Why Nutanix decided to get ISO 28000 certification?

Nutanix depends on having a reliable and resilient supply chain. Security threats exploit the complexity of our supply chain infrastructure, putting the delivery of our products at risk. Security, in particular cybersecurity, if not well managed, not only would affect Nutanix’s bottom line, but also affect the reputation and the ability to innovate and maintain strong customer relationships.

Stanford University did a study of 11 manufacturers and 3 “innovator” logistic providers and identified several commercial benefits of supply chain security such as a 26% reduction in customer attrition and 20% increase in number of new customers; a 38% reduction on theft/ loss/ pilferage, a 37% reduction in tampering; and a 30% reduction in problem identification and problem resolution time.

Supply chain security encompasses vulnerabilities in sourcing and manufacturing, supply chain continuity, risks in transportation, and vendor management. In addition to that vulnerabilities go beyond technology risks and include people and facilities at Nutanix and the manufacturer supporting Nutanix’s business.

Nutanix uses the industry standard ISO 28000 that addresses Security Management System for the Supply Chain security and innovatively incorporated Cyber security risk into the program by developing a Supply Chain Security Management System (SCSM).  Getting certified for ISO 28000 with Cybersecurity as part of the overall scope of the program, is the first in the industry and speaks volume of how seriously committed Nutanix is on cyber security and supply chain security.  The program also leverages the ISO/IEC 20243-1:2018, Open Trusted Technology Provider Standard (O-TTPS) standard to define supplier requirements around secure product design and secure supply chain management.

The challenges that many companies face today from manufacturing and supply chain security point o view can be broadly classified under the following categories - introduction of counterfeit hardware or hardware vulnerabilities, compromised firmware / software or software vulnerabilities, malicious modification of Nutanix products as it is getting loaded on the hardware and theft of parts. Nutanix developed the objectives as shown below to address the industry challenges, established a closed loop management system that includes risk assessment, risk mitigation and continual improvement in each of the areas:

  1. Prevent the integration of counterfeit or compromised parts into Nutanix products
  2. Prevent the installation of compromised firmware/software into parts or products
  3. Prevent unauthorized access to Nutanix intellectual property and proprietary information
  4. Prevent the theft of Nutanix parts, sub-assemblies and products
  5. Ensure that Nutanix is meeting all laws and regulatory requirements

We have worked with suppliers and vendors and established a secure and stable supply chain. This means that suppliers and vendors, in addition to complying with applicable international and domestic laws and regulations, are compliant to Nutanix’s Supply Chain Security Management (SCSM) system. Nutanix’s SCSM program supports this policy through the following activities:

RISK ASSESSMENT

Nutanix identifies and assesses potential supply chain security threats using a process that follows the requirements of ISO 28000 and leverages the ISO 31000:2018, Risk management and HB 167:2006, Security risk management standards. The process ranks threats as either Low, Medium, or High Risk.

RISK MANAGEMENT 

For threats that are considered Medium or High Risk, Nutanix puts in place strategies to reduce the likelihood that a risk occurs, minimize the consequences if it does occur and more importantly eliminate such risks from occurring in the future.

EMERGENCY PREPAREDNESS AND INCIDENT RESPONSE

Nutanix has developed procedures to respond to threats that occur outside the scope of the normal risk assessment process, to ensure that our response is consistent with our program objectives.

TRAINING

All employees that are covered by the scope of the program are provided with training on the program and how it impacts their work. The training is conducted periodically through webinars, seminars or in-class training.

SUMMARY

In Summary, Nutanix recognized the impact of the broader security risk in the supply chain to our customers and became a leader in the industry by not only establishing a Supply Chain Security Management System to address the risks but becoming certified to ISO 28000, an international standard, with an innovative tweak to include cyber-security into the scope of the program.