OCIO/G4.6 Government guideline on cyber security
ISMF Guideline 6: Cyber security in procurement activities

BACKGROUND

Considering potential security risks, and accounting for actual ones, during procurement is a vital component of holistic security management. Cyber [ICT] security risk management practices are predominantly focused on avoiding potential pitfalls when sourcing products and services. By identifying potential flaws or conceivable business impact(s) during the sourcing phase, costly remediation can often be minimised or avoided entirely. The old adage ‘a penny saved is a penny earned’ certainly applies to all sourcing activities. In security terms, a penny saved by considering security requirements at the design and initiation phases of a procurement reduces multiple risks, including economic, reputational and legal liabilities.

Responsible Parties need to assure themselves that appropriate due diligence has been undertaken against prospective equipment and service providers. Particular emphasis in this guideline is placed on verifying that prospective and ongoing suppliers have a demonstrated commitment to continual improvement using the underlying quality management principle ‘Plan-Do-Check-Act’. This guideline supports implementation of ISMF Policy Statement 6.

GUIDANCE

Business Owners are responsible for determining relevant cyber security requirements prior to finalising sourcing arrangements or procuring equipment and services. The Government of South Australia defines baseline security requirements for whole-of-government ICT sourcing arrangements. Individual agencies and suppliers to government have roles to play in determining their own security requirements in alignment with the business risk profile, which is an indication of risk tolerance and appetite. These factors will often change on a case-by-case basis.
For products and services sourced via whole-of-government arrangements, agency-specific measures are implemented at the Customer Agreement [CA] level. Individually sourced products and services will also need to factor in the cyber security policy requirements defined in the Protective Security Management Framework [PSMF] and Information Security Management Framework [ISMF]. This guideline highlights the specific policies and standards related to procurement without delving into all of the ‘human factors’ that also need to be catered for when considering a sourcing arrangement. Annex A of the ISMF describes the absolute baseline for cyber security risk management, and each facet of security risk management described therein should be considered prior to finalising any ICT procurement.

RISK IDENTIFICATION

Table 1 – Manage risks in the context of an overarching Information Security Management System
Applicability: ALL

Policy Statement 1
Responsible Parties must develop or have in place an Information Security Management System [ISMS] that conforms to the principles of AS/NZS ISO/IEC 27001. When the Responsible Party is a Supplier, they must obtain and maintain certification that their information security management system conforms to AS/NZS ISO/IEC 27001 if their contractual obligations require this, as described in section 2.1 of the Information Security Management Framework.

Policy Statement 2
Each Responsible Party shall develop and use information security risk management processes as outlined in section 5.1 of the PSMF and supported by the Government of South Australia Risk Management Policy Statement. The risk assessment process shall include the identification and assessment of security risks for information assets and a summary of the Agency’s response to these risks, and shall provide ongoing monitoring and review of the risks and the potential security exposure(s).

Policy Statement 5
Access to information processing facilities by third parties must be controlled, and such controls must be agreed to and defined by way of contractual obligation with the external organisation.

S12.3
Contracts conferring tertiary access (e.g. a supplier who utilises sub-contractors or outsourced suppliers in the fulfilment of their contractual obligations and/or service agreement) should include allowances for designation of deemed eligible participants and the conditions for their access.

Responsible Parties may embed the use of an assessment tool as a component of the selection process for external organisations, such as the Third Party Security Assessment Tool [TPSAT] available to Information Security Forum members.

Government guideline on cyber security Cyber security in procurement activities v1.3 Page 2 of 7

SECURITY IN PROCUREMENT AND SOURCING ACTIVITIES

Table 2 – Establish security requirements at the outset, before going to market
Applicability: ALL; [C] Confidential; [P] Protected; [SC] Sensitive: Cabinet

Policy Statement 6
Access to Agency and Australian Government information provided to prospective Suppliers during tendering and/or procurement processes shall be limited on a need-to-know basis and commensurate with the controls applicable to the information’s classification. Agencies must stipulate and account for security considerations and controls as defined in the PSMF and ISMF and their subordinate documents during all phases of the procurement process.

Standard 15
Responsible Parties must include and consider the security controls required by the PSMF and ISMF as part of their procurement procedures. Information classification controls must be applied during all phases of the tender and/or procurement process.

S15.1
Agencies must include the requirements of the PSMF and the ISMF in their procurement procedures and should select only those subsets of controls and procedures required according to the scope and nature of the project(s) and/or services, products and materials being considered.

S15.2
Particular attention is drawn to part F, paragraph 4.6 of the PSM, which addresses issues such as “Conflict of Interest” declarations and security clearance requirements. This constitutes one of the minimum standards for procurement security and is enabled by the PSMF.

S15.3
Suppliers that intend to procure services, products and/or materials via a third party shall obtain written authorisation from the relevant Agency if any classified information needs to be shared with or otherwise released to the third party as part of the Supplier’s procurement process.

S15.4
Significant risks identified in the procurement cycle should be reflected in the organisation’s risk register, and the treatment and/or mitigation strategy should be identified as part of the organisational risk management procedures.

S15.7
All personnel must be subject to a security vetting process. Refer to the Security Clearances and Briefings section of the ISM (ISM pages 75-77) for further guidance.

S15.8
All personnel (including respondents) should be subject to a security vetting process in accordance with Policy 6.1 of the PSPF. Personnel must be subject to this process when accessing Commonwealth information.
ESTABLISH CONTRACTUAL ARRANGEMENTS

Table 3 – Define a cyber security accord with prospective suppliers
Applicability: ALL

Standard 14
Arrangements involving third party access to Agency information processing facilities shall be based on a formal contract containing, or referring to, all of the security requirements needed to ensure compliance with the Responsible Party’s security policies, standards and obligations.

S14.4
Third parties and their employees, including sub-contracted service providers, who require access to security classified information must be security cleared to the appropriate level. Utilising a Third Party Contract Agreement, the service provider must be required to implement security procedures that ensure that access to Official information assets is restricted to those employees who require access to perform their function.

S14.5
Responsible Parties should establish individual confidentiality agreements with the staff of contractors. Depending on the risk assessment findings and the sensitivity of the information assets or systems, the Responsible Party may wish to undertake a police records/fingerprint check of an individual or elect to use a vetting process for sensitive Positions of Trust.

Standard 139
Refer to OCIO/S4.3 Security in an Outsourced Environment.

Standard 69
Information used in Electronic Commerce shall be protected from fraudulent activity, misuse, breach of privacy and unauthorised access. Responsible Parties should establish contractual agreements with providers and partners to minimise the risk of potential disputes, and should give consideration to PCI DSS compliance for large online transaction-based systems that rely on credit and/or debit card transactions.
PERIODIC REVIEW OF THIRD PARTY SERVICE DELIVERY

Table 4 – Ongoing supply arrangements should focus on commitment to continual improvement
Applicability: ALL

Policy Statement 16
Responsible Parties shall implement a program of compliance monitoring, periodic performance review and change (improvement) management for third party service delivery agreements.

Standard 51
Each Agency shall be responsible for identifying the risks associated with the outsourcing arrangements for their processing facilities and/or service delivery agreements (whether sourced internally or externally to Government), as well as defining the control measures that the contractor or other Third Party is required to implement. At a minimum, controls must include the applicable security controls described in the ISMF, and service definitions and delivery expectations such as Service Level Agreements [SLAs], in alignment with OCIO/S4.3 Security in an Outsourced Environment (ISMF Standard 139).

S51.2
Responsible Parties shall note that external (third party) service delivery agreements may include supply agreements sourced from other Agencies and/or service delivery partners (e.g. Shared Services SA, Service SA, Service Delivery Group etc.).

Standard 11
In addition to periodic self-assessment, each Responsible Party shall be subject to ongoing independent review of Information Security policies, practices and implementation at regular intervals in accordance with the AS/NZS ISO/IEC 27002 standard.

OUTSOURCING SOFTWARE DEVELOPMENT

Table 5 – Independent reviews, advice and/or certification provide increased assurance
Applicability: ALL

Standard 120
Responsible Parties entering into outsourcing arrangements for software development shall seek legal advice to ensure that the Agency’s rights and interests are protected, and shall implement the guidance described in the AS/NZS ISO/IEC 27002 standard pertaining to outsourced software development.

S120.1
Responsible Parties shall implement the control(s) and guidance described in clause 12.5.5 of the AS/NZS ISO/IEC 27002 standard.

ADDITIONAL CONSIDERATIONS

Agencies should educate their users on the security implications associated with procurement and help them to understand their requirements to ensure the confidentiality, integrity and availability of government information assets. Most importantly, agency personnel should understand the bearing that cyber security in procurement has on continued service availability and the assurance that consistent service levels provide to the community.

Some of the differences between outsourcing and the other forms of third party service provision include the question of liability; planning the transition period to an outsourced environment and the potential disruption of operations during any transition; contingency planning arrangements and due diligence reviews; and the collection and management of information on security incidents. It is therefore important that the organisation plans and manages the transition to such arrangements and has suitable processes in place to manage changes and the renegotiation/termination of contracts driven by business requirements.
Personnel, including contractors, requiring access to security classified information or resources may need security clearances (see ISMF Policy Statement 5).

Confidentiality and/or non-disclosure agreements must be in place for all staff, contractors and/or sub-contractors that seek or have access to South Australian Government information, materials and/or intellectual property that is not intended for public access (see ISMF Standard 8).

Access provided to third parties (including customers, contractors etc.) must be controlled based on the specific business requirements of the Responsible Party (see ISMF Standard 13).

This guideline does not aim to provide the reader with all of the cyber security responsibilities, obligations and controls related to procurement. It is merely an overview of the information provided in relevant government cyber security policy and the AS/NZS ISO/IEC 27002 standard. It is highly recommended that agencies review such documents in their entirety. The individual requirements of agencies will have a direct bearing on what measures are implemented to mitigate identified risk(s).

SAMPLE CONTRACTUAL CLAUSES

An example schedule containing whole-of-government contractual clauses is embedded in the MS-Word version of this guideline:
Schedule 32 Security Requirements Example.docx

REFERENCES, LINKS & ADDITIONAL INFORMATION

PC030 Protective Security Management Framework [PSMF]
OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
AS/NZS ISO/IEC 27002:2006
Australian Government Protective Security Policy Framework [PSPF]

ID: OCIO_G4.6
Classification/DLM: PUBLIC-I1-A1
Issued: February 2012 (re-designated as ISMF Guideline 6 from Guideline 9 – February 2014)
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFguidelines\ISMFguideline6(procurement).docx
Records management: File Folder: 2011/15123/01 - Document number: 5814760
Managed & maintained by: Office of the Chief Information Officer
Author: Jason Caley, Principal Policy Adviser
Reviewer: Peter Fowler MACS (Snr. CP), IP3P, CISM, CGEIT, CRISC, MAIES, Director Security and Risk Assurance
Compliance: Discretionary
Review date: February 2016

To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 6. This work is licensed under a Creative Commons Attribution 3.0 Australia Licence. Copyright © South Australian Government, 2012.

Disclaimer