Introduction:
It is critical for the company to state its information security requirements transparently and specifically when acquiring the systems, components, and services the business depends on. After reviewing the current information system security controls, we have determined that current practice needs to be overhauled by adopting a new set of security controls in order to meet or exceed current and future industry and regulatory standards.
Findings:
Overall, we found that the company has taken the necessary steps to secure the Global Supply Chain (GSC) system under existing policy. GSC is responsible for the company’s supplier selection and contracting. All supplier contracts must include language that adequately addresses the high-risk areas identified in the Working With Suppliers Policy (WWS Policy) maintained by the company’s legal department.
We identified opportunities to strengthen security controls in the areas of supplier auditing and contingency planning. These gaps were previously documented in a plan of action and milestones (POA&M) following earlier, incomplete attempts to improve them.
Recommendation:
We recommend establishing an enterprise system and services acquisition policy built around the NIST SP 800-53 Rev. 4 “System and Services Acquisition” (SA) family of controls for assessing the risk of third-party services and products. The SA-1 control (System and Services Acquisition Policy and Procedures) requires the organization to develop, document, and disseminate an acquisition policy and supporting procedures that reflect applicable federal laws, executive orders, directives, regulations, policies, standards, and guidance, and to review and update both at a defined frequency.
The SA family provides the framework for ensuring the organization has the proper control mechanisms in place. Its controls address requirements for the development of information systems and their associated products and services, and for the management of third-party vendors and external service providers.
The 22 NIST SP 800-53 Rev. 4 SA family controls listed below are under consideration:
- (SA-1) System and Services Acquisition Policy and Procedures
- (SA-2) Allocation of Resources
- (SA-3) System Development Life Cycle
- (SA-4) Acquisition Process
- (SA-5) Information System Documentation
- (SA-6) Software Usage Restrictions (withdrawn in Rev. 4; incorporated into CM-10)
- (SA-7) User-Installed Software (withdrawn in Rev. 4; incorporated into CM-11)
- (SA-8) Security Engineering Principles
- (SA-9) External Information System Services
- (SA-10) Developer Configuration Management
- (SA-11) Developer Security Testing and Evaluation
- (SA-12) Supply Chain Protection
- (SA-13) Trustworthiness
- (SA-14) Criticality Analysis
- (SA-15) Development Process, Standards, and Tools
- (SA-16) Developer-Provided Training
- (SA-17) Developer Architecture and Design
- (SA-18) Tamper Resistance and Detection
- (SA-19) Component Authenticity
- (SA-20) Customized Development of Critical Components
- (SA-21) Developer Screening
- (SA-22) Unsupported System Components
The company’s new Information Security policy will provide the necessary components in line with best practices for organizational information security management. These controls will establish new methods for evaluating third-party supplier services that host the company’s information, as well as third-party products acquired to process it.
Reference:
National Vulnerability Database. (2016, September). NIST Special Publication 800-53 (Rev. 4): System and Services Acquisition control family. Retrieved September 2016, from https://web.nvd.nist.gov/view/800-53/Rev4/family?familyName=System%20and%20Services%20Acquisition