Key Compliance Frameworks to Safeguard Enterprises and Supply Chains – Manufacturing.net


On a federal level, more and more regulations are being put in place asking for increased visibility into certain processes and practices of organizations. Two notable categories these regulations fall into are cybersecurity and ESG. In the last few months, the U.S. Securities and Exchange Commission (SEC) approved several rules including one that will require some public companies to report their greenhouse gas emissions and climate risks, and another that requires publicly traded companies to disclose “material” cybersecurity incidents.

So how are businesses navigating these new regulations? By aligning themselves with relevant cybersecurity and ESG frameworks.

Cybersecurity

The number of cyberattacks on supply chain companies increased by 26 percent from 2022 to 2023, according to BlueVoyant’s State of Supply Chain report. An attack can have monumental financial impacts, as well as damage a business’s reputation. There are several cybersecurity frameworks against which a business can demonstrate compliance; doing so helps it mitigate risks, puts it in the best position to recover in the event of an attack, and proves its commitment to prioritizing security.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has become a popular choice for compliance alignment for organizations looking to meet the recent SEC Cybersecurity rules. The NIST CSF is a voluntary framework designed to provide a flexible, risk-based approach to managing cybersecurity risks. The core component requires organizations to:

  • Identify what systems and assets need protecting.
  • Protect data and other assets through the implementation of appropriate safeguards.
  • Detect any cybersecurity incident.
  • Respond to attacks with documented techniques and processes.
  • Recover any capabilities or data impaired by a cyberattack.

In contrast to a prescriptive or even flexible compliance reporting model, the NIST CSF allows companies to benchmark their security program against these five key domains and to assess their maturity not only at a point in time but on an ongoing basis. This is a notable benefit, as supply chain companies may have a different risk profile than a traditional cloud software vendor.

System and Organization Control (SOC) 2 Examination

A SOC 2 report focuses on how organizations achieve service commitments or promises related to security, service availability, transaction processing, data confidentiality, and/or privacy. SOC 2 has five Trust Services Criteria to measure against:

  • Security: The in-scope data and systems are protected against unauthorized access, unauthorized disclosure of information and damage.
  • Availability: The in-scope data and systems are available for use as agreed upon.
  • Processing Integrity: The in-scope data is processed in a complete, accurate, timely, and authorized manner.
  • Confidentiality: The in-scope data designated as confidential is effectively protected.
  • Privacy: The in-scope personal information is collected, used, retained, disclosed, and destroyed in accordance with the business’s privacy policy.

There is also a SOC for Supply Chain report from the AICPA. It is similar to SOC 2 in that it is commitment-based and provides a narrative around whom a company interacts with and how it protects the data of its customers. SOC 2 is arguably the most widely used service provider report in the US, so the SOC for Supply Chain report could potentially supplement it.

ISO 27001 Certification

ISO 27001 lays out the required criteria for taking a holistic approach to information security through the implementation and ongoing maintenance of an information security management system (ISMS). It focuses on confidentiality, integrity and availability of information. Requirements include:

  • Determination of the scope of the organization’s ISMS.
  • Leadership team to demonstrate commitment to the ISMS through the creation of internal policies, assignments of roles and responsibilities and allocation of resources.
  • Identification of information security risks and performance of a risk assessment.
  • Sufficient employee awareness and competence.
  • Monitoring, measurement, analysis, and evaluation of the performance of the ISMS to ensure its effectiveness and ongoing alignment with organizational objectives.
  • Continual enhancement of the ISMS.

In addition to enhanced mitigation of security threats, compliance with ISO 27001 helps organizations provide assurance to their customers, avoid the financial costs of data breaches, improve structure and productivity and reduce human cybersecurity errors. This is important for all companies, including supply chain companies.

The first step on the road to compliance is identifying which frameworks make the most sense – or are required – for an organization to measure against. This list does not cover every framework in these realms, meaning there’s a lot for a business to navigate when deciding what’s the right path for it.

Once a company identifies the certification they’re aiming to achieve, the next step is conducting a readiness assessment to identify gaps and vulnerabilities that the organization can address before the certification assessment. Working with a third-party auditor during this process can be beneficial as your organization works towards compliance.
