Establish control
Communicate your security needs to suppliers.
Ensure that your suppliers are aware of their obligation to secure your data, products, and services. Make sure they understand the consequences of a breach.
Determine if you are willing to permit your suppliers to subcontract work. If you allow subcontracting, assign the appropriate authority to do so. Provide your suppliers with clear instructions on the requirements for these decisions. Explain which types of contracts they can subcontract without seeking your consent and which require your approval before proceeding.
You must require your suppliers to:
- Meet their security obligations
- Include your security requirements in any subcontracting agreements
Set and communicate minimum security requirements.
Set minimum security requirements for suppliers that are justified, proportionate, and achievable. Consider minimum requirements for:
- Security governance
- Personnel security
- Information security
- Physical security
Make sure your security risk assessment is reflected in your requirements. Consider the security of your suppliers and whether they can fulfill your requirements. Be clear in the contract and list your security requirements. In certain situations, such as when suppliers only need occasional access to limited data or to your premises, you may decide not to require them to meet your minimum security requirements. Document these considerations. Give the contractor guidance on the steps you'll take to manage your security requirements. This will help you and the contractor avoid extra work.
Pre-Employment Checks
Specify what pre-employment checks you expect your suppliers to do for their employees. Make sure these are the same as the checks government organisations perform:
- Verify identity
- Verify nationality
- Verify the right to work in the given location within India
- Get references from former employers
- Complete Police Verification
If a role or access has a higher security risk, then more checks may be needed. For example, an IT administrator for a managed service provider might have a lot of access to your organisation’s data. You might need extra checks to make sure they can be trusted and to spot any risks that could come from insider threats.
Security Clearance
Your organization is responsible for sponsoring, arranging, and managing security clearances for the duration of a contract.
If contractor employees need access to protectively-marked information classified CONFIDENTIAL or higher, they must be security-cleared to the appropriate level. Anyone without the correct security clearance should not be allowed unescorted access to locations where protectively-marked information is handled or stored.
Security Requirements
Think about having different security rules for different contracts, depending on how risky they are. Don't make all of your suppliers follow the same security rules if it's not necessary.
Explain why the security rules are in place to your suppliers and make sure they pass them on to any subcontractors.
Make sure your minimum security requirements are in your procurement documents and contracts with suppliers.
Consider whether you should do the same character checks for workers from service providers that you do for your own people.
If a contractor needs to see official information, have them sign a non-disclosure agreement.
Incorporate security into your contract process, and expect the same from suppliers.
Security should be included in all contract procedures to ensure that security measures are taken and maintained throughout the contract period, even when the contract is terminated or services are transferred to another provider.
Before contracts are signed
Working with the CSO, identify security requirements when creating tender documents and evaluating proposals. Suppliers must be able to meet these requirements, and the contract should include the right to terminate if they fail to comply. The agreement on how information and assets are managed and disposed of should also be documented, with legal advice sought when developing contracts.
Conditions for information protectively-marked CONFIDENTIAL or above
The service provider must ensure that only employees with the necessary security clearance have access to protectively-marked material, and must report any contact with such material by employees without that clearance.
Conditions for official information
Contracts with service providers must include conditions to mitigate any risks associated with the loss or compromise of official information held by the provider, especially aggregated information. The contract must also contain terms and conditions to protect the official information if the provider is required to access it.
Permission for subcontracting
Organizations must provide written approval before a service provider can subcontract a service or function that requires access to official information, and written approval is also required if the service provider wishes to change the subcontractor.
Access to protected information
The service provider must ensure that their employees have the necessary security clearance before they are allowed to access confidential information.
Storing and handling protected information
The service provider must ensure their premises and facilities meet the necessary standards for storing and handling official information, up to the specified security classification level.
Information security
The service provider must have systems in place to securely process, store, transmit, and dispose of electronic official information according to set security standards.
Confidentiality
The service provider is obligated to keep official information confidential as per the contract, and this obligation may continue even after the contract has ended.
Conditions for your organisation’s information
When engaging a service provider, it is important to consider legal and jurisdictional risks, such as third-party access to information. The contract should include terms and conditions to protect against this, but in some cases, this may not provide sufficient protection.
During the contract
Companies should provide guidance, tools, and processes to manage security at all levels of the supply chain, and train all parties in their use. Contracts should be renewed regularly and risks reassessed, and suppliers should be asked to act or provide information only when necessary to manage security risks.
Meet your security responsibilities as both supplier and consumer.
Ensure you meet all supplier requirements. Report to senior management on how security is being managed. Pass security requirements on to subcontractors. Welcome customer audits, inform customers of any issues, and work proactively to improve security. If your customers don't provide guidance on their security needs, discuss this with them, and seek assurance that they're satisfied with the measures you have taken.
Raise awareness of security in your supply chain.
Supplier relationships can affect many parts of your business. So it's important to teach your team about how contracts will work and the security that goes with them. Explain the security risks to your suppliers in language they understand. Ask your suppliers to tell their people (especially in procurement, security, and marketing) about the risks and their duties for dealing with them.
As staff leave or change roles, your supplier's people may change too. Work with your suppliers to make sure that:
- People who have seen official or secret information remember to keep it confidential.
- New people understand your security requirements.
Spread security information through your supply chain to keep everyone informed about new security risks.
Offer support in case of security incidents.
It's reasonable to expect suppliers to manage security risks according to their contracts. But be ready to give help and support when needed, for example if a security incident could affect your business or the wider supply chain.
Make requirements clear in supplier contracts
In supplier contracts, state clearly what is needed for managing and reporting security incidents or breaches.
Specify how soon after an incident providers must report to you, and who the report should be directed to. It is particularly important for providers to report incidents or potential incidents that would:
- Prevent them from delivering the services they are contracted to provide
- Impact your organization's data (when they are storing or transporting it)
Also make clear what help suppliers can expect from you following an incident, such as help with cleaning up and dealing with losses.
Think about including contract conditions that require providers to tell you about breaches of ICT security that involve other clients' information.
Communicate lessons learnt
When you have learnt lessons from security incidents, tell all suppliers. This will help to stop them from becoming victims of 'known and manageable' attacks.