones would have strong impacts on the organization.
Reflecting the potential for impact in the scoring and weighting of the individual risks, as well as in the presentation of the findings from an assessment, is key to providing consistent, usable
54 July 2022