With supply chain infrastructures running the length of the planet, how is it possible for a company to know what is happening at any given time and at any given point within its chain? A supply chain is only as strong as its weakest link, and in this fragile economic state, global operations rely on their supply chain management to bring together all the disparate elements into a smooth churning synergy. But how does a company’s supply chain cope with all the challenges that these variables produce?

Global companies face challenges on all fronts regarding the pressures of supply chain on an international scale. With head offices say in New York, and a production arm in China or Pakistan, the most obvious challenge faced by a global company is one of distance. But what specific challenges does this kind of distance throw up?

Like a fog, distance can cloud vision, and block out or at the least delay information – and to a supply chain, information is money. A global company, with its head offices in the West, is going to be unaware, at least for a time, of the state of its supply chain in the event of localised flooding or civil unrest. The supply chain may not even be aware that the issue even exists until severe damage has been caused. Even if the factory was untouched by such a disaster, what about the infrastructure – roads, airports and harbours? Large scale emergencies create questions and uncertainty for those on the ground, never mind those in large corner offices in Manhattan.

The problem is not just limited to natural disasters or weather systems. Civil and political unrest can cause chaos to even a healthy supply chain. Then there are epidemics and pandemics, such as the H1N1 flu, which have the potential to grind a whole economy to a sudden and shuddering halt. These situations can cause utter chaos to those present, but the real danger to a global companies supply chain is more subtle than this chaos… it is ignorance.

Ignorance to a crisis is the arch enemy to a supply chain. It may be a cliché but it is true – knowledge is power, or in this case, money – and even the most solid supply chain can crumble through nothing more than a little ignorance. Even if contingency plans were made, the delay in being aware enough of the crisis to implement the contingency can cause severe flow problems.

To an extent, these challenges can all be overcome or circumvented by good planning and a world class supply chain management system but only if they are aware of the crisis. It is this knowledge gap – between the event happening, and feedback working its way all the way across the planet to head office, that can make or break a company’s financial position. It is not the event itself, cataclysmic as it may be, but it is ignorance to the event that is the killer for supply chain. How can you overcome a challenge that you are blind to?

The secondary challenge faced by a global operations supply chain management is one of local knowledge and experience. Civil and political unrest, for example, can seem to strike as suddenly and as unexpectedly as forked lightening to the outsider. Yet to those who live on the inside of that country, the sense of radical change or shift in power can almost be sensed. There is something about being on the inside that gives one the ability to more accurately predict, and therefore to prepare for this kind of change.

It is this preparation that is key to the success of any supply chain. Sensing and predicting the event or crisis, allows for contingency plans to be drawn up and/or implemented. These are essential for the reduction of downtime, and for shipping dates to be met. Contingency plans, if acted upon swiftly enough, can really protect the integrity of the supply chain. The key to this swift acting, once again, is information. Factories in neighbouring countries can be actively tooling up as the sense of political unrest grows in another, with one factory primed to take over as soon as trouble rears its ugly head.

Of course, not everything can be predicted, and some events, such as the recent volcanic ash cloud over Europe, can catch everyone by surprise. But the majority of incidents, problems and challenges faced by the supply chain of any global company can be pre-empted, predicted and planned for. But a contingency plan is only as strong and useful as the information that brings about its implementation. It is this information that will determine the success of a supply chain management system when disaster strikes, as it surely will, given enough time.

Related articles

• Supply Chain Innovators: The Future of E-Commerce (supplychainventures.typepad.com)
• Even Accenture Pays Attention to Supply Chain Risk Management: A Five-Pillar Framework (spendmatters.com)
• Small Business Supply Chain Articles (bjconquest.com)

The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

Data lifecycle management (DLM) is a policy and procedure based approach to manage information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle

The 5 Steps

1. Creation – How does data creation get managed?
2. Usage – What limitations are on data usage?
3. Storage – What controls are in place for storage?
4. Transportation – How is data transmitted between company, customers and business partners?
5. Destruction – What is the validation and verification process over data destruction?

The Data Management Problem

• Weak processes in place to track creation usage, transportation, storage and destruction
• Weak ability to monitor and manage a customer record throughout the lifecycle
• Inconsistent processes across each phase of data movement
• Lack of enforcement capabilities

What should be the goal of data lifecycle management?

• Provide practical steps to manage each step of the customer record management process
• Provide cost effective solution for risk mitigation
• Provide framework for data management
• Reduce risk of data loss

Challenges to Customer Data Records Management

• Rarely does a company have a centralized process to track controls over data, over management processes around data, over logging and monitoring, and removal
• Organizations rely on technology to secure data not processes that drive technology purchases
• The 5 steps of data management are not followed by all functional groups in a company
• No clear ownership and classification of customer data elements

Did you know…

• 1 in 400 emails contains confidential information
• 1 in 50 network files contains confidential data
• 4 out of 5 companies have lost confidential data when a laptop was lost
• 1 in 2 USB drives contains confidential information
• Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
• Over 35 states have enacted security breach notification laws
• Can openers were invented 48 years after cans

Related articles by Zemanta

• Infosec 2010: A quarter of all firms have seen data integrity attacks (computing.co.uk)

Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday.

Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.”  The biggest companies are culprits.

So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!”  Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

1. Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
2. Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
3. Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

 *Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

 *FREE Website Security Test 

Related articles by Zemanta

• Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
• Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
• Microsoft investigates new Internet Explorer flaw (news.cnet.com)
• Google readies Flash for Android devices (infoworld.com)
• IBM: Vulnerabilities fell in ’09, but other risks abound (computerworld.com)
• Update: Adobe issues emergency PDF patches (computerworld.com)
• Serious web vuln found in 8 million Flash files (theregister.co.uk)
• Hold vendors liable for buggy software, group says (computerworld.com)

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

1. No framework for managing vendor risk
2. Inconsistent processes for tracking vendors
3. Lack of enforcement capabilities

The Opportunity:

1. Provide practical steps to manage vendor access/management
2. Provide cost effective solution for risk mitigation
3. Provide numerical risk analysis of vendor/partner security issues
4. Risk reduction or risk acceptance
5. Documented exposure
6. Iterative process for risk management
7. Happy CIO

So a Supplier Security assessment follow 4 main steps:

1. Analyze current vendor database, catageorize each
2. determine risk of each supplier, determine threats posed by each supplier
3. Perform assessment tests of each supplier, their processes of interaction, and data access
4. develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test