topic Re: Supply chain risk management (SCRM) in CISSP Study Group

Supply chain risk management (SCRM)

Mahender — Fri, 20 Sep 2024 10:57:54 GMT

14. Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in
the supply chain are reliable, trustworthy, reputable organizations. Which of the following
are true statements? (Choose all that apply.)
A. Each link in the supply chain should be responsible and accountable to the next link in
the chain.
B. Commodity vendors are unlikely to have mined their own metals or processed the oil for
plastics or etched the silicon of their chips.
C. If the final product derived from a supply chain meets expectations and functional
requirements, it is assured to not have unauthorized elements.
D. Failing to properly secure a supply chain can result in flawed or less reliable products, or
even embedded listing or remote control mechanisms.

The answer given in ISC2 is A, B, D, but I believe the correct answer is A and D. Please correct me if I am wrong.

Re: Supply chain risk management (SCRM)

ericgeater — Fri, 20 Sep 2024 11:35:34 GMT

Companies buy materials which are used to make other products, because making products is their business. Extracting / mining / procuring is someone else's business entirely.

But, buying materials means the purchaser are abstracted from a thorough knowledge of the provenance of the raw materials. If a purchaser orders heavy sweet crude oil, and the vendor sends light sweet crude oil, they will not be able to make any products which require heavy sweet crude.

That's a very simplified answer, of course.

Re: Supply chain risk management (SCRM)

Mahender — Fri, 20 Sep 2024 13:21:26 GMT

So, you mean the answer is A & D alone?

Re: Supply chain risk management (SCRM)

VincentNgVS — Fri, 20 Sep 2024 14:22:21 GMT

The ISC2 answer of A, B, and D is correct.

Let’s break down why statement B is accurate:

Statement B: Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.

This statement highlights the complexity and specialization within supply chains. Commodity vendors typically source raw materials from various suppliers rather than producing them themselves. For example:

Metals: A vendor selling metal components is unlikely to have mined the ore themselves. Instead, they purchase raw metals from mining companies.
Plastics: Similarly, a vendor providing plastic parts is unlikely to have processed the crude oil into plastic. They buy processed plastic from chemical companies.
Silicon chips: Vendors selling silicon chips usually purchase silicon wafers from specialized manufacturers who handle the intricate process of etching silicon.

This separation of roles is common in supply chains, where different stages of production are handled by specialized entities 1 2. This specialization allows each entity to focus on their core competencies, leading to more efficient and cost-effective production processes.

Why B is correct:

Specialization: Each link in the supply chain focuses on specific tasks, leading to efficiency and expertise in those areas 1.
Complexity: Modern supply chains are highly complex, with multiple layers of suppliers and sub-suppliers 2. It’s impractical for a single vendor to manage all stages of production.

Sources:

I hope this clarifies why statement B is included as a correct answer.

Re: Supply chain risk management (SCRM)

Mahender — Fri, 27 Sep 2024 04:15:38 GMT

Thanks