
CIE42 Proceedings, 16-18 July 2012, Cape Town, South Africa 2012 CIE & SAIIE

MANAGEMENT OF INFORMATION SECURITY IN SUPPLY CHAINS - A PROCESS FRAMEWORK
A. Roy1* and A. Kundu2
1 Department of Industrial Engineering, Indian Institute of Technology Delhi, India, arup2303@gmail.com
2 Department of Mechanical Engineering, Indian Institute of Technology Delhi, India, anirban.kundu.iitd@gmail.com
ABSTRACT
Information in an organization and the associated processes, systems and networks are
important business assets which need to be protected to maintain their confidentiality,
integrity and availability. Information security is important for the management of business
risk: it enables organizations to mitigate vulnerabilities in order to reduce the threat to both
reputation and business. Though work has been done on defining techniques to control
information security related risks in supply chains, not much work has been done to define a
mechanism to assure management of these risks across the supply chain. This paper
discusses some issues pertaining to information security in supply chains as brought out by
various researchers and then proposes a Process Framework for the management of
information security. The proposed framework should identify potential risks and possible
risk management controls for different areas (Physical security, Human Resource security and
Technological security), and evolve performance metrics and an audit process to evaluate the
effectiveness of the applied controls. It is expected that the framework will help supply
chain managers collaborate with information security and Information Technology specialists
to establish, implement and maintain information security across the supply chain.

* Corresponding Author

[305]-1


1 INTRODUCTION
Information in an organization and the processes, systems and networks are important
business assets which need to be protected to maintain the confidentiality, integrity and
availability.
The Internet and cloud computing have opened up access points at a global level for
commercial enterprises to carry out business transactions, which has led to an increase in the
speed of transfer and storage of data capital. However, usage of these resources has brought in a
proliferation of malware and automated attackers. Consequently, achieving, maintaining
and improving information security have become essential to maintain the organization's
competitive edge, cash flow, profitability, legal compliance and commercial image.
It is proposed to carry out Applied Research to find a solution for a real life problem
facing society or an industrial / business organization which will require an action or policy
decision.
Businesses today depend greatly on the secure flow of information within and across
organizations. An insecure environment can cause serious damage to governments,
corporations and society. For supply chains engaged in product and service delivery across the
globe, the stakes are particularly high. It is unfortunate that information security is often
treated solely as a technology issue, whereas governance and personnel issues are equally
important.
Though work has been done on defining techniques to control information security related
risks in supply chains, not much work has been done to define a mechanism to assure
management of these risks across the supply chain. This paper discusses some
issues pertaining to information security in supply chains as brought out by various
researchers and then proposes a process framework for the management of information
security - how to set priorities, develop processes, assign tasks, carry out the actions, and
monitor the implementation. Government agencies have brought in numerous legislative
controls which also need to be dovetailed with the operational processes of the
organization.
The organization of this paper is as follows:
- Information flow in supply chains
- Security in supply chains
- Need for information security
- Literature review: data security, technology and management aspects
- Process framework for information security
- Concluding remarks
2 INFORMATION FLOW IN SUPPLY CHAINS
A supply chain is represented by a network of suppliers, manufacturers, wholesalers,
distributors and retailers collaboratively working through a focal company to meet the end-users' product and service requirements. Business transactions across the network are
supported by a continuous flow of information on products & services, inventories, order
positions, resource availability, financial transactions etc.
Auto e-Hub (autoehub.com) is a supply chain network providing Software as a Service (SaaS)
for the international auto-part market from Taiwan. The system provides solutions to buyers
and sellers of high quality auto parts and aims to bridge the market between domestic auto-part suppliers and world-wide automobile Original Equipment Manufacturer (OEM) or
Aftermarket (AM) procurement offices. Their supply chain network, which is depicted below,
has the following objectives:

- To become a seamless network
- To collect the information from N-tier suppliers
- To improve information fluency of the supply chain to mitigate the impact of information distortion

Figure 1: Auto E-Hub Supply Chain Network - The World-Wide Solution For Auto Parts Industries
(Source: Adapted From Auto E-Hub Website http://www.autoehub.com/eng/solution_network.htm)

The Auto e-Hub supply chain network depicted above is a very good illustration to show how
information flow extends to many stakeholders across the network whereas the
material/logistics flow applies only to the direct suppliers and customers. Funds flow in
today's e-business systems is also a representation of information flow. Hence, it is
necessary to assure the security of information that flows across the supply chain. This
factor is now gaining more and more importance as business is conducted increasingly
through an e-supply chain which is electronically managed.
Bolhari (2009) has discussed that Poirier and Bauer (2000) proposed three important
constituents involved in e-supply chain management (eSCM):
- E-network (fully connected end-to-end business networks)
- Customer responses, which form the central theme of the supply chain strategy
- Technology: each of the above constituents can achieve the goal of the supply chain
through the support of technology.
These constituents working together form the input into e-SCM to achieve the desired
output, i.e. meet customer requirements and achieve customer satisfaction.
3 SECURITY IN SUPPLY CHAINS
Closs and McGarrell (2004) have defined security in supply chains as "the application of
policies, procedures, and technology to protect supply chain assets (product, facilities,
equipment, information, and personnel) from theft, damage, or terrorism and to prevent the
introduction of unauthorized contraband, people or weapons of mass destruction into the
supply chain." This definition considers security of supply chains from two aspects: soft and
hard. The soft aspect refers to intangible vulnerabilities, which in the above definition are
considered as information theft. The hard aspect indicates tangible vulnerabilities, such as
physical thefts (facilities, equipment, and personnel) or physical damage and terrorism.
Hard aspects will have an impact on the soft aspects as well.
The focus of this paper is on information security, one of the soft aspects of supply chain
security. The need for information security, issues brought out by researchers in this area
and a proposed framework to look at information security management has been discussed
in the subsequent sections.
4 WHY DO WE NEED INFORMATION SECURITY?
The information that an organization communicates with its supply chain partners is among
the most critical of its assets. The goal of information security is to reduce the enterprise's
risk of losses caused by intrusion, system misuse, privilege abuse, tampering, fraud, non-availability, corruption etc. Protection must be provided against external threats and against
internal abuse (Faisal et al., 2006).
Johnson (2008) has examined cases related to inadvertent disclosure of sensitive business
information through peer-to-peer file-sharing networks by looking at the extent of the
security risk for a group of large financial institutions using a direct analysis of leaked
documents. According to the results of the survey conducted, there is a substantial threat
and vulnerability for large financial firms, a significant link between leakage and leak
sources including the firm's employment base and the number of retail accounts, a link
between firm visibility and threat activity, and banks leaking information experience
greater search threat.
Results of different cases relating to compromise of information security have been
presented by Anand and Goyal (2009):
- Newbury Comics, a trendy, 20-store chain selling music records, used to report sales
numbers from its 20 stores to Sound-Scan, a private company that electronically
tracks and tallies every single record sold by some 85% of music retailers in the USA. It
realized that this information was being passed on to its competitors like Wal-Mart, and
stopped sharing information with Sound-Scan, even though this entailed the loss of
promotional and co-advertising support.
- Wal-Mart announced that it would no longer share its sales data with outside
companies like Information Resources Inc. and ACNielsen, which paid Wal-Mart for
the information and then sold it to other retailers (Hays 2004).
- Ward's 2007 survey of 447 automotive suppliers: more than 28% of the respondents
said that their company's intellectual property had been leaked by at least one
Detroit automaker within the past five years; 16% of these respondents also said that
their intellectual property had been compromised by foreign original-equipment manufacturers operating in the United States (Murphy 2007).
- In a survey conducted by supplychainaccess.com, an astounding 64% of supply chain
managers pointed to leakage of valuable information by their suppliers to
competitors as one of the most significant threats to their supply chain operations
(Zhang and Li 2006).

In summary, information security is important because of the following:
- The key motivator behind information security is the management of business risk:
regardless of whether that risk is financial or not, organizations mitigate
vulnerabilities in the enterprise to reduce the threat to their reputation and
customers.
- Information Security Management ensures compliance with regulatory, legislative and
contractual requirements.
5 ISSUES RELATED TO INFORMATION SECURITY IN SUPPLY CHAINS
Different aspects related to information security in supply chains have been discussed in the
literature. Some of these are enumerated below, classified on the following basis:
- Data security aspects
- Technology aspects: technologies used for implementing information security.
- Management aspects: management aspects and also a combination of the above.

5.1 Data Security Aspects

This section looks at aspects related to sharing of data across the supply chain:
Stefansson (2002) has discussed that each company's information system should support both
proprietary and shared data. The proprietary data would be accessible only to those
employees who have legitimate internal business needs. The shared data should be available
to all supply chain stakeholders through appropriate information interfaces; hence, there is
a need to look at data security issues in the flow of information between parties in the
supply chain.
Dynes et al. (2005) discuss that all partners within the supply chain must have access to
critical business information such as product specifications, marketing plans, and vast
transactional data on product sales and movement; however, firms dealing with supply
chain partners as an extended enterprise often make information security decisions with
very limited information about the threats their systems face, the strength of their systems
against these threats, and the usefulness of additional security measures.
Unger and Goel (2007) have categorized the threats related to information security into
three major categories: technical loss of proprietary information to competitors, system
malfunction of the information technology used, and compromised bidding systems; weaknesses
from inside and outside are discussed.
Kaur et al. (2008) have discussed the importance of a sound information sharing policy in the
context of collaboration in supply chains; few papers have looked at the means and
mechanisms of information sharing, trust and IT in supply chain co-ordination.


Zhang et al. (2010) have proposed that confidential information may be mistakenly shared
between supply chain partners, resulting in the so-called direct information leakage as a
result of which companies have strong motivations and more than enough capabilities to
collect, analyze, acquire, and utilize information from others to gain competitive
advantage. The access to such information may also lead to wrong inferences.

5.2 Technology Aspects

This section looks at aspects related to the technologies used for implementing information
security:
Gunasekaran and Ngai (2004) are of the opinion that researchers and practitioners have not
paid enough attention to the design and implementation of IT systems to enable effective
information sharing and reduce information security risks in SCM.
Smith et al. (2008) have discussed that IT-facilitated collaboration has improved customer
service and satisfaction by enabling sharing of information for coordinated decision-making
to help achieve maximum efficiency for all supply chain partners. However, this has also
increased the firm's vulnerability to a variety of IT-specific risks such as hacking, malware,
unauthorised access etc.
Wadhwa et al. (2009) have proposed a Decision Information Security Model to build a
network security management system for the supply chain with features of confidentiality,
authentication and availability.
Sharifnia et al. (2009) are of the opinion that requirements for secure e-Supply Chain
Management applications include but are not limited to identification and authentication,
authorization, non-repudiation, integrity and privacy. They have proposed that to
adequately support the needs of secure and trusted e-SCM applications, effective risk
analysis and appropriate deployment of alternate countermeasures are essential.
Ajayi and Maharaj (2010) discuss that the range of e-business technologies has not only
opened up newer opportunities in SCM, but has simultaneously increased the threat and
risk of information flows being transformed or modified, consequently increasing the
associated risks.
5.3 Management Aspects
This section looks at related management aspects and also a combination of the above two
categories:
Knight (2003) discusses different components related to information security risks in supply
chains: physical security, access control, data security, human resource security, incident
reporting and investigations, crisis management & disaster recovery. Global multi-vendor
supply chains prevalent today require greater collaboration on addressing these security
issues.
Faisal et al. (2006) discuss that efficient coordination for customer satisfaction and
sustaining competency across the supply chain requires a complex flow of information,
materials, and funds across multiple functional areas both within and among the supply
chain partners. In this context, natural and man-made disasters impact management
approaches in supply chains, as organizations now rely on their partners
spanning several nations and continents; hence the protection of information as part of a
business continuity plan assumes great significance.
Wadhwa and Saxena (2005) discuss how knowledge management has provided new
opportunities to create and retain greater value from supply chains based on the harnessing
of core business competencies. Knowledge sharing in a supply chain is an evolution over
information sharing; hence the availability and integrity of information, which is the basis
for knowledge creation, is vital across supply chain partners.


Anand and Goyal (2009) have presented data showing that information leakage exists across a
variety of industries. They discuss that a firm's operational imperative (optimizing material
flows) may override the informational imperative (optimizing information flows), thus
necessitating their joint management.
Bolhari (2009) discusses a survey conducted jointly by the American Society for Industrial
Security and PricewaterhouseCoopers (ASIS/PWC) in 1999 in which it was reported that
Fortune 1000 companies lost more than forty-five billion dollars from loss, theft, or
misappropriation of "proprietary information."
Soni and Jain (2011) have discussed several attributes related to resilience of supply chains:
flexibility, visibility, collaboration, adaptability and sustainability. Visibility addresses
information about entities and events regarding end-to-end orders, inventory, transportation
& distribution, product design as well as any events in the environment. Recent events such
as the global financial crisis and natural disasters like the tsunami in Japan have
demonstrated that a disruption affecting an entity anywhere in the supply chain can have a
direct impact on an organization's ability to continue its operations.

5.4 Summary Of Findings

Issues highlighted in the previous sections may be summed up as follows:
- Information leakage and misappropriation take place in the supply chain network.
- This information leakage and misappropriation can lead to the following:
  - Demand imperative may override the information imperative.
  - Product and service deliveries may not be optimal.
  - Firms may lose their competitive edge.
- Vulnerabilities in supporting IT infrastructure may not be adequately controlled,
which increases the risk of intrusion, data loss, reduced availability and loss of
business hours.
- Information reliability and consequently knowledge generation may be compromised.
- Human resource requirements in relation to information security may be overlooked.
6 Process Framework For Information Security In Supply Chain Management
The previous section has looked at various aspects related to information security in supply
chains as discussed by researchers. However, not much work has been done to define a
mechanism to enable the focal company of the supply chain to identify and appropriately
address these issues. Hence, it is proposed to evolve an integrated Process Framework for
establishing, implementing, monitoring and sustaining a Management System for addressing
Information Security of the supply chain.
A report of the American Productivity & Quality Center (2011) discusses how the use of a
process framework effectively reduces the time needed to develop consensus among the
stakeholders. Process frameworks are typically built based on a deep understanding of the
organization's operations and wide experience across a variety of organizations.
A process framework in an organization brings in a consistent set of practices which can be
implemented at any level of the organization. This helps the organization to:
- Manage the company's key processes and roles & responsibilities
- Facilitate integration of business processes
- Align processes and performance improvement with corporate strategy
- Facilitate benchmarking against best practices
A multi-layered view of information security is proposed to develop the Framework:


Figure 3: Information Security - A Multi-Layered View
(Source: Roy A., 2011. Process Framework For Information Security In SCM.)

- Operational: This will cover business processes, support functions and the related
information assets.
- Financial: This will look at the financial flow which relates to the operations.
- Goodwill: This is at the core, since any disruption in operations and finance flow will
influence the information flow, which will affect the goodwill of the organization by
impacting the company's image and reputation.

The table below shows how these views relate to the 3 basic components of any Process
Framework: People, Process and Technology:
Table 1: Components Of Information Security Vis-à-Vis Process Framework Layers

Layer          Technology   Process   People
Operational    XXX          XXX       XXX
Financial      XX           XX
Goodwill       ---          ---       XXX

Level Of Importance (X low, XX medium, XXX high)

It is proposed to study different supply chain processes and establish a relationship with
supply chain performance metrics and information security by looking at information
security risks across these processes.
The proposed framework shall be based on Deming's Plan-Do-Check-Act principle.

Figure 4: Proposed Process Framework (Plan-Do-Check-Act cycle)
- PLAN: Identify processes of a typical supply chain; identify threats & vulnerabilities across the supply chain processes; develop a multi-criteria based risk assessment methodology.
- DO: Evaluate risks across the supply chain processes; study the relationship between supply chain performance metrics and information security.
- CHECK: Validate the framework.
- ACT: Refine the framework.


7 CONCLUSION
Supply chain networks have extended far and wide across geographical borders and involve
firms with diverse business interests coming together for delivery of products and services at
optimum levels. Information flow in these complex networks is critical for optimizing the
material and finance flows which form the fulcrum of the supply chain. Data security,
technology and management aspects related to information security in the supply chain have
been discussed in previous research. It is unfortunate that information security is often
treated solely as a technology issue, whereas governance and personnel issues are equally
important. It is now proposed to develop a Process Framework to look at these aspects
together to evolve and maintain consistent business practices to assure the management of
information security across the supply chain.

8 REFERENCES
[1] Ajayi N. and Maharaj M., 2010. Mitigating Information Risk within Supply Chains. Proceedings of the International Research Symposium in Service Management, Mauritius.
[2] American Productivity & Quality Centre, 2011. Using Process Frameworks and Reference Models: to get real work done. APQC Best Practices Report.
[3] Anand K.S. and Goyal M., 2009. Strategic Information Management under Leakage in a Supply Chain. Management Science, Vol. 55, No. 3, 438-452.
[4] Bolhari A., 2009. Electronic-Supply Chain Information Security: A Framework for Information Security in e-SCM (e-SCIS). Proceedings of the 7th Australian Information Security Management Conference, Perth.
[5] Closs D.J. and McGarrell E.F., 2004. Enhancing Security throughout the Supply Chain. Special Report by the IBM Center for the Business of Government.
[6] Dynes S., Brechbühl H. and Johnson M.E., 2005. Information Security in the Extended Enterprise: Some Initial Results from a Field Study of an Industrial Firm. Report supported in part by a grant from the World Bank and in part under award number 2000-DT-CX-K001 from the Office for Domestic Preparedness, Department of Homeland Security.
[7] Faisal M.N., Banwet D.K. and Ravi Shankar, 2006. Supply chain risk mitigation: modeling the enablers. Business Process Management Journal, Vol. 12, No. 4, 535-552.
[8] Gunasekaran A. and Ngai E.W.T., 2004. Information systems in supply chain integration and management. European Journal of Operations Research, Vol. 159, 269-295.
[9] Johnson M.E., 2008. Information Risk of Inadvertent Disclosure: An Analysis of File-Sharing Risk in the Financial Supply Chain. Journal of Management Information Systems, Vol. 25, No. 2, 97-123.
[10] Kaur A., Kanda A. and Deshmukh S.G., 2008. Supply chain coordination: Perspectives, empirical studies and research directions. International Journal of Production Economics, Vol. 115, No. 2, 316-335.
[11] Knight P., 2003. Supply Chain Security Guidelines. IBM Report presenting a summary of supply chain security guidelines published by numerous sources.
[12] Poirier C. and Bauer M., 2000. E-supply Chain: Using the Internet to revolutionize your business. Berrett-Koehler Publishers, San Francisco, California.
[13] Roy A., 2011. Process Framework for Information Security in SCM. Proceedings of the International Conference on Advances in Supply Chain and Manufacturing Management, Kharagpur.
[14] Sharifnia M., Iranmehr A. and Duroodochi M., 2009. Development of Trust Model for e-Supply Chain Management. Proceedings of the European and Mediterranean Conference on Information Systems, Izmir.
[15] Smith G.E., Watson K.J. and Baker W.H., 2008. Perception and Reality: An Introspective Study on Supply Chain Information Security Risk. Issues in Information Systems, Vol. 9, No. 2, 272-278.
[16] Soni U. and Jain V., 2011. Minimizing the vulnerabilities of supply chain: A new framework for enhancing the resilience. Proceedings of the IEEE International Conference on Industrial Engineering and Management, Singapore.
[17] Stefansson G., 2002. Business-to-business data sharing: A source for integration of supply chains. International Journal of Production Economics, Vol. 75, No. 1-2, 135-146.
[18] Supply Chain Council, 2010. Supply Chain Operations Reference (SCOR) Model Overview - Version 10.0.
[19] Unger D. and Goel R., 2007. Sharing and Guarding Information: Managing Data Security in Supply Chain Networks. Alliance Journal of Business Research, Vol. 3, No. 1, 49-60.
[20] Wadhwa S., Prakash A., Deshmukh S.G. and Wadhwa B., 2009. Information Security in Flexible Supply Chain Network: A Decision Information Security (DIS) Model. Global Journal of Enterprise Information System, Vol. 1, No. 2, 25-31.
[21] Wadhwa S. and Saxena A., 2005. Knowledge Management based Supply Chain: An Evolution Perspective. Global Journal of e-Business and Knowledge Management, Vol. 2, No. 2, 13-29.
[22] Zhang D.Y., Zeng Y., Wang L., Li H. and Geng Y., 2011. Modeling and evaluating information leakage caused by inferences in Supply Chains. Computers in Industry, Vol. 62, No. 3, 351-363.

