http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221600499 By J. Nicholas Hoover InformationWeek November 7, 2009 (From the November 9, 2009 issue) Security pros draw a line at the firewall--what happens "out there" might be beyond their control, but a secure perimeter is intended to protect the data and systems within. That view, however, fails to take into account the role of developers, vendors, customers, users, and others along the supply chain of IT systems, hardware, and software coming into the enterprise. A new school of practice advocates a more encompassing approach to security that leaves none of those touch points unchecked. It's called the cybersecurity supply chain, and, as it sounds, it applies the principles of supply chain management--product assembly and acquisition, data sharing among partners, governance, and more--to the security of IT systems and software. "Organizations need to realize that their borders are porous," says Jim Lewis, director and senior fellow of the Center for Strategic and International Studies' technology and public policy program. "We're no longer living behind a moat. It's not just how secure you are, but how secure the people you connect with are as well." What comprises a cyber supply chain? Researchers at the University of Maryland's Robert H. Smith School of Business and the IT services firm SAIC, in a white paper published in June, define it as "the mass of IT systems--hardware, software, public, and classified networks--that together enable the uninterrupted operations" of government agencies, public companies, and their major suppliers. "The cyber supply chain includes the entire set of key actors and their organizational and process-level interactions that plan, build, manage, maintain, and defend this infrastructure." Foreign nations already are carrying out supply chain attacks on IT systems belonging to the U.S. government, according to a presentation by Mitch Komaroff, director of the Department of Defense CIO's globalization task force. A simple example is hardware being delivered with malware installed. In the private sector, financial firms have become regular targets. These two sectors are also the most aggressive in looking at ways to fight the problem. [...] ________________________________________ Did a friend send you this? From now on, be the first to find out! Subscribe to InfoSec News http://www.infosecnews.orgReceived on Sun Nov 08 2009 - 22:43:27 PST
This archive was generated by hypermail 2.2.0 : Sun Nov 08 2009 - 22:58:22 PST