Cyber Security is Crucial to Supply Chain
Companies face an overwhelming barrage of data that contains sensitive information and passes through a variety of supply chain vendors. The world is data-driven, and securing your supply chain will help minimize your risk of cyberattacks. Here are some key ways to understand more about securing your data, beginning with your supply chain vendors.
In this video, Enigma Forensics President & CEO Lee Neubecker and John Blair, a noted healthcare industry cyber security expert, discuss big data and the attestations (such as SOC 2 reports) that help you understand, secure and monitor the risks in your supply chain.
This is the second video transcript of a three-part series.
Lee Neubecker: Hi, thank you for doing this show, John.
John Blair: No problem.
LN: I appreciate you coming back on.
JB: Thanks Lee, glad to have you here.
LN: So, we’re going to talk today a little bit about what organizations should be doing to monitor the risk associated with their supply chain.
LN: And John, if you can, give me an understanding of what things you look for when selecting a vendor or city that might be hosting your data, or running parts of your operation.
JB: Well, the world is data-driven, and so your evaluation of vendors is critical and should be focused on their interaction with your data, what their subcontractors are going to do, are you going to allow them to have subcontractors? Where are those subcontractors located? And by all means, get some sort of attestation, that their environment that you’re now relying on, has been audited, you know, the SOC 2’s, those types of things, go a very long way in giving you some level of comfort that they’re operating their controls effectively and that you can rely on ’em.
LN: Great, can you explain to our viewers what essentially a SOC 2 certification is, and why you care about that with a vendor?
JB: That one, the SOC 2, there are multiple ones, but a SOC 2 Type 2 is the standard. There are five Trust Principles associated with it. The biggest one used, probably 75 percent of the time, is security. And that’s where you, the vendor would offer whatever service you’re interested in, the SOC report would be scoped for that service, and then the auditors evaluate that service according to the security principle that’s defined by SOC.
LN: So, typically they’re looking at physical security measures as well, that extend just beyond data, but physical security measures that help to protect your data.
JB: Right, SOC defines objectives, and then the organization defines controls within those objectives, so the objectives are the boundaries, and then the organization defines the controls. But generally speaking, they are the IT basics: change management, software development life cycle, physical security, logical security, network security, data storage and security, transmission security. Those types of things are almost always covered under the security principle.
LN: Isn’t it true that someone could have all the certs out there and still get compromised?
JB: Oh, absolutely. The certs are not a guarantee, by any stretch. They are just, you know, as we’ve said, they’re meant to give you a level of comfort in the control environment of the people you are now, basically trusting with your data.
LN: And so, as you go out and select vendors, if you do this diligence and you find vendors that have a certain level of attestation, and various certs that you care about, that might help you if a data breach happened, to show that you actually practiced good faith and due diligence in selecting your vendors.
JB: No, absolutely, and HIPAA requires it, so if you did some sort of due diligence, at least you have a story to tell. If you don’t have a story to tell, then that’s where things start going off the rails almost immediately, because you didn’t do anything, and that’s never a good thing.
LN: Well, thanks for being on the show again.
JB: My pleasure, thank you.