
What's New

Supply Chain Resilience and Transparency

Due to the rising impact of information security incidents on global supply chains, many governments and regulatory bodies have increased the requirements placed on product vendors that sell into critical infrastructure sectors. Most recently, President Joe Biden issued an executive order on improving US cybersecurity and supply chain resilience.

Downstream suppliers remain a highly sought-after target for threat actors today. They can provide easy access to large enterprise organizations and government agencies, and taking down a critical supplier can cause massive disruption. If we want to ensure the global digital economy is protected, these suppliers must take steps to improve their information security posture.

Vendors should demonstrate the transparency of their information security practices through internationally recognized product validations and business practice certifications. These give customers objective evidence of how the vendor's products are built and how its business is run.

In the same way we look for "EnergyStar" ratings on appliances, we need to create a "CyberStar" program that provides objective, independent, apolitical third-party validation of technologies and business practices to demonstrate suitability for critical infrastructure supply chains. This could translate into an international compliance passport allowing vendors to contribute to the critical infrastructure supply chains of all nations.

A program such as this would also support product labelling, so that all consumers of these products could be protected. It could strengthen the resilience of global supply chains while fostering the growth and stability of these vendors. This can be achieved by requiring, requesting, or supporting adoption of a transparency initiative that demonstrates the following:


Product Validations

Products would need to have their code validated against best practices in information security hardening, appropriate to the type of product and the sector it supports. Validations would cover the current software and firmware versions of the offering and would need to be maintained across future revisions and updates.


Business Certification

Cybersecurity certification is the best way to ensure best practices in cyber resilience are followed by downstream suppliers and contractors. Certification can ensure these agencies and external providers have the basic protections in place to prevent cyber incidents, and a plan for how to respond in the event of an incident.

Certification supports the audit of the supplier's infrastructure by an accredited third-party auditor, ensuring that controls are implemented correctly so that information security is maximized.

Cybersecurity certification could also be the best way for insurers to de-risk cyber insurance policies. With certification, organizations can clearly demonstrate that third-party audits are conducted routinely, which in turn should classify them as lower risk and support their cyber insurance eligibility.


Privacy Compliance

Privacy reviews of the vendors' business practices must be factored into supplier transparency. We must ensure the vendors have privacy programs supporting secure collection, storage, transmission, and proper deletion of their customers' personal information.

A third-party review of the privacy programs currently employed within these vendor organizations will help ensure vendors are meeting the highest bar in protecting the confidentiality of personal information.


Perimeter Testing

Vendor organizations should also confirm that their implemented controls and privacy programs are secure by routinely testing the perimeter for weaknesses with penetration testing and vulnerability scanning.

Any critical or high-risk vulnerabilities detected should be addressed immediately, and medium and low risks should be corrected when possible.


Openly Sharing Transparency

If each jurisdiction creates its own framework and regulations for supply chain security and compliance, this can create barriers to trade. Forcing vendors to comply with multiple frameworks depending on where a product is sold can cause extreme cost and overhead increases for these vendors, which in turn will translate into higher prices for products and services.

The recommended path forward would see vendors share their validations, business process compliance and/or certification, and perimeter scan regime openly and freely. If these products demonstrate clear compliance with internationally recognized frameworks, that should act as a passport for the sale of the products internationally.


Author: Brendan Dunphy

Director, Trust and Compliance | Directeur, Confiance et de Conformité

CyberNB and FutureShield Collaborate to Support Critical Infrastructure Owners and Operators in Canada

CyberNB Inc. is pleased to announce a partnership with FutureShield Inc., a technology solution and consulting practice for physical & IT security, emergency management, and continuity that specializes in critical infrastructure protection. 

FutureShield is a Toronto-based company that has provided security and emergency management clients with technology expertise and software integration operational support for more than 30 years. President and Founder Cynthia Weeden will drive awareness of CyberNB's Critical Infrastructure Security Operations Centre (CI-SOC) among industrial security leadership across Canada, as well as with the provincial and federal governments.

In addition to the CI-SOC, Weeden will promote CyberNB's Critical Infrastructure Protection Network (CIPnet) membership program. CIPnet is Canada's most extensive network of cybersecurity stakeholders, leveraging the power of collective impact to multiply opportunities for members at home and abroad.

Finally, Weeden will ensure that critical infrastructure owners and operators and industrial security executives are aware of CyberNB's Trust & Compliance initiatives, specifically the value of obtaining cybersecurity certification and demonstrating security and resilience through CyberNB's Transparency Centre initiative with Lightship Security.


If you are a critical infrastructure owner or operator with questions about the CI-SOC, CIPnet, or cybersecurity certification, please contact Cynthia Weeden at [email protected].

CIO Strategy Council and CyberNB Partner to Bolster Canada’s Cyber Readiness and Digital Resiliency

Today, the CIO Strategy Council and CyberNB announced a new partnership to bolster Canada's cyber readiness and digital resiliency. This partnership aims to advance cybersecurity knowledge, expertise and collaboration among public, private and not-for-profit organizations across all sectors of the economy. By working together, the Council and CyberNB will drive the creation of intellectual capital to advance cybersecurity resiliency through the identification and delivery of collaborative research, standards projects, use cases, pilots, and proofs of concept.


CyberNB Launches Secure Online Portal to Offer Level One Cybersecurity Maturity Model Certification (CMMC) Readiness Support to Canadian Aerospace and Defence Contractors

Fredericton, NB: CyberNB Inc., Canada’s epicentre for cybersecurity, announced today that it has launched a secure online portal to process all of the required controls necessary to meet level one requirements for Cybersecurity Maturity Model Certification (CMMC) for Aerospace and Defence Contractors in Canada. 

As of September 2020, all U.S. Department of Defense (DoD) contractors and suppliers worldwide will need Cybersecurity Maturity Model Certification (CMMC) in order to be awarded new contracts. By 2025, every single DoD supplier will need to be CMMC compliant. Last year, the Canadian Commercial Corporation (CCC) signed $1B in contracts with the U.S., while Innovation, Science and Economic Development Canada (ISED) estimates that the DoD spent $2.5B with Canadian suppliers.
