How to work with the supply chain

Overview #

The Asset module in the Business and Premium subscriptions supports supply chain management features. This topic is important because supply chain weakness is one of the greatest security risks for any organisation. Also, the new European NIS2 framework contains requirements on how to manage your supply chain.

At a conceptual level, we consider a supplier a special type of asset. You can create a hierarchy of assets and add your suppliers to this hierarchy. A supplier can have linked documents such as a contract, SLA or DPA. A supplier can also have related tasks for the (annual) assessment or other purposes.

Consider using the KPIs and Forms feature to create an internal supplier assessment questionnaire.


Hierarchy #

To create the hierarchy, it is important to understand the concept of ‘Containers’. Each asset can act as a container, meaning it can contain other assets. For example, a database asset can contain many data assets, such as credit card numbers. In ISOPlanner, when you edit an asset, you select the containers in which this asset is contained.

In ‘parent / child’ terms, when editing an asset, you select the parents.

It is also important to know that an asset can be contained in more than one other asset. This is especially true for assets of type Information. For example, you need to protect credit card numbers. This asset is stored in a database, but copies may be stored in a back-up, possibly even in another geographical location. When you edit the containers of an asset, you can check which container holds the source of the data.

Attackers will scan for weaknesses in secondary systems such as back-up systems, because these are often less well protected than the primary system.

Create an asset for each supplier and set the Type to Supplier. Add the products and/or services that they provide to your organisation as assets too, and select the supplier in the Containers section. After saving, the product is shown below the supplier in the hierarchy.

A ‘smart’ diagram view is available which can be filtered to visualise chains in the created hierarchy. Because an asset can be in multiple locations in the hierarchy (e.g. customer data can be stored in the data centre while copies might be on laptops), the diagram adjusts for this automatically.

Click the Enable edit mode button to directly add and edit assets in the diagram.

Classifications #

After you’ve set up your hierarchy, you might want to add classification label(s) to each asset. Our advice is to start adding them at the lowest levels in the hierarchy. We can illustrate this again with the credit card number example. You might want to add the label ‘Confidentiality – Very High‘ to this asset. This is an information asset which cannot be protected directly. Instead, you want to protect the container: the database. This database can also contain other assets, let’s say customer email addresses that have the label ‘Confidentiality – High‘. Which classification label should the database get? The highest. ISOPlanner can calculate this for you using the hierarchy.

Open the details of the credit card number asset and open the containers. For each container you see a column Inherit classification groups. By selecting the container and clicking the button Edit classification groups, you can select the classification groups that will be propagated up the hierarchy to that container. Click Select and then click Save to save the asset.

The result is that you do not have to set the classification label on the database asset manually. ISOPlanner calculates it automatically from the highest level found among all assets below it in the hierarchy. You can also propagate the Confidentiality label further up the chain: from the database up to the server or the hosting party, if you have created an asset for it.
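The propagation rule described above is small enough to model directly. The following is an added example, not ISOPlanner code: it builds the credit card number scenario as a set of assets with containers (an asset may sit in several containers, as in the back-up case), a per-container "inherit" flag standing in for the Inherit classification groups setting, and computes each container's effective Confidentiality label as the highest label of everything that propagates into it. The asset names, the label ordering Low < Medium < High < Very High, and the assumption that the container graph has no cycles are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ordinal scale for the "Confidentiality" classification group.
# The ordering of the labels is an assumption of this example.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass
class Asset:
    name: str
    asset_type: str                       # e.g. "Information", "Database", "Supplier"
    own_label: Optional[str] = None       # label set directly on this asset, if any
    # container name -> whether Confidentiality is propagated up to that container
    # (stands in for the "Inherit classification groups" choice per container)
    containers: dict = field(default_factory=dict)


class Hierarchy:
    """Assets linked by containment; computes inherited labels for containers."""

    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        for a in assets:
            for c in a.containers:
                if c not in self.assets:
                    raise ValueError(f"{a.name}: unknown container {c!r}")
        self._cache = {}
        # Evaluate everything once so cycles are reported at construction time.
        for name in self.assets:
            self.effective_label(name)

    def contained_assets(self, container):
        """Assets that sit in `container` AND propagate their label to it."""
        return [a for a in self.assets.values()
                if a.containers.get(container) is True]

    def effective_label(self, name, _visiting=frozenset()):
        """Highest of the asset's own label and the effective labels of what it contains."""
        if name in self._cache:
            return self._cache[name]
        if name in _visiting:
            # Containment must be acyclic (assumption); refuse to loop forever.
            raise ValueError(f"containment cycle through {name!r}")
        asset = self.assets[name]
        candidates = [asset.own_label] if asset.own_label else []
        for child in self.contained_assets(name):
            lbl = self.effective_label(child.name, _visiting | {name})
            if lbl:
                candidates.append(lbl)
        result = max(candidates, key=LEVELS.__getitem__) if candidates else None
        self._cache[name] = result
        return result

    def containers_to_protect(self, minimum):
        """Non-Information assets whose effective label is at least `minimum`."""
        return sorted(
            n for n, a in self.assets.items()
            if a.asset_type != "Information"
            and self.effective_label(n) is not None
            and LEVELS[self.effective_label(n)] >= LEVELS[minimum]
        )


def build_example():
    """Constructed sample hierarchy mirroring the credit card number scenario."""
    return Hierarchy([
        # Information assets carry explicit labels at the lowest level.
        Asset("credit_card_numbers", "Information", "Very High",
              {"customer_db": True, "backup": True}),   # copy lives in the back-up too
        Asset("customer_emails", "Information", "High", {"customer_db": True}),
        Asset("uptime_metrics", "Information", "Medium", {"monitoring": False}),  # not inherited
        # Containers get no explicit label; theirs is calculated.
        Asset("customer_db", "Database", None, {"db_server": True}),
        Asset("backup", "Back-up", None, {"hosting_party": True}),
        Asset("db_server", "Server", None, {"hosting_party": True}),
        Asset("hosting_party", "Supplier"),
        Asset("monitoring", "Service"),
    ])


if __name__ == "__main__":
    h = build_example()
    for name in h.assets:
        print(f"{name:20s} -> {h.effective_label(name)}")
    print("protect at Very High:", h.containers_to_protect("Very High"))
```

Running it shows the database, the back-up, the server and the hosting party all ending up at Very High because the credit card numbers sit below each of them, while the monitoring service gets no label at all since inheritance was not enabled on that containment link. That last case is the one to double-check in your own hierarchy: a container with no inherited label is not necessarily low-risk, it may just have the flag switched off.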

When you have configured the classification labels and the inheritance along your chain, you have much better insight into which asset containers you must protect, and at which level.

Resources #