AREA CF16 – External Supplier Management
List of Topics
CF16.1 External Supplier Management Process
CF16.2 Hardware / Software Acquisition
CF16.3 Outsourcing
CF16.4 Cloud Computing Policy
CF16.5 Cloud Service Contracts
CF16.1 External Supplier Management Process
Principle
Information security requirements should be considered at all stages throughout the relationship with external suppliers.
Objective
To protect critical and sensitive information when being handled by external suppliers or when being transmitted between the organisation and the supplier.
CF16.1.1
There should be a process for managing the security of relationships with external suppliers. This process should involve the information security function, and include:
a) identifying and categorising all types of external supplier used by the organisation, enterprise-wide
b) agreeing security arrangements (eg based on business security requirements and compliance needs) for each supplier
c) validating security arrangements for each supplier
d) handling termination of a relationship with a supplier.
Organisations typically work with many external suppliers and agree different security arrangements depending on the products and services provided by the supplier. The types of external service provider an organisation may use include outsource providers, offshore service providers and cloud service providers. Managing the security of relationships with external suppliers can be supported with a tool such as the ISF’s Third Party Security Assessment Tool (TPSAT).
CF16.1.2
All external suppliers working with the organisation should be:
a) identified (typically by business owners) and recorded in a register (or equivalent)
b) categorised from an information security perspective (eg as critical, important or standard)
c) assigned a business owner and information security contact.
CF16.1.3
Critical suppliers should be subject to a relationship assessment (sometimes referred to as a due diligence review), which covers:
a) dealings with the supplier (eg details of provider history, previous and current business arrangements and dispute information)
b) contract requirements (eg non-disclosure agreements, sub-contracting, roles and responsibilities, and termination clauses)
c) implications of the service(s) provided (eg information handled, underlying technology infrastructure, business dependency and sub-contractors used)
d) their demonstrable level of maturity in relation to information security and their degree of commitment to information security.
CONTROL FRAMEWORK
www.securityforum.org
Copyright © 2011 Information Security Forum • 2011 Standard of Good Practice CF16.1
CF16.1.4
A baseline set of security arrangements should be defined, and used as the foundation for agreeing security arrangements with each external supplier.
CF16.1.5
Additional, specialised controls should be:
a) identified for each external supplier to meet particular business and security requirements (eg as a result of a business relationship assessment, an information risk assessment, legal or regulatory requirements, or contractual arrangements)
b) agreed by both parties (ie the organisation and the external supplier)
c) defined in a contract
d) deployed in practice.
FUNDAMENTAL
Baseline information security arrangements represent mandatory security controls and other measures an organisation would typically expect an external supplier to implement to protect the organisation’s critical and sensitive information. Defining a set of common security arrangements allows the organisation to focus on agreeing additional security controls, which are often specific to the organisation, supplier, business purpose, or the industry sector / jurisdiction in which the organisation operates. Baseline security arrangements typically cover: governance, risk and compliance; system management; access management; security monitoring and response; network connections; electronic communications; business control; and system development.
CF16.1.6
A contract should be established with each external supplier, which includes agreed security arrangements (baseline and additional), such as the ‘right to audit’ and contract termination / exit activities.
CF16.1.7
The information security status of each external supplier should be assessed / validated on a regular basis, using a consistent and approved methodology (eg based on an industry standard). The categorisation of the external supplier should be used to determine:
a) who will perform the assessment (eg an independent specialist or external auditor)
b) the level of detail the assessment will involve
c) the frequency with which the assessment is performed.
CF16.1.8
A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes:
a) designating individuals responsible for managing the termination
b) revocation of physical and logical access rights to the organisation’s information
c) return, transfer or secure destruction of assets (eg back-up media storage, documentation, hardware and authentication devices)
d) coverage of license agreements and intellectual property rights
e) rehearsal and refinement of termination activities.
FUNDAMENTAL
CF16.1.9
Alternative (contingency) arrangements should be established to ensure that the organisation’s business processes can continue in the event that the external supplier is not available (eg due to contract termination, a disaster, a dispute with the external supplier, or the supplier ceasing trading). These arrangements should be based on the results of a risk assessment, and include:
a) the provision of alternative, secure facilities for business processes to continue
b) escrow of information and closed / proprietary technologies (eg application source code and cryptographic keys) using a trusted external party, such as a legal representative, lawyer or equivalent
c) recovery arrangements to ensure continued availability of information stored at an outsource provider or in the cloud
d) alignment with the organisation’s business continuity programme.
Related areas / topics
CF9.3 External Network Connections
ISF resources
Information Security in Third Party Relationship Management
Third Party Security Assessment Tool (TPSAT)
Information security for external suppliers: A common baseline
CF16.2 Hardware / Software Acquisition
Principle
Robust, reliable hardware and software should be acquired (eg purchased or leased) following consideration of security requirements and identification of any security deficiencies.