Securing trust in electronic supply chains

Similar documents
Data protection policy

Data protection. 3 April 2018

Your security on click Jobs

A company built on security

Information Security Controls Policy

Internet of Things Toolkit for Small and Medium Businesses

UKIP needs to gather and use certain information about individuals.

What is ISO ISMS? Business Beam

10 Hidden IT Risks That Might Threaten Your Business

Security Policies and Procedures Principles and Practices

An overview of mobile call recording for businesses

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Enviro Technology Services Ltd Data Protection Policy

Computer Security Policy

The Honest Advantage

It s still very important that you take some steps to help keep up security when you re online:

Security Awareness Training Courses

Please let us know if you have any questions regarding this Policy either by to or by telephone

A practical guide to IT security

Renmar Plastics Machinery Ltd Privacy Statement

TERMS AND CONDITIONS FOR THE USE OF THE WEBSITE AND PRIVACY POLICY

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

For our services, the data controller (the company that s responsible for your privacy), is Rent a Van 365 Limited. Registered address:

Checklist: Credit Union Information Security and Privacy Policies

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Canada Life Cyber Security Statement 2018

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Mobile Computing Policy

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

Nine Steps to Smart Security for Small Businesses

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Information Security Management System

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

Unit 3 Cyber security

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

M a d. Take control of your digital security. Advisory & Audit Security Testing Certification Services Training & Awareness

TEL2813/IS2820 Security Management

Simple and Powerful Security for PCI DSS

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

Hallmark Solutions Limited PRIVACY NOTICE

Information Security Controls Policy

Cloud Security Standards Supplier Survey. Version 1

Privacy notice. Last updated: 25 May 2018

PCI Compliance. What is it? Who uses it? Why is it important?

Patient Information Security

PCI DSS Compliance. White Paper Parallels Remote Application Server

Qualification Specification

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

2. The Information we collect and how we use it: Individuals and Organisations: We collect and process personal data from individuals and organisation

ASD CERTIFICATION REPORT

Publications. ACH Audit Requirements. A new approach to payments advising SM. Sound Practices Checklists

Information Security Strategy

Subject: Kier Group plc Data Protection Policy

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

INFORMATION ASSET MANAGEMENT POLICY

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

UWTSD Group Data Protection Policy

Lakeshore Technical College Official Policy

THE COMPLETE FIELD GUIDE TO THE WAN

INFORMATION SECURITY AND RISK POLICY

22 BEVIS MARKS, LONDON, EC3A 7JB

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

PS Mailing Services Ltd Data Protection Policy May 2018

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Recommendations for Device Provisioning Security

SECURE INFORMATION EXCHANGE: REFERENCE ARCHITECTURE

IT Remote Working Policy

Federated authentication for e-infrastructures

Data Protection and GDPR

BRING YOUR OWN DEVICE (BYOD)

Federated Authentication for E-Infrastructures

Oracle Data Cloud ( ODC ) Inbound Security Policies

Keys to a more secure data environment

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Unit 2 Essentials of cyber security

NIPPON VALUE INVESTORS DATA PROTECTION POLICY

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Advent IM Ltd ISO/IEC 27001:2013 vs

How Cyber-Criminals Steal and Profit from your Data

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Protecting information across government

commtech Online Holiday Shopping Tips A Guide Presented by: CommTech Industries

Information Security Management Criteria for Our Business Partners

ARCHIVE ESSENTIALS

SDR Guide to Complete the SDR

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

PS 176 Removable Media Policy

South Hams Motor Club Our Privacy Policy. How do we collect information from you? What type of information is collected from you?

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

Privacy Policy: Data & Information Security Policy Last revised: 9 May 2018

How the GDPR will impact your software delivery processes

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

Transcription:

Securing trust in electronic supply chains

www.ukonlineforbusiness.gov.uk/supply Securing trust 1 Introduction: How issues of trust affect e-supply chains Introduction 1 Trust in each element of the supply chain 2 Trust and security in action 3 Securing your future 4 Electronic supply chains are gaining ever wider acceptance by large organisations thanks to the economies of scale, speed and accuracy of transactions, greater efficiency, and reduced costs that they bring. The other companies in these chains derive the same benefits of reduced costs, increased sales, and greater efficiency from electronic supply chains. But they can also be exposed to greater risks through participation in electronic chains they do not control. One of the main inhibitors to the uptake of e-commerce in general, and the adoption of electronic supply chains in particular, has been concern about the security of online transactions. Once organisations can demonstrate to both customers and trading partners the security of their online operations, commercial prospects immediately improve. It is important to remember that the fundamental goal of electronic supply chain network security is not to prevent the loss of sensitive data, but to maximise the economic return on such data, whilst always maintaining its integrity.

2 Securing trust www.ukonlineforbusiness.gov.uk/supply www.ukonlineforbusiness.gov.uk/supply Securing trust 3 Trust in each element of the electronic supply chain Trust and security in action Trust in each element of the electronic supply chain Every element of the electronic supply chain is affected by issues of trust and security. Product Development. Open communication is vital during product development, and sharing information and resources within the development team is in everyone's interest. Commercially sensitive information will need to be communicated in a secure online environment, through, for instance, secure e-mail services or virtual private networks. Purchasing. This time the goal is transactional confidence. Both parties must be confident in the ability of the other to deliver payment or goods, and to maintain the security of payment details provided - by credit or debit card, for instance. The use of digital signatures supported by certification authorities and encrypted transmissions (such as Secure Socket Layer or other end-to-end security products) can reassure customers that their details will be kept confidential. Stock control/inventory. By regulating who has access to your stock control system and who can update records you can make sure that you have an accurate picture of your stock holdings. This is particularly important when online customer/supplier interfaces are in use. Order accuracy. Greatly improved by e-mail, fraudulent ordering can be guarded against by the use of digital signatures and Certificate Authorities (CAs). CAs issue and manage security credentials to guarantee people are who they say they are. Delivery. Secure delivery information where the information cannot be intercepted online means that details of what you have purchased and where it will be delivered are secure. This protects against the possibility of high value items being targeted in transit by thieves. Customer service. Increased levels of trust and security in the electronic supply chain lead to better business relationships and greater levels of trading activity. Infotel Solutions Infotel Solutions is a hotel, conference and events reservation service based in Lincolnshire. It uses web and telephone technology to integrate its telephone call centre with its web site s online booking service for both its end customers and its hotel suppliers. Mark Taylor is the company s information manager. We have a number of security systems in place, including an extremely effective firewall that sits between our systems and the Internet, monitoring all traffic. Opening up your system to the Internet can leave you wide open, so a firewall is essential. It keeps all unauthorised intruders at bay, but allows customers in to browse our site. Infotel also has all incoming and outgoing e-mails and attachments swept for viruses by its Internet Service Provider (ISP). We get about twenty infected e-mails a day, explains Taylor. The ISP keeps them in a quarantined area for me to look at and also sends a courtesy message to the sender advising them that they have a problem. Inside the organisation staff have appropriate levels of access to corporate information through password identification, and transmit and store all transactional details in a securely encrypted fashion. Wright publications Based in West Yorkshire, Wright Publications specialises in technical publications and foreign language translations. Secure information is key to its business, and it decided to adopt British Standard 7799 back in 1998. Customers have recognised the difference BS 7799 makes and have confirmed that it gives the company a distinct advantage against other suppliers, as it gives customers a greater sense of confidence in dealing with them. Adopting the standard also helped Wright Publications spot risks it had not considered before. Through BS 7799, the company learnt to apply electronic solutions in controlling electronic information, and to integrate different administrative and management procedures into a single system for complete visibility. The proof of its effectiveness? When Wright Publications suffered a serious break-in, its security provisions meant that all its information remained safe and it was back in business in just a few hours.

4 Securing trust www.ukonlineforbusiness.gov.uk/supply Securing your future Data is frequently an organisation s most significant asset, and deciding how to manage and control your data is one of the most significant business decisions any company has to make. It is also the one commodity traded by every company in your supply chain. British Standard 7799 is the standard on information security management. Following its provisions will ensure you comply with legal requirements, can help achieve the level of trust that will allow you and your supply chain partners to trade securely together. The use of BS 7799 allows you to develop a practical Information Security Management System (ISMS), that involves three simple steps: Set the goals and direction of information security in your organisation through a management framework for information and an agreed security policy. Work with your customers and suppliers to ensure your solution works for all concerned. Assess the risks you face - small and medium sized businesses may be unlikely to be the target of professional hackers, but data loss could cost your business a lot. Think also about the potential risks to your customers and suppliers this could affect you too. Balance your security spending against the risks you and your face. Once you've agreed a policy and identified risks it's time to choose and implement the security measures you will take to keep risk down to an acceptable level. You also need to consider the trust implications involved in any security measures. Will regular customers and suppliers be happy to remember user names and passwords? Communicating the reasons behind your security measures and the benefits they ll bring will ensure the transition to a more secure trading environment goes smoothly. Always involve your key supply chain partners in these discussions. It will enable you to identify potential problems and work on solutions to them earlier. Practical ways in which you can begin preparing for this process include: 1 Determine the value of the data you hold SEC 1 (low security classification) non-critical data that all your employees can access and probably some of your customers and suppliers too, through a password protected web site. This could include inventory information, for instance. SEC 2 (medium security classification) business critical data that should be kept confidential within the company, with access allowed on a limited basis through passwords and similar measures this might include mailing lists, financial information, and so on. You might want to make this available to selected customers and suppliers. SEC 3 (high security classification) essentially private information access to which should be strictly controlled. It may also be necessary to hold this information in encrypted format as in the case of credit card details, for instance. 2 Identify threats These come in two basic forms - malicious threats, and accidental threats. Malicious threats might include hackers, disgruntled employees, and so on. Accidental threats might include system failures or internet-born viruses. Take into account the threats to your supply chain partners. If they re sharing electronic information with you, breaches to their security could affect you too. 3 Identify weaknesses In the light of the risks you have considered, where is your system vulnerable? Are there regular backups? Is access carefully and appropriately regulated? How secure are your suppliers systems? How easily can your customers get in and out of your systems? To reap the benefits of working collaboratively you need trust, you also need to be aware of any vulnerabilities in the links between you and the rest of your supply chain. 4 Establish countermeasures These range from external backups through firewalls and virus protection programs to strong token passwords, and might also include software to monitor internet and extranet traffic. However secure your counter-measures are, if key suppliers and customers are vulnerable then there is a good chance that any security breach to their systems will affect you too. 5 Managing risk Once security measures are in place that's not the end of the story. Security is an ongoing issue, and each new business development or new customer or supplier acquisition brings new security implications in its wake. To be effective any security policy must include regular reviews of the situation. Involve key supply chain partners in any reviews. To be truly effective any security measures must work for the whole supply chain.

Further help and advice For more information on securing trust in electronic supply chains, and a wealth of other information, visit our web site at www.ukonlineforbusiness.gov.uk/supply www.dti.gov.uk/cii/datasecurity/index.shtml The DTI web site with extensive links and lots of downloadable information on security. To find out details of your local UK online for business adviser: Call the UK online for business Infoline on 0845 715 2000 Visit our web site at www.ukonlineforbusiness.gov.uk The Supplying Electronically CD-ROM will give you information about working in supply chains. If you are a smaller business, read E-security a guide for small businesses available from UK online for business. These can be obtained from the Infoline or the web site. Other useful sites www.rsasecurity.com commercial provider of electronic security services. www.trustuk.org.uk online hallmarking organisation. http://www.open.gov.uk/dpr/dprhome.htm Data Protection Commission web site provides information on your legal requirements when storing data. http://www.bsi.org.uk/disc provides detailed information on British Standard BS7799. Examples of products and companies included in this leaflet do not in any way imply endorsement or recommendation by UK online for business. Bear in mind that prices quoted are indicative at the time it was published (April 2002). Published by the Department of Trade and Industry. Crown Copyright. URN 02/724; 04/02

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback