5 tips for a good chain risk analysis
The Need for Understanding Chain Risks
Collaborations between organizations (government, businesses, institutions, etc.) are indispensable in today's society. Governments, such as inspection services, environmental agencies, and safety regions, collaborate on activities such as granting permits, supervision, and enforcement. Hospitals, general practitioners, and pharmacists collaborate to provide healthcare, and in the business world, the supply chain is crucial for the delivery of goods. The dependencies faced by different municipalities during the Log4j vulnerability and the developments in Ukraine that put our digital resilience to the test highlight the interdependence and complexity of the chains we are part of.
These examples have one thing in common: there is an underlying information system that connects all parties and enables the sharing of information, shipment of goods, and provision of services. The old saying "a chain is only as strong as its weakest link" applies here as well: how secure is the information system in the chain, and how do you ensure that all links in the chain are equally strong?
Guideline for Chain Risk Analysis by VNG
The Information Security Service (IBD) of VNG Realization recognizes the issue of chains and has developed a guideline for Chain Risk Analysis. "The purpose of this document is to provide guidance for municipalities that collaborate in chains and want to identify and mitigate chain risks." Version 1.0 has been available for general use since January 2022, see this link. The guideline aligns with the Baseline Information Security Government (BIO) and the ISO 27001 and ISO 27002 standards for information security.
The guideline provides a thorough approach to chain risk analysis in five detailed steps (and 13 activities). It starts with determining the scope, followed by describing the chain and the interdependencies in processes, systems, and interfaces. Next, it assesses the impact of a disruption in the chain and further delves into identifying cyber threats and risks. The last step involves determining measures and creating action plans. Templates, formats, and checklists are included in the annexes.
Principles for Chain Risk Analysis
The attention given by IBD to the issue of chains is, in our opinion, entirely justified. We are heavily dependent on chains as a society. Whether it's in the form of numerous customer-supplier relationships or co-production of tasks and services (chain partner-chain partner relationships), even municipalities are involved. However, we feel somewhat uneasy about the Chain Risk Analysis guideline. The proposed approach is top-down involving all chain parties and is thus extensive. Who will undertake this task? A municipality is part of many chains, so which ones should they address and which ones should they not? The IBD itself acknowledges that there is often no chain owner, so who will initiate and coordinate the process?
The magnitude of the work and coordination burden can be daunting. Therefore, we advocate the following principles when conducting a chain risk analysis:
- Each organization should apply a bottom-up approach in addition to the top-down approach for chain risk analysis.
- Such a bottom-up approach should be designed to identify, develop, implement, and test cyclic improvements in various parts of the chain.
- Each organization is responsible for its own information security.
- Each organization provides insight into its security level (up to the level that is relevant for the chain's security).
- Individual organizations engage in bilateral discussions and actively contribute to the security of the chain.
Five Pragmatic Actions for Chain Risk Analysis
In addition to these important principles for successfully addressing chain risks, we provide five pragmatic actions to consider:
- Inventory the interfaces/connections the organization has with each chain partner. Utilize existing risk analyses and/or business impact analyses.
- Select one chain partner based on a criterion important to your organization, such as the level of risk, financial or reputational damage, etc.
- Identify the current security policy and the applied baseline security level (BSL) for the interfaces/connections with this chain partner. Call the CISO of the collaborating partner and arrange a meeting. It's always a good idea to occasionally have a face-to-face conversation over a cup of coffee 😊
- Discuss the applied security policies together. Explore the reasons for any differences and the choices underlying them.
- There may be a lasting difference of opinion regarding the application of security policies. In such cases, identify the chain services involved and involve the other chain parties. Repeat step four with all chain parties.
Take Action: Practice and Test Measures
Finally, vulnerabilities won't wait for the completion of a chain risk analysis. Crises won't unfold exactly as described in a business continuity plan or resilience playbook. In other words, "The proof of the pudding is in the eating." As part of our bottom-up approach, we advise getting started as soon as possible with practicing and testing the measures that contribute to the manageability and resilience of the chain.
Would you like to know more?
If you would like to learn more about collaborations, risk analyses, and/or practicing and testing measures, or if you need support in implementing the five actions, please contact ruud.boot@vka.nl.