Supply Chain IT Security

Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation. Its goal is to identify, analyze and mitigate the risks inherent in working with other organizations as part of a supply chain.

Supply chain security involves:

  • Supply chain physical security
  • Supply chain IT security

Supply chain IT security or supply chain cybersecurity involves the supply chain security of IT assets, software and IT services.

Service Level Agreement (SLA)

Operational Level Agreement (OLA)

Risk assessments and audits must be done on suppliers, both when the contract is established and periodically afterwards.

IT Supplier Security Standards

IT supplier security standards featured on this post:

  • ISO/IEC 27036
  • SCOR

ISO/IEC 27036

ISO/IEC 27036 has the title “Cybersecurity supplier relationships”.

SCOR

Supply Chain Operations Reference (SCOR) is a model.

SCOR at Wikipedia

IT Supplier Risk Management

You can read more about IT supplier risk management on this post.

IT Supplier Risk Management Organizations

SCRLC

Supply Chain Risk Leadership Council (SCRLC) is a council of private companies.

SCRLC official website

Supply Chain Software Security

Software supply chain should also be considered as part of supply chain IT security.

A supplier can supply standalone applications or just application components.

For application components, you can check this post about a software bill of materials.

A typical example of SBOM is SolarWinds.
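As an added example (not code from the original post or from any SBOM tool), the following Go program reads a small CycloneDX-style SBOM and reports component entries that a downstream advisory or lifecycle lookup could not match reliably: a missing version, a missing package URL, or a purl whose version contradicts the declared one. The SBOM document and the package names in it are constructed for the example; only the handful of CycloneDX field names used (`bomFormat`, `components`, `name`, `version`, `purl`) are taken from the real format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Minimal subset of the CycloneDX JSON fields an inventory check needs.
// Field names follow CycloneDX; anything not listed here is ignored.
type sbom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []component `json:"components"`
}

type component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// sampleSBOM is a constructed document (not a real product's BOM). The third
// component deliberately lacks a version and the fourth carries a purl whose
// version does not match the declared one: the two defects CheckSBOM catches.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1", "purl": "pkg:golang/example.com/example-http@2.3.1"},
    {"type": "library", "name": "example-json", "version": "1.0.0", "purl": "pkg:golang/example.com/example-json@1.0.0"},
    {"type": "library", "name": "example-log",  "purl": "pkg:golang/example.com/example-log"},
    {"type": "library", "name": "example-tls",  "version": "4.2.0", "purl": "pkg:golang/example.com/example-tls@4.1.0"}
  ]
}`

// Finding describes one problem with a component entry.
type Finding struct {
	Name   string
	Reason string
}

// purlVersion returns the version part of a package URL ("...@1.2.3"), or ""
// when the purl carries no version. Qualifiers ("?...") and subpaths ("#...")
// are stripped first, since the purl format allows them after the version.
func purlVersion(purl string) string {
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		purl = purl[:i]
	}
	if at := strings.LastIndex(purl, "@"); at >= 0 {
		return purl[at+1:]
	}
	return ""
}

// CheckSBOM parses a CycloneDX-style document and reports components that
// cannot be matched against advisories or lifecycle data: missing version,
// missing purl, or a purl version that contradicts the declared version.
func CheckSBOM(doc []byte) ([]Finding, error) {
	var b sbom
	if err := json.Unmarshal(doc, &b); err != nil {
		return nil, fmt.Errorf("invalid SBOM JSON: %w", err)
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", b.BOMFormat)
	}
	var findings []Finding
	for _, c := range b.Components {
		switch {
		case c.Version == "":
			findings = append(findings, Finding{c.Name, "no version: cannot match against advisories"})
		case c.PURL == "":
			findings = append(findings, Finding{c.Name, "no purl: cannot identify the package ecosystem"})
		case purlVersion(c.PURL) != c.Version:
			findings = append(findings, Finding{c.Name,
				fmt.Sprintf("purl version %q contradicts declared version %q", purlVersion(c.PURL), c.Version)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Name < findings[j].Name })
	return findings, nil
}

func main() {
	findings, err := CheckSBOM([]byte(sampleSBOM))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n", f.Name, f.Reason)
	}
}
```

Run as-is it prints the two defective entries. A supplier-delivered SBOM that fails these checks is worth sending back before it is used as the basis for vulnerability tracking, because an entry without a usable version or purl silently drops out of every later lookup.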

Tools related to Supply Chain IT Security

Tools related to supply chain IT security featured on this post:

  • Supply-chain Levels for Software Artifacts (SLSA)
  • Sigstore

Supply-chain Levels for Software Artifacts (SLSA)

Supply-chain Levels for Software Artifacts (SLSA), pronounced “salsa”, is a project by OpenSSF.

It is a security framework or a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in a supply chain.

SLSA official link

Sigstore

Sigstore is an open source project for improving software supply chain security.

The Sigstore framework and tooling enable software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries or software bills of materials (SBOMs).

Sigstore is a project of OpenSSF, part of The Linux Foundation.

You can find a course to learn Sigstore on this external link.

Sigstore official website
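To make the sign-and-verify flow concrete, here is an added example in Go (not code from the original post and not Sigstore's own tooling). It shows the two halves that any artifact signing scheme has: the publisher hashes the artifact and signs the digest, and the consumer recomputes the digest of what it actually downloaded and checks the signature under the publisher's public key. It uses a plain Ed25519 key pair from the Go standard library; Sigstore's cosign adds what this example does not implement, namely short-lived signing certificates tied to an identity and a public transparency log. The artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// artifact is a constructed stand-in for a release file the publisher ships.
var artifact = []byte("example-release-1.4.2.tar.gz contents (constructed)")

// Signature is what travels beside the artifact: the SHA-256 of the exact
// bytes that were signed, and an Ed25519 signature over that digest.
type Signature struct {
	Digest string // hex SHA-256 of the signed bytes
	Sig    []byte // Ed25519 signature over the raw digest
}

// SignArtifact is the publisher side: hash the artifact, sign the hash.
// Signing the digest keeps the signature small whatever the artifact size,
// which is also how signatures are attached to container image digests.
func SignArtifact(priv ed25519.PrivateKey, data []byte) Signature {
	sum := sha256.Sum256(data)
	return Signature{
		Digest: hex.EncodeToString(sum[:]),
		Sig:    ed25519.Sign(priv, sum[:]),
	}
}

// VerifyArtifact is the consumer side: recompute the digest of the bytes that
// were actually downloaded, then check the signature under the publisher's
// public key. A tampered download fails the first check; a signature from an
// unrelated key fails the second.
func VerifyArtifact(pub ed25519.PublicKey, data []byte, s Signature) error {
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != s.Digest {
		return errors.New("digest mismatch: downloaded bytes differ from the signed artifact")
	}
	if !ed25519.Verify(pub, sum[:], s.Sig) {
		return errors.New("bad signature: not produced by the expected publisher key")
	}
	return nil
}

// Demo exercises the three outcomes a verifier must distinguish and returns
// the verification error for each (nil means the artifact was accepted).
func Demo() (genuine, tampered, wrongKey error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // an unrelated publisher
	if err != nil {
		panic(err)
	}
	sig := SignArtifact(priv, artifact)

	genuine = VerifyArtifact(pub, artifact, sig)

	modified := append([]byte(nil), artifact...)
	modified[0] ^= 0x01 // flip one bit, as a corrupted or substituted download would
	tampered = VerifyArtifact(pub, modified, sig)

	wrongKey = VerifyArtifact(otherPub, artifact, sig)
	return genuine, tampered, wrongKey
}

func main() {
	genuine, tampered, wrongKey := Demo()
	fmt.Println("genuine :", genuine)
	fmt.Println("tampered:", tampered)
	fmt.Println("wrongKey:", wrongKey)
}
```

The point the consumer side makes is that checking a published checksum alone is not enough: the checksum tells you the download is intact, and only the signature ties it to the publisher. The hard operational problem, which Sigstore exists to solve, is how the consumer learns which public key to trust in the first place.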

Software Lifecycle

Software Lifecycle:

Portals to check lifecycle

When checking the release date, I would recommend to double check the original source from the manufacturer instead of relying on a third party.

Websites offering software lifecycle:

  • endoflife.date

endoflife.date

Official website
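As an added example (not code from the original post and not endoflife.date's own software), the Go program below takes lifecycle data in the shape of endoflife.date's JSON API, which lists one object per release cycle with `cycle`, `eol` and `latest` fields, and decides whether an installed version is past end-of-life on a given date. The data itself is constructed for a fictional product. The example deliberately handles the quirk that `eol` is not always a date: the API may publish it as the boolean `false` (no end date announced) or `true` (end-of-life with no published date), so a parser that expects a string would break on those cycles.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// releaseCycle mirrors the per-cycle fields of endoflife.date's JSON API
// (field names from the public API; the data below is constructed). "eol"
// arrives either as a YYYY-MM-DD string or as a bare boolean, so it is kept
// raw here and interpreted in Check.
type releaseCycle struct {
	Cycle  string          `json:"cycle"`
	EOL    json.RawMessage `json:"eol"`
	Latest string          `json:"latest"`
}

// SampleLifecycle is a constructed response for a fictional product covering
// the three shapes "eol" takes: a date, false (no date announced) and true
// (end-of-life, date not published).
const SampleLifecycle = `[
  {"cycle": "4.2", "eol": false,        "latest": "4.2.1"},
  {"cycle": "4.1", "eol": "2026-03-31", "latest": "4.1.7"},
  {"cycle": "4.0", "eol": "2024-06-30", "latest": "4.0.12"},
  {"cycle": "3.9", "eol": true,         "latest": "3.9.20"}
]`

// Status is the verdict for one installed version on a reference date.
type Status struct {
	Cycle   string // release cycle the installed version belongs to
	EOL     bool   // true when the cycle is past end-of-life on the reference date
	EOLDate string // published end-of-life date, "" when none is published
	Latest  string // latest patch release in that cycle
}

// inCycle reports whether an installed version such as "4.1.7" belongs to
// cycle "4.1". The trailing dot stops "4.1" from matching "4.10.x".
func inCycle(installed, cycle string) bool {
	return installed == cycle || strings.HasPrefix(installed, cycle+".")
}

// Check finds the cycle of the installed version and decides whether it is
// past end-of-life on the reference date.
func Check(apiJSON []byte, installed string, today time.Time) (Status, error) {
	var cycles []releaseCycle
	if err := json.Unmarshal(apiJSON, &cycles); err != nil {
		return Status{}, fmt.Errorf("invalid lifecycle JSON: %w", err)
	}
	for _, c := range cycles {
		if !inCycle(installed, c.Cycle) {
			continue
		}
		st := Status{Cycle: c.Cycle, Latest: c.Latest}
		switch string(c.EOL) {
		case "false": // still supported, no end date announced
		case "true": // end-of-life without a published date
			st.EOL = true
		default: // a quoted date string
			var date string
			if err := json.Unmarshal(c.EOL, &date); err != nil {
				return Status{}, fmt.Errorf("cycle %s: unexpected eol value %s", c.Cycle, string(c.EOL))
			}
			eol, err := time.Parse("2006-01-02", date)
			if err != nil {
				return Status{}, fmt.Errorf("cycle %s: bad eol date %q", c.Cycle, date)
			}
			st.EOLDate = date
			st.EOL = !today.Before(eol)
		}
		return st, nil
	}
	return Status{}, fmt.Errorf("version %s matches no published cycle", installed)
}

func main() {
	today := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	for _, v := range []string{"4.2.0", "4.1.2", "4.0.3", "3.9.1", "5.0.0"} {
		st, err := Check([]byte(SampleLifecycle), v, today)
		if err != nil {
			fmt.Printf("%-6s %v\n", v, err)
			continue
		}
		fmt.Printf("%-6s cycle %s  eol=%v  eolDate=%q  latest=%s\n", v, st.Cycle, st.EOL, st.EOLDate, st.Latest)
	}
}
```

In line with the advice above to confirm dates with the manufacturer, treat a verdict from third-party data as a prompt to check the vendor's own lifecycle page, not as the final word; the unmatched-version error is also useful, since a version that appears in no published cycle is often a sign of a vendor build or an unsupported fork.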


