Research Report: Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure
ESG Research Report

Nov 28, 2010
The primary objective of this ESG research study was to survey Critical Infrastructure and Key Resources (CIKR) organizations in order to qualify and quantify the current status of their existing security profiles as well as their awareness of and programs dealing with cyber supply chain security.
To assess cyber supply chain assurance, ESG asked 285 security professionals to respond to questions in areas such as:
1. Risk management
  • Has the organization experienced any security breaches? If so, what was the impact?
  • How would respondents rate the security threat landscape now as compared to two years ago? Do respondents expect the threat landscape to get worse over the next two years?
  • How well prepared is the organization for the current threat landscape?
  • Is executive management supporting and investing in cyber security?
2. Procurement
  • How important are IT vendors’ security processes in customers’ procurement decisions?
  • Do CIKR organizations audit the development processes of vendors before purchasing IT products? If so, is there a common model for these audits? Are these standard activities and processes across the enterprise?
  • Do IT vendors assume any liabilities for faulty or compromised products?
  • Do CIKR organizations hold system integrators accountable for the overall security of the systems they design, deploy, operate, and manage? If so, how?
  • To the best of their knowledge, have CIKR organizations purchased any counterfeit IT hardware/software over the past 12 months?
3. Software development
  • Do CIKR organizations include security considerations in their standard software development processes?
  • Have organizations experienced any security breaches related to vulnerabilities in internally developed software?
  • Do CIKR organizations require their internal developers to be trained in secure software development?
  • When organizations outsource their software development, are secure development processes a requirement for external outsourcers and contractors?
4. External IT security
  • To what extent do CIKR organizations currently open their IT systems to external parties such as customers, suppliers, and business partners?
  • If so, how are these relationships secured? Are there formal processes and safeguards in place?
5. The role of the U.S. Federal Government
  • Do CIKR organizations believe that the Federal Government should do more or less in terms of cyber security defenses and strategies?
  • What specific actions should the Federal Government take?

Page Count: 62