II.C.14 Supply Chain
The typical institution purchases a wide variety of hardware and software, which often is manufactured or developed internationally. In a supply chain attack, a threat source incorporates unidentified and harmful features into the purchased items before delivery. During the risk identification process, management should identify factors that may increase risk from supply chain attacks and respond with appropriate risk mitigations. An effective information security program seeks to limit the potential for harm through techniques tailored to specific acquisitions and services. Examples of techniques to mitigate the risk from such attacks include the following:
- Only making purchases through reputable sellers who demonstrate an ability to control their own supply chains.
- Purchasing hardware and software through third parties to shield the institution's identity.
- Reviewing hardware for anomalies.
- Using automated software testing and code reviews for software.
- Regularly reviewing the reliability of software and hardware items purchased through activity monitoring and evaluations by user groups.
II.C.13(e) Rogue or Shadow IT
II.C.15 Logical Security