Question:
1. How do you think supply chain mapping can help a company? Who should be responsible for this in an organization?
2. Of the six


Six contract terms that will bolster supply chain security
Posted by Will Green, 17 February 202, in Procurement, Risk

New guidance urges organisations to comprehensively map supply chains for cyber risk, despite this potentially representing a "massive undertaking".

A report, produced by the National Cyber Security Centre (NCSC), said mapping would result in better decision-making because it provides insights into cyber security considerations that "could be more easily enforced via contracts".

Other benefits of mapping include:
- Ability to respond to supply chain-related cyber incidents;
- Establishing repeatable methods that create confidence in suppliers' security practices and build long-term partnerships;
- Easier compliance with legal, regulatory and contractual responsibilities.

"Gathering information about your suppliers in a consistent manner and storing it in a centralised repository that's access controlled will ensure it's easier to analyse and maintain," said the report.

Such information should include:
a) Full inventory of suppliers and their subcontractors.
b) What product or service is being provided and by whom.
c) Information flows between your organisation and a supplier.
d) Assurance contacts within the supplier.
e) Assessment details and when the next is due.
f) Proof of certifications such as ISO and product certifications.

"Acquiring this information, especially for large organisations with complex supply chains, can be a massive undertaking," said the report.

The NCSC warned this information would be "an attractive target to attackers", so it should be held in a "secure repository with strong security architecture underpinning its design".

"A vulnerability that exists anywhere within the supply chain, whether in your direct suppliers, or the suppliers that they sub-contract out to, could impact your organisation," said the report.

"For large organisations decisions around the practicality and usefulness of understanding beyond the primary tier should be evaluated, and only the information on direct contractors should initially be captured."

The report recommended the following terms for inclusion in contracts:
1. Incident management response and notification time frames.
2. Ability to audit suppliers and subcontractors.
3. Data management (only necessary data may be transferred out of the organisational network).
4. Data integrity (is data protected via authentication and encryption and will it be segregated if held on a supplier platform?).
5. Management controls for suppliers' access to physical sites, information systems and intellectual property.
6. Any requirements that your direct suppliers should be demanding from their supply chain.
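As an added illustration (not from the article or the NCSC report), the following Python models the centralised supplier repository with the fields listed above (items a to f), walks the supply chain tier by tier with an option to stop at direct contractors, flags overdue or missing assessments, and answers which direct suppliers are exposed when an incident hits a sub-tier supplier. The supplier names, services, dates and certifications are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Supplier:
    """One row of the central supplier repository (fields follow items a-f)."""
    name: str
    service: str                                         # b) what is provided
    subcontractors: list = field(default_factory=list)   # a) names of sub-tier suppliers
    assurance_contact: str = ""                          # d) who to contact for assurance
    next_assessment: Optional[date] = None               # e) when the next assessment is due
    certifications: set = field(default_factory=set)     # f) evidence held on file

# Constructed sample data: every name, date and certification here is invented.
REPO = {s.name: s for s in [
    Supplier("PayCo", "payment processing", ["LogStream"], "sec@payco.example",
             date(2024, 1, 15), {"ISO 27001"}),
    Supplier("CloudHost", "hosting", ["NetFab", "LogStream"], "trust@cloudhost.example",
             date(2025, 6, 1), {"ISO 27001", "SOC 2"}),
    Supplier("LogStream", "log analytics", [], "", None, set()),
    Supplier("NetFab", "data centre networking", [], "", date(2025, 3, 1), {"ISO 27001"}),
]}
DIRECT = ["PayCo", "CloudHost"]   # c) the only suppliers we exchange data with directly
REVIEW_DATE = date(2024, 9, 1)    # the day the repository is being reviewed (constructed)

def map_tiers(repo, direct, max_tier=None):
    """Breadth-first walk from the direct suppliers; returns {name: tier}. Tier 1 is a
    direct supplier. max_tier=1 gives the report's 'direct contractors only' starting point."""
    tier, queue = {}, deque((n, 1) for n in direct)
    while queue:
        name, t = queue.popleft()
        if name in tier or (max_tier is not None and t > max_tier):
            continue                       # already mapped (also guards against cycles)
        tier[name] = t
        queue.extend((sub, t + 1) for sub in repo[name].subcontractors)
    return tier

def overdue_assessments(repo, today):
    """Suppliers whose next assessment date has passed or was never recorded."""
    return sorted(n for n, s in repo.items()
                  if s.next_assessment is None or s.next_assessment < today)

def direct_suppliers_exposed_to(repo, direct, compromised):
    """Tier-1 relationships affected when `compromised` has an incident anywhere
    beneath them: the question the report's mapping is meant to answer."""
    return [d for d in direct if compromised in map_tiers(repo, [d])]

if __name__ == "__main__":
    print(map_tiers(REPO, DIRECT))
    print(overdue_assessments(REPO, REVIEW_DATE))
    print(direct_suppliers_exposed_to(REPO, DIRECT, "LogStream"))
```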
