Generally speaking, scrutiny of supply chain security for critical infrastructure is on the rise. Governments around the globe are paying increasing attention to this issue, a fact reflected in recently adopted and currently developing policies. That being said, the same principled, risk-based approach that applies to supply chains generally also applies to managing risk in the supply chains of critical infrastructure. The most effective requirements in this space result from governing bodies drawing on expertise through an open, collaborative, and iterative process that engages a range of stakeholders. One example of this approach in action is the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” Version 1.1 of this Framework, which is currently out for public comment, contains updates focused largely on supply chain security.

We recently heard from Microsoft leaders on the methods and policies for securing the information and communication technology (ICT) supply chain in our webinar “Supply chain security: A framework for managing risk”. In this blog, we will cover some of the fantastic questions our customers asked and how we responded.

How frequently does Microsoft conduct ‘red team’ pen testing of its products before vs. after fielding?
Several pen test events are carried out against our products and services annually, some of which are tied to competitions and educational events. Some of these are open to the hacking community, but many are closed events to protect the integrity and availability of the products and services under test.

Supply chain logistics today has to have close to real-time access to personal information to deliver products & services to meet customer demands. What changes do you see coming to protect that information?
Cloud-based information protection and the broad application of access controls in a consistent and automated way is the best and most realistic way forward. The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, will require significant changes by organizations all over the world – including Microsoft and our customers. The GDPR represents a paradigm shift in global privacy requirements governing how you respect and protect personal data – no matter where it is sent, processed, or stored. Fundamentally, the GDPR is about protecting and enabling individuals’ rights to privacy, and its goals align with Microsoft’s enduring commitment to a cloud you can trust.

With fraud and piracy increasing in sophistication & capability how will the industry stay ahead of the curve?
Microsoft has a Digital Crimes Unit, an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. In the future, efforts like this will benefit from the automated identification that machine learning can provide, allowing this work to be done at even greater scale.

If the customer requested it, do you have the ability to do external auditing on their behalf? Have you ever had that in a contract internally or with vendors (do you audit vendor security)?
We do not provide audit services for our customers’ own use. We do perform onsite assessments of our critical suppliers.

Can the panel elaborate on the due diligence Microsoft does on their “fourth party” suppliers, or subcontractors of contractors?
For our suppliers, we ensure that the contracts are clear on our expectations and security requirements, not only for them but for the suppliers they use as well. Accountability rests with the supplier Microsoft contracts with, and if that supplier chooses to use a subcontractor, this does not change.

How do I convince my organization to implement supply chain security?
Whether you are working for an organization that provides products or services to governments, enterprises, or consumers, the trust of the purchaser in your output is going to be critical to sales. A principled approach to supply chain risk management can help you establish and/or enhance that trust by demonstrating your commitment to the quality of what you are selling.

Any statistics on actual breaches relating to points of breach?
There are several good reports, including Verizon’s annual Data Breach Investigations Report. That report, for the most part, identifies people as the weakest link, with phishing and weak passwords as the first point of breach.

What are the primary components of Microsoft’s vetting process to ensure a reliable vendor? Is there a way that vendors can obtain these requirements beforehand? If so, does that increase or decrease Microsoft’s likelihood of incurring risk?
Vendor onboarding is subject to a mutually agreed set of directives for vetting and qualification. These are tailored to Microsoft’s needs and requirements, so they may vary for other organizations. It is good practice to discuss these requirements with the vendor prior to onboarding.

If you would like to hear more about the methods and policies for securing the ICT supply chain, watch our webinar “Supply Chain Security: A Framework for Managing Risk” on-demand.

Learn more about Microsoft’s strategic approach to security at Microsoft Secure.