CIE42 Proceedings, 16-18 July 2012, Cape Town, South Africa 2012 CIE & SAIIE
1 INTRODUCTION
Information in an organization, together with the processes, systems and networks that handle
it, is an important business asset which needs to be protected to maintain its confidentiality,
integrity and availability.
The Internet and cloud computing have opened up access points at a global level for
commercial enterprises to carry out business transactions, which has increased the speed at
which data capital is transferred and stored. However, usage of these resources has brought a
proliferation of malware and automated attackers. Consequently, achieving, maintaining
and improving information security have become essential to maintaining the organization's
competitive edge, cash flow, profitability, legal compliance and commercial image.
It is proposed to carry out applied research to find a solution for a real-life problem
facing society or an industrial / business organization, one which will require an action or
policy decision.
Businesses today depend heavily on the secure flow of information within and across
organizations. An insecure environment can cause serious damage to governments,
corporations and society. For supply chains engaged in product and service delivery across
the globe, the stakes are particularly high. It is unfortunate that information security is often
treated solely as a technology issue, whereas governance and personnel issues are equally
important.
Though work has been done on defining techniques to control information security related
risks in supply chains, not much work has been done to define a mechanism that assures
management that these risks are being handled across the supply chain. This paper discusses
some issues pertaining to information security in supply chains as brought out by various
researchers and then proposes a process framework for the management of information
security: how to set priorities, develop processes, assign tasks, carry out the actions, and
monitor the implementation. Government agencies have introduced numerous legislative
controls which also need to be dovetailed with the operational processes of the
organization.
The organization of this paper is as follows:
- Information flow in supply chains
- Security in supply chains
- Need for information security
- Literature review: data security, technology and management aspects
- Process framework for information security
- Concluding remarks
2 INFORMATION FLOW IN SUPPLY CHAINS
A supply chain is represented by a network of suppliers, manufacturers, wholesalers,
distributors and retailers working collaboratively through a focal company to meet the end
users' product and service requirements. Business transactions across the network are
supported by a continuous flow of information on products & services, inventories, order
positions, resource availability, financial transactions etc.
Auto e-Hub (autoehub.com) is a supply chain network providing Software as a Service (SaaS)
for the international auto-part market from Taiwan. The system provides solutions to buyers
and sellers of high quality auto parts and aims to bridge the market between domestic
auto-part suppliers and world-wide automobile Original Equipment Manufacturer (OEM) or
Aftermarket (AM) procurement offices. Their supply chain network, which is depicted below,
has the following objectives:
Figure 1: Auto E-Hub Supply Chain Network - The World-Wide Solution For Auto Parts Industries
(Source: Adapted From Auto E-Hub Website, http://www.autoehub.com/eng/solution_network.htm)
The Auto e-Hub supply chain network depicted above illustrates well how information flow
extends to many stakeholders across the network, whereas the material/logistics flow applies
only to the direct suppliers and customers. Funds flow in
stopped sharing information with Sound-Scan, even though this entailed the loss of
promotional and co-advertising support.
Wal-Mart announced that it would no longer share its sales data with outside
companies like Information Resources Inc. and ACNielsen, which paid Wal-Mart for
the information and then sold it to other retailers (Hays 2004).
In Ward's 2007 survey of 447 automotive suppliers, more than 28% of the respondents
said that their company's intellectual property had been leaked by at least one
Detroit automaker within the past five years; 16% of these respondents also said that
their intellectual property had been compromised by foreign original-equipment manufacturers operating in the United States (Murphy 2007).
In a survey conducted by supplychainaccess.com, an astounding 64% of supply chain
managers pointed to leakage of valuable information by their suppliers to
competitors as one of the most significant threats to their supply chain operations
(Zhang and Li 2006).
Zhang et al. (2010) have proposed that confidential information may be mistakenly shared
between supply chain partners, the so-called direct information leakage, and that companies
have strong motivations and more than enough capability to collect, analyze, acquire and
utilize information from others to gain competitive advantage. Access to such information
may also lead to wrong inferences.
Anand and Goyal (2009) have presented data showing that information leakage exists across a
variety of industries. They argue that a firm's operational imperative (optimizing material
flows) may override the informational imperative (optimizing information flows), thus
necessitating their joint management.
Bolhari (2009) discusses a survey conducted jointly by the American Society for Industrial
Security and PricewaterhouseCoopers (ASIS/PWC) in 1999, which reported that
Fortune 1000 companies lost more than forty-five billion dollars from loss, theft, or
misappropriation of "proprietary information."
Soni and Jain (2011) have discussed several attributes related to the resilience of supply
chains: flexibility, visibility, collaboration, adaptability and sustainability. Visibility
addresses information about entities and events regarding end-to-end orders, inventory,
transportation & distribution, product design, as well as any events in the environment.
Recent events such as the global financial crisis and natural disasters like the tsunami in
Japan have demonstrated that a disruption affecting an entity anywhere in the supply chain
can have a direct impact on an organization's ability to continue its operations.
Operational: This will cover business processes, support functions and the related
information assets.
Financial: This will look at the financial flow which relates to the operations.
Goodwill: This is at the core, since any disruption in the operations or finance flow will
influence the information flow, which in turn affects the goodwill of the organization by
impacting the company's image and reputation.
The table below shows how these views relate to the three basic components of any Process
Framework: People, Process and Technology.
Table 1: Components Of Information Security Vis-à-Vis Process Framework Layers
View          Technology   Process   People
Operational   XXX          XXX       XXX
Financial     XX           XX        (cell not legible in source)
Goodwill      ---          ---       XXX
It is proposed to study different supply chain processes and establish the relationship
between supply chain performance metrics and information security by looking at information
security risks across these processes.
The proposed framework shall be based on Deming's Plan-Do-Check-Act principle.
[Plan-Do-Check-Act cycle diagram; only its labels are recoverable:]
PLAN: Identify processes of a typical supply chain; develop a multi-criteria based risk assessment methodology; refine the framework.
DO: Evaluate risks across the supply chain processes.
ACT: Study the relationship between supply chain performance metrics and information security.
CHECK: Validate the framework.
8 REFERENCES
Ajayi N. and Maharaj M., 2010. Mitigating Information Risk within Supply Chains.
Closs D.J. and McGarrell E.F., 2004. Enhancing Security throughout the Supply
Chain. Special Report by the IBM Center for the Business of Government.
Dynes S., Brechbühl H. and Johnson M.E., 2005. Information Security in the
Extended Enterprise: Some Initial Results from a Field Study of an Industrial Firm.
Report supported in part by a grant from the World Bank and in part under award
number 2000-DT-CX-K001 from the Office for Domestic Preparedness, Department of
Homeland Security.
Faisal M.N., Banwet D.K. and Shankar R., 2006. Supply chain risk mitigation:
modeling the enablers. Business Process Management Journal, Vol. 12, No. 4, 535-552.
Gunasekaran A. and Ngai E.W.T., 2004. Information systems in supply chain
integration and management. European Journal of Operations Research, Vol. 159,
269-295.
Johnson M.E., 2008. Information Risk of Inadvertent Disclosure: An Analysis of File-Sharing
Risk in the Financial Supply Chain. Journal of Management Information
Systems, Vol. 25, No. 2, 97-123.
Kaur A., Kanda A. and Deshmukh S.G., 2008. Supply chain coordination:
Perspectives, empirical studies and research directions. International Journal of
Production Economics, Vol. 115, No. 2, 316-335.
Knight P., 2003. Supply Chain Security Guidelines. IBM Report presenting a summary
of supply chain security guidelines published by numerous sources.
Poirier C. and Bauer M., 2000. E-supply Chain: Using the Internet to revolutionize
your business. Berrett-Koehler Publishers, San Francisco, California.
Roy A., 2011. Process Framework for Information Security in SCM. Proceedings of the
International Conference on Advances in Supply Chain and Manufacturing
Management, Kharagpur.
Sharifnia M., Iranmehr A. and Duroodochi M., 2009. Development of Trust Model for
e-Supply Chain Management. Proceedings of the European and Mediterranean
Conference on Information Systems, Izmir.
Smith G.E., Watson K.J. and Baker W.H., 2008. Perception and Reality: An
Introspective Study on Supply Chain Information Security Risk. Issues in Information
Systems, Vol. 9, No. 2, 272-278.
Soni U. and Jain V., 2011. Minimizing the vulnerabilities of supply chain: A new
framework for enhancing the resilience. Proceedings of the IEEE International
Conference on Industrial Engineering and Management, Singapore.
Stefansson G., 2002. Business-to-business data sharing: A source for integration of
supply chains. International Journal of Production Economics, Vol. 75, No. 1-2,
135-146.
Supply Chain Council, 2010. Supply Chain Operations Reference (SCOR) Model
Overview - Version 10.0.
Unger D. and Goel R., 2007. Sharing and Guarding Information: Managing Data
Security in Supply Chain Networks. Alliance Journal of Business Research, Vol. 3,
No. 1, 49-60.
Wadhwa S., Prakash A., Deshmukh S.G. and Wadhwa B., 2009. Information Security
in Flexible Supply Chain Network: A Decision Information Security (DIS) Model. Global
Journal of Enterprise Information System, Vol. 1, No. 2, 25-31.
Wadhwa S. and Saxena A., 2005. Knowledge Management based Supply Chain: An
Evolution Perspective. Global Journal of e-Business and Knowledge Management,
Vol. 2, No. 2, 13-29.
Zhang D.Y., Zeng Y., Wang L., Li H. and Geng Y., 2011. Modeling and evaluating
information leakage caused by inferences in Supply Chains. Computers in Industry,
Vol. 62, No. 3, 351-363.