Vendor Management and the Labour Party

Dave Levy
Mar 27, 2021

This is based on my experience as an IT Security and Compliance consultant, and leans on ISO 27001. Some of the words in this article mirror what I say in the LinkedIn post. I argue that rule one is to have a policy which must deal with how to apply a risk-based approach to the supply chain. This means segmenting suppliers into value or risk classes, using a classic risk matrix that scores the estimated probability of failure against its impact. This will help one understand how important any supplier is to the business. The policy should also set authorisation limits, include policies to counter the threat of corruption, and include life-cycle policies, including sunset clauses, to ensure it remains relevant. The policy must define the monitoring requirements, which may create liabilities on both sides, and also the need for terms to exit the contract and for remediation where the supplier unilaterally exits the market.

All IT supply must be under contract, and that contract must be appropriately authorised financially, legally and technically, i.e. someone must have signed off on the risks to confidentiality, availability and integrity. The nature of the contract and of the risk analysis will depend on the importance of the supplier to the enterprise. Contracts need to establish the right to use, rights to software updates, the rights to bug fixes and engineering effort under a service level agreement, the right to request…

Dave Levy

Brit, Londoner, economist, Labour, privacy, cybersecurity, traveller, father - mainly writing about UK politics & IT, https://linktr.ee/davelevy