It’s critical for the company to convey its information security requests with transparency and specificity when obtaining systems, parts, and services necessary for business success. After reviewing current information system security controls, we have determined that there is a need to overhaul current practice by implementing a new set of security tools necessary to help meet or exceed current and future industry regulatory standards.
Overall, we have discovered that the company has taken the necessary steps to securing the Global Supply Chain (GSC) system with existing policy. GSC is responsible for the company’s supplier selection and contracting. All contracts with suppliers must include language that adequately addresses high-risk areas identified in the Working With Suppliers Policy (WWS Policy) maintained by the company’s legal deptartment.
We’ve discovered opportunities for enhancing security control protocols in regards to supply auditing and contingency planning competencies. Opportunities for improvement in these areas have been previously documented by a plan of action and milestone as a result of previous attempts to make improvements within these areas.
We recommend establishing an enterprise system and services acquisition policy based around the NIST.SP.800-53 rev. 4 “System and Services Acquisition” (SA Family) of control mechanisms for accessing risk with dealing with third party provider services and products. The establishment of security controls as outlined by NIST’s system and services acquisition policy and procedures is instrumental in providing an effective implementation of policy and procedures that reflect applicable directives, regulations, standards, policies, federal laws, executive orders, and overall general guidance.
NIST.SP.800-53 rev. 4 “System and Services Acquisition” (SA Family) provides the necessary framework from which to work by ensuring organizations have the proper control mechanisms in place. The security controls provided by NIST.SP.800-53 rev. 4 will address requirements for developing information systems and associated products and services for dealing with third party vendors.
22 NIST.SP.800-53 rev.4 system and service acquisition family of controls listed below are under consideration:
- (SA-1) System and Services Acquisition Policy and Procedures
- (SA-2) Allocation of Resources
- (SA-3) System Development Lifecycle
- (SA-4) Acquisition Process
- (SA-5) Information System Documentation
- (SA-6) Software Usage Restrictions
- (SA-7) User-Installed Software
- (SA-8) Security Engineering Principles
- (SA-9) External Information System Services
- (SA-10) Developer Configuration Management
- (SA-11) Developer Security Testing and Evaluation
- (SA-12) Supply Chain Protection
- (SA-13) Trustworthiness
- (SA-14) Criticality Analysis
- (SA-15) Development Process, Standards, and Tools
- (SA-16) Developer-Provided Training
- (SA-17) Developer Architecture and Design
- (SA-18) Tamper Resistance and Detection
- (SA-19) Component Authenticity
- (SA-20) Customized Development of Critical Components
- (SA-21) Developer Screening
- (SA-22) Unsupported System Components
The company’s new Information Security policy will serve to provide the necessary components inline with best practices associated with organizational information security management. These new security controls will serve to establish new methods used to evaluate third party supplier services that host the company’s information in addition to third party products that are acquired to process the company’s information.
National Vulnerability Database. (2016, September). NIST Special Publication 800-53 (Rev. 4). Retrieved September, 2016, from https://web.nvd.nist.gov/view/800-53/Rev4/family?familyName=System%20and%20Services%20Acquisition