Establishing Trust: Foundational to Securing the ICT Supply Chain
By Colin Andrews and Patrick Lozada
The Telecommunications Industry Association (TIA) is leading the way on securing the global information communications technology (ICT) supply chain with the development of the global SCS 9001 standard that specifies verifiable and measurable criteria and uses a process-based quality management system to ensure quality and transparency. There are several key measurable processes, ranging from hardware and software identification and traceability to secure development, risk assessment and management, testing, and reporting.
Even with all the right technical processes in place, it is also vital to substantiate an organization’s trustworthiness within the ICT supply chain to make certain that end users have reliable, secure service. But what are the key factors and framework for establishing trust in an organization? While groups of countries have agreed on some common principles, such as the Prague Proposals and the CSIS Criteria for Security and Trust in Telecommunications Networks and Services, none have established specific criteria that can be independently measured and certified. TIA’s Supply Chain Security Work Group’s Trust Team has done just this, outlining a set of principles of trust to demonstrate transparency.
Identifying What Matters Most
One of the most fundamental SCS 9001 Principles of Trust is transparency in decision making. This boils down to a company’s ability to disclose information and provide visibility into relevant aspects of the business including how it is owned and controlled, the ability of auditors to access information about the company in a timely and complete fashion, and violations of global business best practices. Part of that transparency is understanding an organization’s ability to “play fair” and comply with international laws and standards pertaining to corrupt practices or bribery.
Principles of trust that businesses across the world look to as a means of ensuring the integrity of their stakeholders—from employees and shareholders, to customers and suppliers—are varied in form, often influenced by vertical market, regional culture, form of government, and stability of local law structures. TIA’s Principles of Trust take this into account and leverage multinational agreements regarding commercial best practices as their foundation.
Proof is in the Pudding
Unlike technical data that can be collected, analyzed, and measured, assessing the trust of a company must be a qualitative process rather than merely a quantitative one. In other words, trust is not absolute. Actually verifying the trustworthiness of a company therefore demands a more complex, strategic framework. The SCS Work Group’s Trust Team worked for months evaluating and determining the requirements for transparency, corporate best practices, and disclosure of relationships with national governments and political entities.
To establish transparency, SCS 9001 Principles of Trust require companies to attest that they are under no legal obligation to establish units of any political party within their company and are not ultimately controlled by any government. That is done in part by verifying that an organization’s Board of Directors includes independent members and has a robust governance structure to address any conflicts of interest, as well as verifying the legal requirements of the jurisdiction in which they are based.
Another way to demonstrate transparency is to provide information about corporate policies and relevant certifications, along with proof of third-party audit compliance. For example, SCS 9001 Principles of Trust include confirming that a company’s financial statements are audited by a Public Company Accounting Oversight Board (PCAOB) registered accounting institution in full compliance with PCAOB policies. Similarly, companies may be required to confirm that the sale of their products and/or services meets the transparency procedures and requirements of other global entities, such as the World Trade Organization (WTO) or the Organisation for Economic Co-operation and Development (OECD).
Given the rise of nation state-sponsored ICT supply chain attacks, it is also clear that the ability of companies to operate without interference from governments is vital to ensure global security and stability. To help limit political biases and ensure that companies are not subject to political demands, the SCS 9001 Trust Team has identified international frameworks for evaluating constraints on government powers and the effective rule of law. One such framework is the World Justice Project Rule of Law Index®, a global project that evaluates 128 countries and jurisdictions around the globe and measures the extent to which the powers of a government and its officials are limited and held accountable under law. This includes addressing non-governmental checks such as independent auditing and review agencies and media and civil societal oversight that play a vital role in monitoring government actions and holding officials accountable. Companies will also provide copies of anti-corruption and anti-bribery policies, as well as any certifications verifying compliance.
While still in the process of being implemented into the standard, the SCS 9001 Principles of Trust will help service providers, system integrators, manufacturers, and enterprise buyers across all industries ensure that their suppliers do not engage in unfair business practices, that they accurately report their financials, and that they are free from the influence of geopolitical interests. These principles, garnered in part from multiple international government and non-government service providers, will help strengthen the integrity of the global ICT supply chain and reduce exposure to cyberattacks that threaten to endanger national security, disrupt business continuity, and devastate consumer confidence.