II.C.14 Supply Chain
The typical institution purchases a wide variety of hardware and
software, which often is manufactured or developed internationally.
In a supply chain attack, a threat source incorporates unidentified
and harmful features into the purchased items before delivery.
During the risk identification process, management should identify
factors that may increase risk from supply chain attacks and
respond with appropriate risk mitigations. An effective information
security program seeks to limit the potential for harm through
techniques tailored to specific acquisitions and services. Examples
of techniques to mitigate the risk from such attacks include the