The supply chain assurance program is a collaborative effort between security, procurement, and governance. The program integrates security escalations to ensure that we choose secure third-party software, goods, and services from trusted suppliers. Figure 2 illustrates the three supplier services that are currently governed by the supply chain assurance program.

Figure 2. Supplier services that are governed by the supply chain assurance program.

Third-party software is any software that is not developed by Microsoft and is not Microsoft intellectual property.
It can be cloud-based software as a service (SaaS), on-premises server-based, or installed on client devices. Any third-party software that processes or accesses corporate data is subject to software governance. Procurement obtains third-party software and services for use at Microsoft and negotiates contracts and service subscriptions.
Once procured, the end-to-end governance process is accountable for the effective management of software licenses, subscriptions, inventory, and maintenance through the entire product life cycle. When procurement acquires third-party software, they assess the supplier, look at their risk profile, and present their findings to management. That information helps leadership make risk-informed purchasing decisions, and helps us negotiate remediation during contract negotiation.
Continuous monitoring helps ensure that security controls that are in effect at the time of purchase remain so during the product's life cycle.

Solution integrators are suppliers that provide staff augmentation and consulting services. Helping to ensure security around people and services requires different controls than assessing software suppliers.
We use supplier risk profiles and assessments to continuously monitor the risk score of the suppliers. Then we partner with them on remediation activities to improve supplier and solution security, which is then reflected in their updated risk score.

Factories all around the world build components and products for Microsoft. We have worked with most manufacturers since before we rolled out our supply chain assurance program, so we have been assessing them, creating supplier remediation plans, and helping them to improve their profile score.
For new manufacturers, we assess and score them up front so that our findings can be part of contract negotiations. As Figure 3 shows, supply chain assurance begins during the selection phase of the procurement life cycle.

Figure 3. Supply chain assurance program activities during different phases of the procurement life cycle.
We work with the centralized contracting team and give them access to the supplier risk dashboard to help them decide whether to onboard a new supplier. For suppliers that already have a profile, the contracting office has the information on hand to make more informed decisions and to refine the security language within a statement of work (SOW). During procurement, we assess security at the selection phase, before contract negotiation.
In the past, we did not usually review security until after software was purchased. Now we assess first, which gives us the ability to seek remediation before onboarding. This helps us avoid known risks with new suppliers, or lets us make change requests part of the contract negotiation. As illustrated in the table below, for each security category we require attestation in the form of security reviews. We accept some industry-standard compliance attestations in lieu of some of the more detailed security questionnaires.
Security questions are based on Microsoft security standards, requirements, and technical controls that apply to our internal applications, as well. Because reviews and assessments are done during the selection phase, we can make change requests part of the contract negotiation. We look at contracts and legal as our first line of control. We can require suppliers to make fixes before onboarding and ensure that all provisions are included in the contract. We have moved beyond one-time assessments and incorporated ongoing monitoring to help ensure that a supplier stays in compliance.
The ongoing monitoring is based on data elements in our risk profile, which are updated continually from internal and external sources. When new versions of products or services are released, or when a purchase order is set to renew, we reassess based on the risk profile score and determine whether it still meets our assurance needs or whether new, control-based activities are required. We use key performance indicators (KPIs) to measure our own success and refine how we offer services within the program.
We are still working to determine which KPIs best communicate the health and overall progress of our program. Defining KPIs is an ongoing, and not always easy, task. We have been incrementally adding features to the program, and with each new feature comes new metrics that we analyze to measure adoption, performance, and customer satisfaction.

For those assigned to supply chain security, there are two goals. The first is to promote the efficient and secure movement of goods, and the second is to foster a global supply chain system that is prepared for and can withstand evolving threats and hazards and rapidly recover from disruptions.
A crucial goal of any supply chain security effort is to promote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation as well as reducing its vulnerability to disruption, according to Bill Anderson, group director, international safety, health and security at Ryder, Miami, Florida.
That leadership also extends best practices to industry partners and government regulators. The aim: Understand and resolve threats early in the process and strengthen the security of physical infrastructures, conveyances and information assets, while seeking to maximize trade through modernizing supply chain infrastructures and processes.
Anderson says it is important to also foster a supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions.
The Daily Challenges of Supply Chain Security | Security Magazine
So he and other supply chain security executives consistently review situations based on cargo, geography, incidents, collaborative partners and other elements. He also expects information security to be the next high concern area when it comes to supply chain security. For example, one of the largest known data breaches, resulting in million records lost and hundreds of millions of dollars in damages, started with a small, third-party supplier along the chain.
Government regulations, mandates and industry specific rules play a significant role in supply chain security. Still, he says, governments have gone through administrations and budget cutting. In some ways, the U. No doubt, there are many players in the supply chain including importers, foreign manufacturers, consolidators; brokers, ocean, sea and rail carriers, and third-party logistics providers, to name a few.
Goods in movement get a little trickier.
Check Firms in Supply Chain
And how are you going to get the devices back? Crisis management is another aspect of the supply chain security multi-tiered approach. Not only could the global supply chain be used to facilitate a terrorist act, the supply chain itself could be considered a target of such an attack. Given the importance of cargo and vehicle security to ongoing sustainability, both are matters of committed corporate governance and leadership. Security practices must encompass a wide range of areas — from customs and border security for materials moving between nations to rental fleet security and crisis management.
Supply chain security also, depending on the company, location, type of supplies or data, and risks ranked by priority, calls for the use of traditional physical security technologies as well as technology unique to the mission, such as seals, global positioning and more sophisticated locating and tracking applications. Warehouses, distribution centers, seaports, airports, tractor-trailer hubs and freight terminals all lend themselves to some level of credentialed access control as well as security video, often IP-based and equipped with analytics. There are also reasons beyond security itself for investing in supply chain security.
Plan the approach. Understand the threats and risks and their criticality. Tying specific job titles to specific zones such as dispatch, operations, warehouses and loading docks is a valuable step toward improving physical security. Steve Birkmeier of Arteco stresses event-based interoperability of security technology, including security video as well as license plate recognition.
Such solutions can verify trucks, open gates and even trigger email alerts, according to Birkmeier.
Every camera has a purpose. Focus on what is important to security at various locations and related to events. According to Anthony Incorvati, business development, critical infrastructure and transportation at Axis Communications, security technology has come a long way. There is system openness, higher quality imaging and more uses of security video.
He sees security technology as bridging the gap between security and enterprise resource planning as well as warehouse management, for example. He adds that, for new projects, almost all are IP-based network technology. Then there is geofencing based on sensors or cameras or both as well as customized software. Such systems can send automatic, near real-time notifications whenever a trailer moves in or out of preapproved coordinates, allowing fleets to proactively react to possible cargo theft.
If a driver has authorization to stay the night in a hotel room, the carrier can create a geofence containment field around the hotel parking lot that will send an alert if anything happens to the truck while the driver is sleeping inside the hotel. In some outdoor supply chain security applications, there is a need for a solar-powered, wireless video solution. With trucks in loading dock areas and terminals, such technology can be easily deployed on the perimeter, suggests Dave Tynan of MicroPower Technologies.
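The geofence containment described above (an alert when a trailer leaves preapproved coordinates, such as the hotel parking lot while the driver sleeps) comes down to comparing each telematics ping against the fence and alerting only on the inside-to-outside transition. The following is an added example, not code from the article or from any vendor it names: it assumes a circular fence given as a center and radius in metres, a constructed stream of GPS pings for a hypothetical truck `TRK-17`, and a hysteresis margin so that GPS jitter right at the boundary does not produce a false theft alert.

```python
"""Geofence entry/exit alerting over a stream of telematics pings.

Added illustration only; not the article's or any vendor's code. Fence shape
(circle), ping format and the sample coordinates are assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Iterable, Iterator, Tuple

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass(frozen=True)
class Fence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass(frozen=True)
class Ping:
    asset: str   # tracker / truck identifier
    ts: int      # seconds since some epoch
    lat: float
    lon: float


def monitor(pings: Iterable[Ping], fence: Fence,
            min_exit_m: float = 0.0) -> Iterator[Tuple[str, int, str]]:
    """Yield (asset, ts, event) for each containment transition.

    The first ping for an asset only establishes its baseline state, so a truck
    already parked inside the fence does not alert. An EXIT fires only when the
    ping is more than `min_exit_m` beyond the fence edge (hysteresis), which
    suppresses jitter at the boundary; an ENTER fires as soon as a ping is
    inside the radius again. Every transition is reported exactly once.
    """
    state = {}  # asset -> True if currently considered inside the fence
    for p in pings:
        d = haversine_m(fence.lat, fence.lon, p.lat, p.lon)
        inside = d <= fence.radius_m
        prev = state.get(p.asset)
        if prev is None:
            state[p.asset] = inside
            continue
        if prev and d > fence.radius_m + min_exit_m:
            state[p.asset] = False
            yield (p.asset, p.ts, f"EXIT {fence.name}")
        elif not prev and inside:
            state[p.asset] = True
            yield (p.asset, p.ts, f"ENTER {fence.name}")


def run_example() -> list:
    """Constructed scenario: a truck parked in a 150 m hotel-lot fence drifts
    slightly (GPS jitter), is then moved ~220 m away, and is brought back."""
    fence = Fence("hotel-lot", 25.7617, -80.1918, radius_m=150.0)
    # 0.001 deg of latitude is ~111 m, so the offsets below are ~111, ~167,
    # ~222 and ~33 m from the fence center.
    pings = [
        Ping("TRK-17",   0, 25.7617, -80.1918),   # parked at center: baseline
        Ping("TRK-17",  60, 25.7627, -80.1918),   # ~111 m: still inside
        Ping("TRK-17", 120, 25.7632, -80.1918),   # ~167 m: past edge, within hysteresis
        Ping("TRK-17", 180, 25.7637, -80.1918),   # ~222 m: real exit -> alert
        Ping("TRK-17", 240, 25.7620, -80.1918),   # ~33 m: back inside -> alert
    ]
    return list(monitor(pings, fence, min_exit_m=30.0))


if __name__ == "__main__":
    for asset, ts, event in run_example():
        print(f"t={ts:>4}s {asset}: {event}")
```

The hysteresis margin is the part worth tuning in practice: with it set to zero the ~167 m jitter ping at t=120 would have raised a theft alert and the return ping an immediate ENTER, which is the kind of noise that makes drivers and dispatchers ignore the feed.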
One logistics company, a provider of small package ground delivery services in the United States and Canada, has more than 40, vehicles in service at any given time, and accounts for 33 ground transportation hubs and pickup and delivery facilities. To better monitor behavior, manage the flow of traffic at its hubs and to optimize the operations, the company invested in a solar, wireless surveillance solution. The company wanted to see trucks going in and out of the parking lots to watch over traffic patterns, driver efficiencies and operational issues.
The company was already relying on traditional, hardwired surveillance systems to enhance operations and safety, but officials recognized the need to extend the views of surveillance video to the perimeters of their logistics parking areas. After looking at several solutions, the logistics leader ultimately selected a solar, wireless surveillance platform because it delivers highly reliable and secure video surveillance capabilities in a zero-cable design. Real-time locating systems also play a supply chain security role. Such telematics systems capture truck and cargo location information in real-time, points out Andy Souders of Savi Technology.
Knowing where the hotspots are in terms of cargo theft based on historical data can also help with route planning. Some providers think outside of the box. SGS, a leading inspection, verification, testing and certification company, in an effort to gain a competitive edge in its consignment verification and logistics security business, sought to develop a new integrated logistics and tracking offering that it could add to its global services portfolio.
A key requirement of the service was real-time asset tracking and comprehensive journey monitoring. SGS delivers a solution to track freight movements using global positioning (GPS), general packet radio service (GPRS) and satellite technology that gives end users full in-transit visibility and real-time event management.

We will discuss process-based approaches to minimize vulnerability as well as ongoing methods to assure compliance. We will review specific implementation issues of actual and expected new rules.
While much of our course will inform companies about how they can incorporate business systems to reduce supply chain risk and vulnerability to counterfeit electronic parts, our course also will show where these new requirements create new business opportunities. This course is recommended for 6 CLP credits. Nicole Best.