No company is a data island any longer. Greater volumes of data are being shared with third parties than ever before. Consequently, our responsibilities for information security and data protection do not stop at the boundaries of our own company’s infrastructure and systems. Supplier security management is now a high priority for information security managers.
Who Has Your Data?
Your data is handled in numerous ways by third parties these days. The most common example is where you share data to outsource particular business processes like payroll, customer support or telemarketing. Even if your IT services are all managed in-house, it is likely that your data centre facility is provided by a third party, and cloud infrastructure services like AWS and Azure are becoming increasingly popular.
If you outsource software development, there will be a range of data security risks to deal with. If the right controls are not put in place, developers may have an opportunity to access your live data, either directly or via poorly controlled test data. The software they create is also a potential risk if secure coding practices are not in place or testing procedures are not properly followed.
You may work in collaboration with other organisations on research and development projects which require strict confidentiality and agreements on intellectual property. You may be involved in joint tenders where you need to reveal commercially sensitive information about your capabilities and pricing.
It is highly likely that you will also need to manage the risks from third party staff who visit your office, like contractors, cleaners and maintenance engineers. You need to be confident that these individuals are trustworthy, competent and properly insured.
What Does ISO 27001 Say About Supplier Security Management?
All worthwhile security standards recognise that you need to manage the risks to data you share with third parties. ISO 27001, for example, identifies supplier security management as an area of concern for organisations and section A15 of Annex A focusses directly on this area. Other mandatory clauses and Annex A control areas in ISO 27001 also have a bearing on how you manage supplier security.
Clause 6.1.2 requires that the organisation define and apply an information security risk assessment process. This applies as much to supplier security risks as internal security risks. The risk assessment process should help you to differentiate between suppliers and, based on the results of the risk assessment, determine whether existing controls are sufficient or whether you require additional measures before you could confidently share data. For example, you may not need to insert confidentiality clauses in a contract with your vending machine supplier, but you will probably want to do it for outsourced software development.
Annex A Control A.7.1.1 details the requirement to carry out pre-employment background checks on your staff. This can equally apply to third party staff. Taking the above example, you would normally require a supplier of outsourced software development to carry out pre-employment checks on its staff, whereas you would be less likely to require this of the vending machine supplier. It will, of course, depend on what is revealed in the risk assessment. If the vending machine engineer will access particularly sensitive areas of your office, you may require stricter controls than if they can only access common areas. Typical background checks include references from previous employment, financial history and criminal records checking.
Annex A Control A.15.1.2 deals with addressing security within supplier agreements. A typical approach to this is to have a standard list of security clauses. These may include confidentiality, intellectual property agreements, the acceptable methods for sharing data including the methods of encryption that are to be used, which of the third party’s staff can access your data and labelling requirements for confidential information. It may even cover training requirements for the staff who will work with your data. When writing the security clauses in the supplier contract, make sure that the risks identified in the risk assessment are fully addressed.
The controls detailed in Annex A section A9 refer to access control and restricting access to data to those that need it. It is common for outsourcing agreements to restrict data or system access to a specific team or named list of individuals. This ties in with Control A.15.2.1 (Monitoring and review of suppliers). It is important that you have a process to check your suppliers’ compliance with the security clauses in the agreement, and that things like access lists are maintained and up-to-date. This is often facilitated through an audit clause in the contract.
At the end of the contract with your supplier, you should ensure that confidentiality extends beyond the contract period. You also need to make sure any assets are returned or securely disposed of and that systems access is terminated. This is especially important when the relationship ends on bad terms so, again, contract terms to cater for termination would be the best approach.
Striking a Balance
There is no one-size-fits-all approach to supplier security management. It’s all about striking the balance between security and supplier relationship and matching the appropriate controls to the service being provided. Organisations that are good at supplier management usually streamline the process by creating supplier categories with corresponding rules relating to security requirements. Example categories would be suppliers with whom you share data externally, suppliers who have access to data only at your locations and suppliers who can access data only when you allow it on a case-by-case basis, like external support.
If you do not have policies and procedures in place for supplier security management, reviewing your supplier list and identifying categories would be a great place to start. If you would like to discuss this or any aspect of supplier security, please feel free to get in touch with me via simonhunt.org