5 tips for a good chain risk analysis

The Information Security Service (IBD) of VNG Realization recognizes the issue of chains and has developed a guideline for Chain Risk Analysis. "The purpose of this document is to provide guidance for municipalities that collaborate in chains and want to identify and mitigate chain risks." Version 1.0 has been available for general use since January 2022, see this link. The guideline aligns with the Baseline Information Security Government (BIO) and the ISO 27001 and ISO 27002 standards for information security.

The guideline provides a thorough approach to chain risk analysis in five detailed steps (and 13 activities). It starts with determining the scope, followed by describing the chain and the interdependencies in processes, systems, and interfaces. Next, it assesses the impact of a disruption in the chain and further delves into identifying cyber threats and risks. The last step involves determining measures and creating action plans. Templates, formats, and checklists are included in the annexes.

The attention given by IBD to the issue of chains is, in our opinion, entirely justified. We are heavily dependent on chains as a society. Whether it's in the form of numerous customer-supplier relationships or co-production of tasks and services (chain partner-chain partner relationships), even municipalities are involved. However, we feel somewhat uneasy about the Chain Risk Analysis guideline. The proposed approach is top-down involving all chain parties and is thus extensive. Who will undertake this task? A municipality is part of many chains, so which ones should they address and which ones should they not? The IBD itself acknowledges that there is often no chain owner, so who will initiate and coordinate the process?

The magnitude of the work and coordination burden can be daunting. Therefore, we advocate the following principles when conducting a chain risk analysis:

1. Each organization should apply a bottom-up approach in addition to the top-down approach for chain risk analysis.
2. Such a bottom-up approach should be designed to identify, develop, implement, and test cyclic improvements in various parts of the chain.
3. Each organization is responsible for its own information security.
4. Each organization provides insight into its security level (up to the level that is relevant for the chain's security).
5. Individual organizations engage in bilateral discussions and actively contribute to the security of the chain.

In addition to these important principles for successfully addressing chain risks, we provide five pragmatic actions to consider:

1. Inventory the interfaces/connections the organization has with each chain partner. Utilize existing risk analyses and/or business impact analyses.
2. Select one chain partner based on a criterion important to your organization, such as the level of risk, financial or reputational damage, etc.
3. Identify the current security policy and the applied baseline security level (BSL) for the interfaces/connections with this chain partner. Call the CISO of the collaborating partner and arrange a meeting. It's always a good idea to occasionally have a face-to-face conversation over a cup of coffee 😊
4. Discuss the applied security policies together. Explore the reasons for any differences and the choices underlying them.
5. There may be a lasting difference of opinion regarding the application of security policies. In such cases, identify the chain services involved and involve the other chain parties. Repeat step four with all chain parties.

Finally, vulnerabilities won't wait for the completion of a chain risk analysis. Crises won't unfold exactly as described in a business continuity plan or resilience playbook. In other words, "The proof of the pudding is in the eating." As part of our bottom-up approach, we advise getting started as soon as possible with practicing and testing the measures that contribute to the manageability and resilience of the chain.

If you would like to learn more about collaborations, risk analyses, and/or practicing and testing measures, or if you need support in implementing the five actions, please contact ruud.boot@vka.nl.