Proof Of Concept For An ICT SCRM Enterprise Assessment
Proof Of ConceptFor An ICT SCRMEnterprise Assessment PackageSupply Chain Management CenterRH Smith School Of BusinessUniversity Of Maryland College ParkFinal ReportSubmitted To: Mr. Jon Boyens, NIST ITLTeam Members: Sandor Boyson, Thomas Corsi,Hart Rossman, Holly Mann, Jessica RichmondAdvisors: Taylor Wilkerson, Gary LynchDecember 1, 2012
I. Executive SummaryThe Supply Chain Management Center of The RH Smith School OfBusiness, University Of Maryland has completed a third phase of researchfor NIST ITL built upon its prior activities; and developed an Enterprise ICTSCRM Assessment Package as a proof of concept.This Package is delivered through an ICT SCRM Portal, featuring fourmajor functions:-An Initiatives Section, featuring upgradeable summaries of majorpublic and private sector ICT SCRM initiatives;
-A Library Section, featuring a spectrum of related policy studies,case studies, research reports, etc;-A Forum Section that enables collaboration groups to form aroundspecific ICT SCRM topic areas;-An Enterprise Assessment Section composed of:-A Strategic Readiness Tool that profiles an enterprise’s riskmanagement posture and organizational development status.-A NIST Principles/Practices Tool that drills down on the tenmajor principles embedded in NIST IR 7622 and asks a
portfolio of operational questions associated with eachprinciple.-A Cyber Chain Mapping Tool that provides a rapid methodto build a working global map of cyber supply chain assets,transactions and vulnerabilities.
-A Results Area that enables enterprises to view their ICTSCRM baseline status against three benchmarks: a group ofpeer enterprises; the Community Framework Model; and anICT SCRM Capability/Maturity Level.In the August-November, 2012 time period, our team accomplished all theabove deliverables and presented a Portal prototype incorporating all thedeliverables at the October 15-16 NIST ITL Workshop on Supply ChainRisk Management.II. Project HighlightsUnlike previous ICT SCRM research activities undertaken by the RH SmithSchool Of Business for NIST, this project was engaged in the design andprototyping of a Portal that could combine a sophisticated technicalarchitecture and advanced functionality to meet a real need for thegovernment and private sectors.Our team’s technical activities were focused on selecting portal software thatwas open source and compatible with similar government initiatives. OurSmith School CIO, Ms. Holly Mann, led the effort to produce a technicalarchitecture that was robust, secure and highly cost effective. Drupal was
selected as the software foundation for the project. Please see Appendix 1:NIST SCRM Portal Technical Architecture for details.In addition, we launched a significant functionality study to understandcurrent offerings in the marketplace; and to refine the User Interface andnavigational elements of the Portal. We did a detailed comparison ofexisting cyber web sites and presented a wire frame of recommended Portalfunctional areas. This effort was led by Ms. Jessica Richmond and herbackground report on portal design was instrumental in our projectdevelopment efforts. Please see Appendix 2: NIST SCRM Portal Designfor details.To complete the design process, we conducted detailed research intoenterprise assessment methodologies both within and outside the ICT SCRMdiscipline; and sought to understand best practices in evaluating thecapability/maturity levels of enterprise supply chains and cyber systems.Among the sources consulted (by area of assessment) were:Strategic Readiness: Field visits and extended discussions were held withthe Risk Group of the Security Exchange Commission; with the ExecutiveDirector of the Independent Distributors Of Electronics Association (IDEA);with the Center For Advanced Life Cycle Engineering (CALCE) UniversityOf Maryland; and with the Principal of the Marsh Supply Chain RiskManagement Practice among others.NIST Principles/Practices: This assessment area was prepared utilizing theNIST IR 7622 as well as previous Smith research for NIST. In addition, weevaluated a variety of capability/maturity models, from the Supply ChainCouncil’s SCOR Model to the Supply Chain Risk Leadership Council’semerging maturity criteria.Cyber Chain Map: This assessment area was the most exploratory. Itattempted to link a variety of tools such as network planning tools, Googlemaps and CVSS Scoring into an easy to use mapping exercise that couldshow both cyber as well as traditional supply chain hubs, nodes, transactionsand vulnerabilities.Field Testing The Assessment Tools: A support for our assessmentdevelopment activities was the TM Forum, a twenty five year old 800member global organization of telecommunications industry providers. Thisorganization selectively recruited a small member pool to validate our
survey instruments and provide feedback.All efforts were made to protectthe confidentiality of participant information. The survey website used SSL(secure socket layer )and HTTPS technology; and all comparative resultswere anonymized.The survey was opened for a two week period starting 8am on Monday,September 17 and running through 8am on Tuesday, October 2. TM Forumparticipants started by going to: https://cyberchain.rhsmith.umd.edu. Whenthe participants first landed on the main page, they saw a Register link.Since this was a closed focus group, they had to register for the site andsubmit a request for approval. Once approved, the system generated anemail that enabled them to log onto the site and set a password. Once theassessments were completed, the Results enabled each participant enterpriseto review the organization’s cyber supply chain capability/maturity level;Community Framework score; and individual/as well as benchmarkedresults.Three large Commercial Service Providers from North America, Australia,Europe took the survey and provided feedback. There were significantdifferences among respondents in many areas of ICT SCRM, asdemonstrated in the table below regarding who contributes to riskmanagement policy in each organization.Readiness SurveyWho contributes significantly to cyber risk management policydevelopment?ParticipantBoD / RiskAudit CmtChiefExecChiefFinancialChiefRiskSource /ProcureVP SupplyChainCSP #1?CSP #2CIOCSP #3CIO StrongCopyright2011 TeleManagementAll Rights Reserved. 3 2012 Tel eManagementForum Forum,3v2011.1v2011.1CIO Moderate/Some Weak/Not Availablewww.tmforum.org
Overall, the respondents were pleased with the experience. As one noted“we have completed the Survey and found it very useful with lots of food forthought”. Ms. Christy Coffey, TM Forum Program Coordinator, came to ourOctober 16 NIST Workshop Portal Demonstrator, and presented thisfeedback to the workshop audience.III. Conclusions/RecommendationsA. The Portal Concept Has Demonstrated Initial ViabilityThis project has demonstrated the initial viability of an open source-basedICT SCRM Portal that could provide involved federal agencies andenterprises with a best practices clearing house/website. The ICT SCRMAssessments could provide these key actors with state of the art, researchbased tools to evaluate their own ICT SCRM status and improve their ownPrograms.By providing a user-interface/ web-based front end and search tools, thisdynamic proof-of-concept database could eventually scale to help public andprivate organizations:-Search for and discover emerging ICT SCRM Practices in hardware;software; network management; and system integration-Gain access to a Benchmarking Mechanism for evaluatingeffectiveness of /confidence levels in response measures that targetspecific threat categories across the ICT supply chain.-Stay current with the latest Audit/Compliance/accreditation activities,including methods/issues in assessment and disclosure of risks.-Support organizational decision making around participating in aspecific external industry practice group.-Participate in building future-forward Information-sharing modelsthat instill transparency and confidence in ICT SCRM data exchangesamong members of an industry or a supply chain:
These models could develop as brokerage-style concepts wherebyanonymity of benchmarking data is maintained through devices such ascommunity ratings of criticality of common components across ICTcompanies and ratings of effectiveness of practices matched to those levelsof criticality; or as subscription-style concepts whereby enterprises willsubscribe to alerts from a community cyber threat event/practice board.B. The Need To Scale Up Portal ServicesAny next steps should build on the existing portal platform and functionalityto achieve rapid scale up and diffusion. NIST should consider scaling theportal to serve as a core component of its community-building activities inICT SCRM; to serve as the information hub of the universe of initiatives andresearch resources; and to support the launch and diffusion of its key policydocuments such as the NIST IR 7622 and Special Publication.Under its own auspices or through an agreement with the Smith School,NIST has an opportunity to provide a key mechanism in advancing the ICTSCRM discipline.A next phase of portal development might include the following activities:-Create a Portal Advisory Group to help guide the scale up of theportal and outreach to users.-Engage key community initiatives in updating the content of theirofferings/activities in the Initiatives Section of the portal.-Expand the Library content area of the portal.-Deploy a network of online forums in support of NIST’s ICT SCRMpolicy work.-Massively expand the number of participant enterprises whocomplete the Enterprise Assessments; and develop a rich, segmentedbenchmarking repository and refined capability/maturity model.A Virtual ICT Supply Chain Risk ManagementTechnical Assistance Center
More specifically, we would like to advance an umbrella concept thatwe believe captures all the key elements of a next phase in building outthe NIST/University Of Maryland ICT Supply Chain Risk ManagementPortal. The concept is that of an “open source” ICT Supply Chain RiskManagement Technical Assistance Center that can leverage ourtechnology infrastructure and online content for community creationpurposes.We envision an intensive year-long project to iterate/complete theportal-based Center; to operate the portal/grow the community &demonstrate utility to a much broader audience; and to measure value.This Center would serve as the virtual hub of the ICT supply chainrisk management community and provide the following services:-Unrestricted open access to parts of the portal, such as the Libraryfunction, that could benefit the whole community, as jointly defined withNIST.-Screening/On Line Registration of participants for those parts of theportal, such as the Supply Chain Threat Crowdsourcing Function, thatrequire the validation of credentials as subject matter experts, companyrepresentatives or industry practitioners through the use of layeredmechanisms such as a central authentication service (CAS) and resumesubmissions/reviews.-Enterprise Assessments that would enable organizations tobenchmark practices in ICT SCRM against peer groups and to determinecapability/maturity levels. Combined with the Map Function discussedbelow, a Cumulative Risk Score could be assigned to an organization.-ICT Supply Chain Mapping and Vulnerability Analyses that wouldallow an organization to rapidly construct a topographical map of keyphysical and IT network hubs, nodes and process flows; upload data andautomatically generate CVSS ratings by geographic coordinates.-Crowd Sourced ICT Supply Chain Threat Assessment that wouldidentify emerging threats, attack vectors, effectiveness of possibleresponse options and contagion surveillance in real time.
-Moderated collaboration forums that would engage experts andpractitioners on topics of special interest to the ICT SCRM community.-A dynamic, continuously updating Library that would synthesize newbest practices content from internal portal sources (forums, enterpriseassessments, threat analyses); and external scans of professional andacademic sources.The Virtual Technical Assistance Center would produce, archive andwide cast regular material work products (monthly supply chain threatbulletins and summaries of top forum topics; quarterly report series; andsynthesis of enterprise assessment/mapping data findings).We encourage NIST to leverage the platform and toolset that has been builtin this project and use them to expand its institutional connectivity andinfluence over the emerging discipline of ICT SCRM.
APPENDIX 1: PORTAL ARCHITECTURETechnical Architecture Overview for CyberChainThe CyberChainwebsitewill helporganizationspreparefor global cyber supplychainchallengesthrough utilizingthe online tools,resources andassessments available in this site. This documentincludes a summary of technical approach andcomponents used to develop this site.Framework ApproachThe decision tobuildthesiteusing benefits:n No licensing fees or contractual obligations.n No proprietary “black box.” This means that everythingin the Drupal framework is transparent to aprogrammer with the knowledge tolookat the sourcecode.n Drupal has been an active open source application forover 10 years. It is a mature application that has beenadopted and used bythousands of developers. Thesedevelopers contribute custom built modules that can beleveraged the Drupalcommunity, at no cost.n Compatibility withexternal applications anddatabasesare essential. PHP and MySQLwill be utilized foradditional program code and common datastore.n Persistent designtechniques are appliedusing thisplatform. This means the site willautomatically adaptfor usage with mobile devices. The user experience willbe exactly the same without the need to maintainaseparate mobile site.n Passwordsecurity inthe Drupal frameworkis incompliance with government agencies. A dedicatedDrupal security team reviewsall submitted modulesforsecurity compliance and doesnot publish those withunresolved security issues. We will utilize SSLcertificates, aswell as, an administrative approvalprocess to gainaccess to this site. The data containedinBasic Server Configuration¡ Virtual Machine¡ HTTPS/SSLconnections¡ Operating System:CentOS6.x¡ Web Server: Apache2.x¡ Database Server:MySQL 4.x¡ PHP5.x¡ Drupal 7Drupal Modules
this site will notbe visible to anyone otherthan theauthorized person utilizingthe tools or administeringthe site.n The site will be hosted at the University of Maryland,Robert H. Smith School of Business, unless otherwisespecified in agreement betweenRHS and NIST.Site ContentTA 1 – ASSESSMENTSThi tab containsfou sub tabs1 RespondentProfile,2 StrategicReadines Survey 3 NISTPrinciples/Practices,an 4 Results.1.2.Registration/Profile – the site requires registrationfor a login account to obtain accessto the toolsandresources. All registration requestswill be reviewedand approved bya system administrator. A respondentprofile is created for each authorized account. Theinformation contained in this profile provides thefoundation forindividual and peer benchmarkedresults.Strategic Readiness Survey– will be completed by theauthorized user and serves as the basis toaccess thestructural readinessof theirorganization to meet thechallengesof cyber supply chain risk management.3.NIST Principles/Practices – are designed todistillbest practices developed by NISTinto a series ofspecificquestionsabout their operatingpractices.4.Results - ‐ once the authorizeduser has completed ALLof the assessment parts, this tab will be displayed.Thistab contains foursub tabs a)Capability/Maturity Level,b) Community FrameworkScore, c) Individual Results,d) Peer BenchmarkResultsa) Capability/Maturity Level: This sectiondefinesthree levels of capability/ maturity in cyber- ‐supplychain risk management:¡ Emergent Phase: Limited planning andimplementation ofcritical cyber supplychain risk management factors, with stovepiped efforts.¡ Diligent Phase: Steady efforts to enactsupply chain controls, with emphasisonenterpriseintegration.ASSESSMENT FUNCTIONS¡ Users must complete theassessments in sequence.¡ New assessmentsand subtabs will become visibleonlyuponcompletionofeach.¡ Users have the ability tosave the submission AsDraft, allowing them toreturn laterto editandsubmit the finalassessment.¡ Users may view theirindividual submissionshowever they cannot edittheirsubmissions oncefinalresponses have beensubmitted.¡ Results for capabilitymaturity and communityframework are derivedthrough a setof complexformulas based on a pointsystem.
¡ Proficient Phase: Seasonedimplementationand achievement of process improvementsacross the extended supplychain,including enterprise partners.Your organizationis placed inone of these levels basedon an evaluation of your performance in eachtier.b) Community FrameworkScore: This sectionusesthe Community Framework Model forcybersupplychain risk management developed by theUniversity Of Maryland in cooperation with NISTand industrygroups. This Model consists of threetiers: Governance, Systems- ‐Integration andOperations. Each tier has a distinct set of attributesor activities andyour score on eachtier measuresthe extensiveness and completeness of yourorganizational coverage of these activities. There isa set of possible points allocated toeachtier and,based uponyour assessment responses you receivea portion of those allocated points. Higher scoresare indicative of more activities beingperformed ineach tier.c) Individual/Peer Benchmarked Results: Thissection providesa summary of youranswersoneach of thequestions and allows you to compareyour answers toyour peer benchmark group.TAB 2 – CYBER CHAINMAPThis tab contains a composite networkvulnerability mapping exercise. This tool will
allowusers to setupsupplychainriskscenarios.The composite systemwillgenerate and executethe components for each scenario, composes therisk data, definesthethreatsandoverall riskassessment.TAB 3 – INITIATIVESThis tab containsa viewablelink totheoriginaldetailed matrix of ICTSCMinitiatives.In addition,eachinitiativeis preparedasindividual content inorder toallow theusers toconduct a full textsearch to locate specific initiatives that meet theirsearchcriteria.The ICTSCM initiativescategorized by document author,and purpose.
TAB 4 – LIBRARYThis tab contains a document repository ofresearchpapers, casestudies, andreportson ICTSCM related materials. Users can create their ownfoldersanduploadrelatedICTSCM relateddocuments for the cyber chain community.TAB 5 – FORUMSThis tab consists of four major components: theforumitself, categories, topics and messages.Users can create new forumcategories, and replyto messages that will appear as a threadedconversation.Users will see the number of topicsand responses posted withineach category,andthe date/time/author of theposts.
Dec 01, 2012 · -A Library Section, featuring a spectrum of related policy studies, case studies, research reports, etc; -A Forum Section that enables collaboration groups to form around specific ICT SCRM topic areas; -An Enterprise Assessment Section composed of: -A Strategic Readiness Tool that profiles an enterprise’s risk managemen
since 1950 E. German, Suhl choke-bore barrel mark PROOF MARKS: GERMAN PROOF MARKS, cont. PROOF MARKS: ITALIAN PROOF MARKS, cont. ITALIAN PROOF MARKS PrOOF mark CirCa PrOOF hOuse tYPe OF PrOOF and gun since 1951 Brescia provisional proof for all guns since 1951 Gardone provisional proof for all guns
PROOF MARKS: BELGIAN PROOF MARKSPROOF MARKS: BELGIAN PROOF MARKS, cont. BELGIAN PROOF MARKS PrOOF mark CirCa PrOOF hOuse tYPe OF PrOOF and gun since 1852 Liege provisional black powder proof for breech loading guns and rifled barrels - Liege- double proof marking for unfurnished barrels - Liege- triple proof provisional marking for
Bruksanvisning för bilstereo . Bruksanvisning for bilstereo . Instrukcja obsługi samochodowego odtwarzacza stereo . Operating Instructions for Car Stereo . 610-104 . SV . Bruksanvisning i original
2154 PROOF MARKS: GERMAN PROOF MARKS, cont. PROOF MARK CIRCA PROOF HOUSE TYPE OF PROOF AND GUN since 1950 E. German, Suhl repair proof since 1950 E. German, Suhl 1st black powder proof for smooth bored barrels since 1950 E. German, Suhl inspection mark since 1950 E. German, Suhl choke-bore barrel mark PROOF MARKS: GERMAN PROOF MARKS, cont.
PROOF MARKS: GERMAN PROOF MARKSPROOF MARKS: GERMAN PROOF MARKS, cont. GERMAN PROOF MARKS Research continues for the inclusion of Pre-1950 German Proofmarks. PrOOF mark CirCa PrOOF hOuse tYPe OF PrOOF and gun since 1952 Ulm since 1968 Hannover since 1968 Kiel (W. German) since 1968 Munich since 1968 Cologne (W. German) since 1968 Berlin (W. German)
10 tips och tricks för att lyckas med ert sap-projekt 20 SAPSANYTT 2/2015 De flesta projektledare känner säkert till Cobb’s paradox. Martin Cobb verkade som CIO för sekretariatet för Treasury Board of Canada 1995 då han ställde frågan
service i Norge och Finland drivs inom ramen för ett enskilt företag (NRK. 1 och Yleisradio), fin ns det i Sverige tre: Ett för tv (Sveriges Television , SVT ), ett för radio (Sveriges Radio , SR ) och ett för utbildnings program (Sveriges Utbildningsradio, UR, vilket till följd av sin begränsade storlek inte återfinns bland de 25 största
Hotell För hotell anges de tre klasserna A/B, C och D. Det betyder att den "normala" standarden C är acceptabel men att motiven för en högre standard är starka. Ljudklass C motsvarar de tidigare normkraven för hotell, ljudklass A/B motsvarar kraven för moderna hotell med hög standard och ljudklass D kan användas vid
