Taming the Chaos of Supply Chain Security Risks with MITRE's System of Trust™
03:15 ~ 04:05
The trust and trustworthiness of supply chains are at the center of many of today’s global security challenges. This presentation explores MITRE’s System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers responsible for supply chain security. The framework defines, aligns, and addresses the specific concerns and risks that stand in the way of organizations trusting suppliers, supplies, and service offerings. More importantly, it offers a comprehensive, consistent, and repeatable methodology for evaluating suppliers, supplies, and service offerings alike, one based on decades of supply chain security experience, deep insight into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices.
By creating and curating a community-enabled, structured corpus of the concerns that matter when trusting organizations, products, components, and service offerings, one that any organization involved in a supply chain can adopt, teach, and use, the System of Trust offers a framework for focusing concise and rapid attention on the risks most relevant and actionable to the parties exchanging goods and services. This is comparable to how MITRE’s ATT&CK framework enables shared discourse and synergies in the cyber risk domain. Additionally, the framework includes a mechanism for winnowing down and tailoring the overall System of Trust to a set of concerns and investigative questions that reflect the resources of your organization, the significance of the system or service to its operations, and the consequences that could result from failing to fully vet a concern. Finally, the System of Trust provides scoring mechanisms that can be adapted to your organization’s priorities, operational sensitivities, and experience with its type of business and partners.