Last updated: 
2 weeks 6 days ago
Blog Manager
I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Group administrators:

Information security management, suppliers and policy

Friday, August 11, 2017 - 15:55
Through the work done to gain ISO 27001 certification within Jisc we have had to explore, review, understand and improve how we deal with information security issues in products and services we obtain from suppliers. We must understand the requirements of our systems and services, the security implications, features and properties of our suppliers’ products and services, and how information security becomes an integral part of the relationship with the supplier.
Annex A of ISO/IEC 27001:2013 specifies five controls around the topic of supplier relationships. To help support and guide our work in this area we have explicitly established a Jisc wide “Information security policy for supplier relationships”.  This policy must be followed by all members of staff involved in procuring or purchasing of goods and services, as well as by members of staff responsible for maintaining relationships with the suppliers of those goods and services.
To help our members develop their own policies in this area, we are publishing the current (as per the data of this blog post) content of the policy below. Please feel free to reuse this content as per the community site’s Creative Commons Attribution Share Alike licence (CC BY-SA 3.0 - http://creativecommons.org/licenses/by-sa/3.0/).
 
This blog post is not a controlled document, and does not reflect Jisc policy at the time of reading.
 
Context
Many of our information assets are either entrusted to our suppliers, or are stored, processed and protected by products and services supplied to us. Consequently to protect our information assets we must ensure that the management of information security risk is an integral part of our relationship with these suppliers. It is not sufficient to assume that responsibility for these issues are transferred to suppliers.
The information security of the supply-chain is also increasingly important. Just as we are dependent on our suppliers to provide us with information security, they are also dependent on their own suppliers. To protect our information we must build upon established relationships to secure our supply-chain.
Policy
Specification
Purchasers must determine a number of different issues before they are able to set requirements for our suppliers.
  • The information assets the supplier will have access to
  • The nature of the information asset (for example, personal data)
  • The type of access required to those assets (read only, read/write)
  • The extent of the access required (full records, partial records)
  • How we would control risks to the information ourselves based on a risk assessment
  • The most effective way to ensure these risks are controlled

Particular attention needs to be given when suppliers are handling information classified as SENSITIVE by our information classification scheme (WI-GEN-003), such as when the information is commercially sensitive, given to us in confidence or contains personal data.

Once these issues have been determined, the findings should be incorporated into the procurement process so that the agreement with the eventual supplier provides our information assets with protection. It is important that the level of protection required is proportionate – too much security can lead to increased costs and usability issues.
Requirements
Agreements with suppliers must be clear as to what Jisc information assets they will be provided access to, and by what methods. If information is subject to further restrictions such as intellectual property rights, or agreements with other parties, this should also be made clear. If the product or service processes or stores personal data on behalf of Jisc, the data protection officer should be notified. The data protection officer will need to ensure that our responsibilities under current data protection legislation are being upheld. Where applicable the supplier should also be informed of Jisc Technologies’ Information Security Policy (ISM-POL-001) and Data Protection Policy (MF-POL-030).
Agreements with suppliers should also contain provision for verifying and validating the information security controls that are in place. This could be through evidence of an existing and recognised standard (for example ISO 27001 or Cyber Essentials) or potentially through our own auditing. New or changed risks and vulnerabilities that need controlling may arise during the life of the agreement, so it is important that agreements with suppliers take this into account.
Certificates may be provided by a supplier as evidence that particular systems or controls are in place. A competent member of staff must check the certificates for validity and applicability. For ISO 27001 certificates this would normally be a member of the Quality and Information Security Teams, but training is also available to other members of staff.
Requirements should account for the types and sizes of organisations likely to be supplying the product or service to Jisc. Smaller suppliers are less likely to hold formal certification even if they are taking the correct steps to ensure that the product or service is secure. Additional support and guidance may need to be provided alongside any requirements if the supplier is a sole trader or small business.  
Supply Chain
We may require our suppliers to perform the same diligence to their supply chain as we do to our own suppliers, taking into account the affect that an information security failure of one of their suppliers has on us. Again this could also be through evidence of an existing, recognised, standard such as ISO 27001.
Thoroughly analysing the supply chain of every supplier to Jisc would be a lengthy and resource consuming process, and so we need to prioritise this effort. Where particularly sensitive assets, or a wide range of access to our assets are involved, we may wish to obtain more thorough assurances that the supplier has thoroughly analysed their own supply chain. This can be achieved through an audit, either of the supplier by our own staff, or by recognised internal or external audits conducted by the supplier.
The nature of the relationships between entities in the supply chain may also need to be understood. For example, is the supplier merely a reseller of a product and another company is responsible for resolving security issues with the product? 
Monitoring and Review
Purchasers and service managers must regularly review supplier performance to ensure that their commitments to our information security are upheld. Normally this would be done by monitoring service levels and by tracking any issues that have arisen. Regular audits of the type mentioned above, and regular reviews may be appropriate where more sensitive assets are involved. The results of any audit or review should be recorded and reviewed, and any identified corrective actions followed up on.
Agreements can be changed or renewed. The purchaser must ensure that the information security impact of any changes is managed, taking into account the risks and business requirements involved. This may be particularly important if the supplier is adopting or deploying new technologies, or the information we provide to them changes.
Responsibilities
The purchaser is responsible for ensuring that this policy is adhered to. The implementation of this policy in procurement processes is the responsibility of the head of procurement.
The information security manager will support staff throughout this process, providing subject matter expertise and assisting with any risk management work and providing guidance to any audit process.