This afternoon, guest lecturer Daniele Catteddu will present on "Approaches to assess supply chain security assurance (products, services and processes)" in the "Advanced Cybersecurity and Global Cybersecurity Strategy" course within the Advanced Master in Privacy, Cybersecurity, Data Management and Leadership LLM at the European Centre on Privacy and Cybersecurity (ECPC)!
In this second week of the course, the students will be presented with approaches to assess supply chain security assurance (products, services and processes). As you may already be aware, supply chain attacks are currently on the rise, and rapid geopolitical changes are affecting both the resilience and the length of supply chains. Supervisory Authorities, competent agencies, governments, and businesses are paying more attention to supply chain security assurance, integrity, and traceability, as well as resilience. In fact, users and service providers alike need to be able to determine the level of security assurance of the products, services and processes they procure, make available or use.
Security assurance should be treated as an ongoing process rather than a one-off task. Indeed, the security posture of providers and services needs to be assessed throughout the lifecycle of the service/product/solution. Organisations need to evaluate whether the security and the level of assurance offered are in line with their risk appetite, both at the point of service acquisition and during its provisioning over time. In addition, organisations need to understand that the level of assurance offered by a provider might vary, sometimes abruptly, as a consequence of a change in context. Furthermore, the evaluation of the level of assurance and of the potential risk must be repeated at an interval appropriate to the nature of the technology used and to how critical that technology is for the organisation.
This week, students will take a deep dive into supply chain security assurance methodologies, frameworks and attestations/certifications. The session will also give a short introduction to supply chain tracking and to corrective actions in case of vulnerabilities or non-compliances, and will show how this process can be built into the vulnerability response and lifecycle management processes of global organisations.