You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. Your bank is considering outsourcing the customer relationship management (CRM) system to an offshore software development vendor. Which of the following action should your bank take first?
A. Conduct the threat scenario analysis
B. Describe threat sources that are relevant to the organization
C. Develop and select threat events for analysis
D. Determine applicable controls
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Describe threat sources that are relevant to the organization.
This question is designed based on NIST SP 800-161 (Supply Chain Risk Management Practices for Federal Information Systems and Organizations), which applies the multitiered risk management approach of [NIST SP 800-39], by providing ICT SCRM guidance at organization, mission, and system tiers.
Supply Chain Threat Scenarios and Analysis Framework
This is the appendix D in NIST SP 800-161. It introduces the procedure to develop and analyze threat scenarios and identify applicable controls as follows:
- Step 1: Create a Plan for Developing and Analyzing Scenarios
- Step 2: Characterize the Environment
“Describe threat sources that are relevant to the organization” is part of this step.
- Step 3: Develop and Select Threat Event(s) for Analysis
- Step 4: Conduct the Threat Scenario Analysis
- Step 5: Determine Applicable Controls
- Step 6: Evaluate / Feedback