
Qualifying the supply chain from a cybersecurity perspective

Source: Programmaradon.it – Author: Valeria Carozzi.

One of the key elements of the new cybersecurity directive concerns supply chain security, and ENISA has issued guidelines for all organizations. Keep in mind that even if your company does not fall directly within the scope of the regulation, it may still be a supplier to a company that is required to perform these checks, which means you will have to strengthen your own cybersecurity to remain their supplier.

SOME USEFUL TIPS

First, it is good practice to identify each vendor's role and the type of service it provides: ICT, software vendor, hardware vendor, managed services provider (MSP), managed security services provider (MSSP), or user. When evaluating vendors, it is important to define criteria that include:

a. the cybersecurity practices of suppliers and service providers, including their secure development procedures;
b. the ability of suppliers and service providers to meet the cybersecurity specifications established by the relevant entities;
c. the overall quality and resilience of ICT products and services and the cybersecurity risk management measures integrated therein, including the risks and classification level of ICT products and services;
d. the ability of the relevant entities to diversify their supply sources and limit their dependence on them.

These criteria must be reflected in specific contractual clauses that set out:

  1. a clear and complete description of ICT products and services;
  2. cybersecurity requirements for suppliers or service providers, including requirements relating to security when purchasing ICT services or products;
  3. the awareness, skills and training requirements and, where applicable, certifications required of employees of suppliers or service providers;
  4. background check requirements for employees of suppliers and service providers;
  5. accurate descriptions of service levels, well-defined timelines for responding to service disruptions, timely updates where necessary and appropriate, robust and well-structured data protection clauses in terms of compliance, non-disclosure agreements or obligations for suppliers and service providers, and precise obligations of the supplier or service provider to assist the entity at no additional cost, or at a cost determined ex ante, in the event of a cyber incident that presents a risk to the ICT product or service covered by the contract;
  6. the obligation for suppliers and service providers to notify the parties concerned, without undue delay, of incidents that present a risk to the security of those parties' network and information systems;
  7. provision for second- and third-party audits;
  8. the obligation for suppliers and service providers to manage vulnerabilities that present a risk to the security of the network and information systems of the interested parties;
  9. the requirements relating to subcontracting and, where the relevant entities permit subcontracting, the cybersecurity requirements that apply to it;
  10. the protection of intellectual property;
  11. the right of withdrawal, with appropriate (minimum) notice periods for the termination of contractual agreements.

Given the disparity in bargaining power between SMEs and large technology service providers, collective bargaining, membership associations, or similar initiatives may be considered.

Companies must then conduct a risk analysis of their equipment and systems to define security intervention procedures and priorities. The criticality of each supplier follows directly from the outcome of the risk assessment. Within its operating procedures, the company must also identify the supplier's role in terms of system maintenance, compliance with service SLAs, its responsibilities in the event of an anomaly or emergency, service decommissioning, and the related security activities.

All incidents related to third-party services or applications must be tracked, investigated, and managed, both to monitor the supplier's activity and to verify that it actively collaborates and takes action to resolve issues and prevent future ones.

USE OF OPEN SOURCE SOFTWARE

It is then necessary to consider the criteria for using the open source software (OSS) supply chain, and in particular:

  1. risk assessment;
  2. collaboration with the OSS community, providing evidence of commitment to peer review, and staying informed on the latest security threats and best practices;
  3. constant updates, ensuring that all open source libraries are regularly updated to the latest versions by the vendor or service provider;
  4. license verification, considering the type of license (permissive/BSD, copyleft) and its implications;
  5. code reviews, requiring the vendor or service provider to perform regular code reviews and security testing on open source libraries to identify and address any security issues;
  6. software dependencies, requiring the vendor or service provider to provide information about the tools used to manage dependencies (e.g., Dependabot, Yarn, Gradle, Pip), and ensuring that all libraries and their dependencies are secure and up-to-date;
  7. Zero Trust, verifying and authenticating all access requests.
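As an added illustration of how points 3, 4 and 6 can be turned into a repeatable check on what a supplier delivers (example code written for this article, not from the author or ENISA): the script below reads a constructed `requirements.txt`, flags dependencies that are not pinned to an exact version, and classifies each package's license as permissive, copyleft or unknown using a constructed license inventory. Package names, versions and the `LICENSE_INVENTORY` mapping are hypothetical; in practice the inventory would be populated from package metadata or an SBOM.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of a supplier-delivered requirements.txt (hypothetical packages).
REQUIREMENTS = """\
requests==2.31.0
flask>=2.0            # not pinned: any future release would be accepted
pyyaml                # no version at all
cryptography==41.0.7
gpl-only-lib==1.2.0   # hypothetical copyleft package
somevendorlib==0.3.1  # hypothetical package with no license metadata
"""

# Constructed inventory: package name -> SPDX license expression (hypothetical values).
LICENSE_INVENTORY = {
    "requests": "Apache-2.0",
    "flask": "BSD-3-Clause",
    "pyyaml": "MIT",
    "cryptography": "Apache-2.0 OR BSD-3-Clause",
    "gpl-only-lib": "GPL-3.0-only",
}

PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
COPYLEFT_PREFIXES = ("GPL", "AGPL", "LGPL", "MPL")  # simplified family match

@dataclass
class Finding:
    package: str
    issue: str

def license_class(spdx: str) -> str:
    """Classify a (simple) SPDX expression: every part permissive -> permissive."""
    parts = [p.strip() for p in re.split(r"\s+(?:OR|AND)\s+", spdx)]
    if all(p in PERMISSIVE for p in parts):
        return "permissive"
    if any(p.upper().startswith(COPYLEFT_PREFIXES) for p in parts):
        return "copyleft"
    return "unknown"

def check_requirements(text: str, inventory: dict[str, str]) -> list[Finding]:
    """Return one Finding per unpinned, copyleft-licensed or license-less package."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(==\s*[\w.]+)?", line)
        name = m.group(1).lower()
        if not m.group(2):                           # only '==' counts as pinned
            findings.append(Finding(name, "version not pinned with =="))
        lic = inventory.get(name)
        if lic is None:
            findings.append(Finding(name, "license unknown: no metadata"))
        elif license_class(lic) == "copyleft":
            findings.append(Finding(name, f"copyleft license {lic}: needs legal review"))
    return findings
```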

On the one hand, all of this will certainly mean higher costs for companies, which will have to bear the financial burden of increasing IT security and acquiring the skills needed to manage it; on the other, it will also become a distinguishing factor that strengthens commercial relationships and allows companies that take this path to stand out on the market.
