Supply Chain Security – Assessing Your Risk Profile

Disclaimer: The following information and guidance has been provided for information purposes only and does not constitute legal advice. Readers should contact their own institutional legal services with respect to developing specific requirements to ensure they are compliant with any applicable legal, regulatory or other requirements including international trade agreements.

It is important to assess risk in your procurement process to determine how to manage supply chain or research security. Proper assessment of risk can help you decide what mitigation measures may be warranted, or if the risk is significant enough to consider the selection of an alternative vendor. Researchers, working with their administration, are typically best positioned to assess the risk related to the service or good being purchased, as they have the most comprehensive understanding of what they are seeking to obtain.

When determining the nature and extent of the risks in your procurement process, you should first assess whether there is security risk based on what is being procured. Risk can be present in any procurement process, regardless of cost. Security considerations may change depending on a number of factors. These include whether you are procuring a service where individuals have access to research materials or laboratories, software or cloud services which may interact with your research data or your institution’s IT systems, or physical materials which may be subject to export controls. This assessment helps you determine the potential impact of a security breach.

If you identify security risk in what is being procured, you should then assess what risk may arise from your expected pool of vendors. Risk with a potential vendor has implications for the likelihood of a security breach.

Figure: three text boxes with arrows pointing to the right, indicating a three-step process.

First box: Assess the risk in what is being procured.

Second box: Assess the risk of who may provide the good or service.

Third box: Determine the appropriate ways to mitigate identified risk.

The following sections pose questions which will help you determine the degree of risk associated with a procurement process, as well as with prospective vendors. Each set of questions clearly lays out the objective of that stage of the assessment. These questions may or may not be relevant to your procurement, depending on the good or service being sought.

By answering these questions, you can better assess both the impact and likelihood of a security breach and determine the appropriate ways to mitigate risk.

Beyond the guidance provided here, your institution may also offer security threat and risk assessments, or other similar reviews, which will help in identifying security risks to your institution’s infrastructure, information, and systems.

Assessing Your Procurement for Risk

The following questions seek to determine whether the material or data being handled may be considered sensitive, as well as whether there is risk in the product or service being provided. They help inform a due diligence assessment, to the best of one’s ability to reasonably identify risks, about the services and goods to be procured and the potential vendors.

Sensitivity Assessment

Goal: Determine the sensitivity of materials or data processed by a product or service, and the impact of a potential compromise.

Access to Sensitive Information: Identify what information within your project may be sensitive. Determine whether a potential vendor or any of its subcontractors needs access to sensitive information to fulfill their contractual obligations. Evaluate their capability to access such data, including details about your institution’s information and communications technology (ICT) infrastructure or sensitive data (including metadata). Identify the specific types of sensitive information that the vendor or subcontractors will need or have access to and evaluate their security measures and protocols for handling and controlling access to this data, including how transparent they are in providing this information.

Questions to ask:

Does a potential vendor (or any of its subcontractors) require access to sensitive information to perform the contract? Could they access sensitive data?

Remote or Physical Access to Sensitive Locations: Determine whether the employees of a potential vendor or supplier will have remote or physical access to sensitive locations, offices or equipment within your institution. Evaluate whether employees or contractors will have unrestricted access, or whether they are supervised by institution staff or by their own oversight bodies or supervisors. Also consider whether access controls can be tightened to mitigate the identified risks, and what effect such changes would have on operational efficiency.

Questions to ask:

Is it possible to modify access permissions to mitigate potential risks, without disrupting or delaying service?

Will the staff of a potential vendor have access to your institution’s sensitive locations (i.e. workspaces, research labs, equipment)? If yes, are these individuals given unrestricted access to those locations and equipment, or are they supervised by a staff member?

Is it possible to modify access to a sensitive location to address potential risks?

Impact of Compromise: Determine the potential business impact if the data processed by the product is compromised, which could result in financial losses, operational disruptions or reputational damage. Assess the personal impacts on individuals and clients (including research subjects) whose data might be compromised, considering privacy violations and identity theft as business risks.

Questions to ask:

What would be the business or personal impact if the data processed by this product is compromised?

What strategies could be developed or implemented to mitigate the risks identified in the above question, including enhanced security measures, incident response plans, and data encryption? Can you develop those strategies in-house, or do you require outside expertise?

Interconnectedness of ICT Products: Determine how interconnected the product(s) become with the rest of the network and consider dependencies and access to other systems, public, private or sensitive. Identify possible vulnerabilities introduced via integration, and assess the risk and ability of a cyber actor to move laterally within the networks in the event of a compromise.

Questions to ask:

How interconnected is the product with the rest of a network in which it lives? How porous is that internal network to a cyber actor?

What mitigations is the institution technically able to implement, from network segmentation and firewalls to activity monitoring tools, and can the product be isolated from the rest of the network in the event of a compromise?

Assessing Vendors for Risk

In assessing a potential vendor for risk, the following questions may be applicable. You may also wish to consider using the questions found in Section 2: Know Your Partner Organization in the Risk Assessment Form of Canada’s National Security Guidelines for Research Partnerships.

Ownership Assessment

Goal: Identify the vendor’s underlying controlling interests, the location of its operations, and its business practices, and whether any of these introduce risk into the procurement.

Questions to ask:

  1. Who owns the vendor? To what extent are they government-owned or influenced? May the vendor be compelled by their country’s laws to share information with their government regardless of ownership?
  2. Where are the vendor’s global headquarters and their research and development centres?
    1. What lawful access and national security laws are in effect in the vendor’s locations?
    2. What legislative framework is a company bound to regarding data protection?
  3. Are there concerns that a shareholder or executive may have an illegitimate interest in deliberately influencing the design of their product or service to the possible detriment of your institution’s security (such as designing a product which can inappropriately access or transfer data)?
  4. Who are the vendor’s suppliers (if any) and where do they operate?
    1. Does the suppliers’ geographical location reduce or introduce potential risk to the production, transportation, delivery, and maintenance or support of the ICT product or service being procured? For example, what legal and policy frameworks may a possible supplier be operating under?
  5. Does the vendor demonstrate ethical business practices and adhere to legal and policy frameworks?
    1. Has the vendor, its owners, its stakeholders or executives been sanctioned for business activities? How recent and significant are these activities?
  6. Are there active lawsuits or investigations against the company or the company’s officials? Are there settled lawsuits or investigations which were not in the company’s favour related to patent infringement or other illegal activity?
  7. Does the vendor have relationships with or receive preferential treatment from a foreign government (such as receiving significant domestic subsidies to increase their competitiveness internationally) that could inappropriately influence their activity that could present security risks?
  8. Are there any other relationships that the vendor may have with other entities that could indicate inappropriate activity or influence or control of the vendor that could present security risks?
  9. What is the current financial position of the vendor? Are they expected to be able to continue to provide support for a service, software, or physical good over the course of its use?

Technical Assessment (for ICT products)

Goal: Identify the exploitability of ICT products, as well as the tactics, techniques, and procedures (TTPs) threat actors use against the ICT product.

Questions to ask:

  1. Does the vendor undergo third-party assessments to provide assurances of the product’s security? Are these assessments considered reliable (i.e., are they conducted by established, reputable providers, and is the scope and date of each assessment disclosed)?
  2. Does the vendor carry sufficient cyber insurance for the product?
  3. Does the vendor clearly identify client responsibilities for maintaining security? Are these responsibilities in line with your own institution’s policies? Are they contractually enforced?
  4. Is the product connected to the company’s own systems (e.g., via the internet, a vendor-operated cloud service, or remote support channels)?
  5. Does the company actively patch their product(s)? How often? Are patches applied automatically by the vendor, or are they reviewed and pushed out under the control of your own IT security staff?
  6. Does the potential product have:
    1. Published Common Vulnerabilities and Exposures (CVE) entries? Several databases can be searched, including the National Institute of Standards and Technology’s National Vulnerability Database (NVD).
    2. Other vulnerabilities detailed through an open-source review (vendor advisories, security research, or public bug reports)?
  7. If the potential product has any vulnerabilities that are unpatched:
    1. Summarize their severity (using Common Vulnerability Scoring System (CVSS) v4.0 base scores if available, otherwise the v3.1 scores recorded for the entry)
    2. Are exploits readily available online?
    3. Can an attacker construct an exploit from the public details of the vulnerability?
    4. How much risk do the known vulnerabilities of the potential product introduce into your environment?

For more guidance on assessing risks in a procurement, particularly those related to ICT products, the Canadian Centre for Cyber Security (CCCS) can offer assistance. For research security advice for your specific project, you can also contact Public Safety Canada’s Research Security Centre.