Information Security Policy 15: Supplier Relationships

Lead Manager: Head of Operations
Responsible Director: Director eHealth
Approved By: Information Governance Steering Group
Date Approved: December 2019
Review Date: December 2021
Version No.: N1.0
THIS DOCUMENT IS CURRENT AS AN ON LINE DOCUMENT
Consultation and Distribution Record

Contributing Authors: IT Compliance Manager
Consultation Process / Stakeholders: Information Governance Steering Group
Distribution: All Staff
Change Record

Date          Author     Change             Version No
23 Feb 2017   S Harris   First created      V0.1
20 Oct 2017   S Harris   Updated            V0.2
8 Feb 2018    S Harris   Formatting         V0.3
24 July 2018  S Harris   Formatting         V0.4
11 Mar 2019   S Harris   Updated for NISD   V0.5
1 Oct 2019    S Harris   Updated for NISD   V N1.0
Contents

1 INTRODUCTION
2 OBJECTIVES
3 SCOPE
4 LOCATION
5 SUPPLIER RELATIONSHIPS : INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS
  5.1 Information security policy for supplier relationships
  5.2 Addressing security within supplier agreements
  5.3 Information and communications technology supplier chain
6 SUPPLIER RELATIONSHIPS : SUPPLIER SERVICE DELIVERY MANAGEMENT
  6.1 Monitoring and review of supplier services
  6.2 Managing changes to supplier services
7 CONTRACTS AND CONFIDENTIALITY AGREEMENTS
8 INFORMATION SECURITY POLICY FRAMEWORK (2018) CONTROL
9 REFERENCES
  9.1 GG&C Standard/policy/guidance
  9.2 NHSS Standard/policy/guidance
1 INTRODUCTION
This Policy supports the implementation of the sub-control objectives relating to
Supplier relationships : information security in supplier relationships and
Supplier relationships : supplier service delivery management in the NHS Scotland
Information Security Policy Framework (2018), as part of the Network and
Information Systems Regulations 2018. The Policy also supports the Supply Chain
Guidance of the Scottish Government's Public Sector Action Plan (PSAP).
2 OBJECTIVES
The objectives of this policy are:
• To ensure protection of the organisation's assets that are accessible to
suppliers
• To maintain an agreed level of security and service delivery in line with
supplier agreements
3 SCOPE
This policy relates to all suppliers requiring access to GGC information assets and
to suppliers hosting GGC information assets.
4 LOCATION
Where the term staff is used it shall be taken to apply to full or part time employees,
contractors, volunteers or third parties that work on behalf of NHS GG&C.
5 SUPPLIER RELATIONSHIPS : INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS
The two sub-controls in this policy are designed to reduce the impact and likelihood
of the following threats, as defined in the Information Security Risk Management
Policy.

Threat Number   NHSGGC Commonly Identified Threats
T1              Deliberate unauthorised access or misuse by known outsiders (including supplier)
T3              Theft or wilful damage by outsiders of data or equipment
T7              Theft of data via unauthorised access by hacker / malicious external actor
T11             Breach of legislation, privacy / regulation issue
T13             Inadequate or absent audit trail
T16             Environmental failure, e.g. loss of electricity
T17             System or network software failure
T18             Supplier withdraws a key product in the solution, or product reaches end of life
T19             Key supplier becomes insolvent
T20             Supply chain cyber attack
5.1 Information security policy for supplier relationships
• GGC shall ensure that a full assessment of the potential security risks of
using an outsourced provider or a supplier is carried out. This must include
identification of what needs to be protected and why.
• GGC shall ensure that the risks associated with outsourcing are managed
through the imposition of suitable controls, comprising a combination of legal,
physical, technical, procedural and managerial controls.
• GGC shall ensure that there is an identified service owner and eHealth owner
for each supplier.
• GGC should consider the following when selecting an outsourced provider or
a supplier:
  • Supplier's reputation and history.
  • Quality of services provided to other customers.
  • Financial stability of the company and commercial record.
  • Retention rates of the company's employees.
  • Quality assurance and security management standards currently followed
  by the company (e.g. certified compliance with ISO 9001 and ISO/IEC
  27001, Cyber Essentials / Cyber Essentials Plus).

5.2 Addressing security within supplier agreements
Relevant information security requirements must be established with each supplier
that may access, process, store, communicate or provide ICT infrastructure
components for, the organisation's information.
Requirements must include specifying:
• what data is held by or accessed by the supplier
• where data is held by the supplier, the process of sanitisation of storage media
that is applied during the contract and will be applied at contract termination
• whether the supplier has subcontracted any of the services it provides to GGC
• the access method
• who within the supplier will be managing the cyber risks for the delivery of the
contract
• the basic staff training and awareness raising around cyber risk carried out by
the supplier
• cyber assurance accreditation, e.g. Cyber Essentials, ISO 27001 or equivalent
These requirements must be specified in the Supplier Contract.
5.3 Information and communications technology supplier chain
Access to the organisation's assets shall include assurance procedures and must be
in compliance with the GGC Third Party Access Policy.
The contracted supplier must manage all accesses provided to it.
Data can only be transferred by explicit agreement from GGC using a defined secure
method.
6 SUPPLIER RELATIONSHIPS : SUPPLIER SERVICE DELIVERY MANAGEMENT
6.1 Monitoring and review of supplier services
As a minimum, as part of the annual contract review, each supplier will go through a
reassessment of its access procedures and of the GGC accounts it has been
allocated.
6.2 Managing changes to supplier services
Suppliers must notify GGC of proposed changes to the provision of services and
their impact on existing information security policies, procedures and controls.
Risk Assessment must be carried out for the proposed new service.
7 CONTRACTS AND CONFIDENTIALITY AGREEMENTS
The requirements for information security in supplier relationships and for supplier
service delivery management must be included in the supplier contract.
8 INFORMATION SECURITY POLICY FRAMEWORK (2018) CONTROL
36) Supplier relationships: supplier service delivery management
Objective: To maintain an agreed level of security and service delivery in line with supplier agreements.

Sub-control (ISO 27001-CAF-ICO Ref. no.)
  a) Monitoring and review of supplier services (ISO: A.15.2.1) (CAF: A4.a)
Detail
  Organisations shall regularly monitor, review and audit supplier service delivery
  and associated security provisions.

Sub-control (ISO 27001-CAF-ICO Ref. no.)
  b) Managing changes to supplier services (ISO: A.15.2.2) (CAF: A4.a)
Detail
  Changes to the provision of services by suppliers, including maintaining and
  improving existing information security policies, procedures and controls, shall
  be managed, taking account of the criticality of business information, systems
  and processes involved and re-assessment of risks.

9 REFERENCES
9.1 GG&C Standard/policy/guidance
9.2 NHSS Standard/policy/guidance
Contract and supplier security: example policy (NHS Digital 2017)
https://www.digital.nhs.uk/media/31609/Contract-and-Supplier-Security-ExamplePolicy/doc/Contract_and_Supplier_Security_-_Example_Policy_230517