« Vulnerabilities targeted in 2019 | Main | COSO ERM guidance: creating and protecting value »

2020.02.05

NIST has published a draft of a practical guide to supply chain security...

Hello, this is Mitsuhiko Maruyama. NIST has published a draft of a practical guide to cyber supply chain security.

NIST

・2020.02.04 NISTIR 8276 (Draft) Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

It was apparently developed from 24 case studies based on an analysis of interviews with companies in 2015 and 2019. Its stated aim is to provide the foundations for running an effective cyber supply chain risk management (C-SCRM) program.

・・NISTIR 8276 (Draft) (DOI)


Announcement
Since the release of the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and its companion, Roadmap for Improving Critical Infrastructure Cybersecurity in 2014, NIST has researched industry practices in cyber supply chain risk management (C-SCRM) through engagement with industry leaders.
This publication is based on: an analysis of interviews with companies in 2015 and 2019, which led to the development of 24 case studies; prior NIST research in cyber supply chain risk management; and a number of standards and industry best practices documents. NISTIR 8276 is intended to provide a high-level summary of practices deemed by subject matter experts to be foundational to an effective cyber supply chain risk management program.


 

Key practices

1 Integrate C-SCRM across the organization
2 Establish a formal program
3 Know and manage your critical suppliers
4 Understand your supply chain
5 Closely collaborate with your key suppliers
6 Include key suppliers in your resilience and improvement activities
7 Assess and monitor throughout the supplier relationship
8 Plan for the full lifecycle

 

Key recommendations

・Create explicit collaborative roles, structures, and processes for the supply chain, cybersecurity, product security, and physical security (and other relevant) functions.
・Integrate cybersecurity considerations into the system and product lifecycle.
・Determine supplier criticality by using industry standards and best practices.
・Mentor and coach suppliers to improve their cybersecurity practices.
・Include key suppliers in contingency planning, incident response, and disaster recovery planning and testing.
・Use third-party assessments, site visits, and formal certification to assess critical suppliers.

 

And all of this came out on 2020.02.04 in one go...

 

Series Number | Title | Status | Release Date

NISTIR 8276 | Key Practices in Cyber Supply Chain Risk Management: Observations from Industry | Draft | 2/04/2020
  Download: NISTIR 8276 (Draft) (DOI); Local Download; Cyber SCRM Key Practices and Case Studies; NIST news article

White Paper | Case Studies in Cyber Supply Chain Risk Management: Anonymous Consumer Goods Company | Final | 2/04/2020
  Download: White Paper (DOI); Local Download; Cyber SCRM Key Practices and Case Studies

White Paper | Case Studies in Cyber Supply Chain Risk Management: Anonymous Consumer Electronics Company | Final | 2/04/2020
  Download: White Paper (DOI); Local Download; Cyber SCRM Key Practices and Case Studies

White Paper | Case Studies in Cyber Supply Chain Risk Management: Seagate Technology | Final | 2/04/2020
  Download: White Paper (DOI); Local Download; Cyber SCRM Key Practices and Case Studies

White Paper | Case Studies in Cyber Supply Chain Risk Management: Mayo Clinic | Final | 2/04/2020
  Download: White Paper (DOI); Local Download; Cyber SCRM Key Practices and Case Studies

White Paper | Case Studies in Cyber Supply Chain Risk Management: Anonymous Renewable Energy Company | Final | 2/04/2020
  Download: White Paper (DOI); Local Download; Cyber SCRM Key Practices and Case Studies

White Paper | Case Studies in Cyber Supply Chain Risk Management: Summary of Findings and Recommendations | Final | 2/04/2020
  Download: White Paper (DOI); Cyber SCRM Key Practices and Case Studies

SP 800-161 Rev. 1 | PRE-DRAFT Call for Comments: Supply Chain Risk Management Practices for Federal Information Systems and Organizations | Draft | 2/04/2020
  Download: None available

White Paper | Case Studies in Cyber Supply Chain Risk Management: Palo Alto Networks, Inc. | Final | 2/04/2020
  Download: White Paper (DOI); Local Download; Cyber SCRM Key Practices and Case Studies

 
