This document outlines NHS GG&C's information security policy regarding supplier relationships. It aims to ensure protection of organizational assets accessible by suppliers and maintain an agreed security level per supplier agreements. Key points include conducting risk assessments before engaging suppliers, specifying security requirements in contracts, monitoring supplier access and services, and managing changes to supplied services. The policy implements controls from the NHS Scotland Information Security Policy Framework to reduce risks from threats such as unauthorized access, theft, and non-compliance.
Information Security Policy 15

Supplier Relationships

Lead Manager: Head of Operations
Responsible Director: Director eHealth
Approved By: Information Governance Steering Group
Date Approved: December 2019
Review Date: December 2021
Version No.: N1.0

THIS DOCUMENT IS CURRENT AS AN ON LINE DOCUMENT


Consultation and Distribution Record
Contributing Authors: IT Compliance Manager
Consultation Process / Stakeholders: Information Governance Steering Group
Distribution: All Staff

Change Record
Date         | Author   | Change           | Version No.
23 Feb 2017  | S Harris | First created    | V0.1
20 Oct 2017  | S Harris | Updated          | V0.2
8 Feb 2018   | S Harris | Formatting       | V0.3
24 July 2018 | S Harris | Formatting       | V0.4
11 Mar 2019  | S Harris | Updated for NISD | V0.5
1 Oct 2019   | S Harris | Updated for NISD | V N1.0

Contents
1 INTRODUCTION
2 OBJECTIVES
3 SCOPE
4 LOCATION
5 SUPPLIER RELATIONSHIPS: INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS
5.1 Information security policy for supplier relationships
5.2 Addressing security within supplier agreements
5.3 Information and communications technology supplier chain
6 SUPPLIER RELATIONSHIPS: SUPPLIER SERVICE DELIVERY MANAGEMENT
6.1 Monitoring and review of supplier services
6.2 Managing changes to supplier services
7 CONTRACTS AND CONFIDENTIALITY AGREEMENTS
8 INFORMATION SECURITY POLICY FRAMEWORK (2018) CONTROL
9 REFERENCES
9.1 GG&C Standard/policy/guidance
9.2 NHSS Standard/policy/guidance

1 INTRODUCTION
This Policy supports the implementation of the sub-control objectives relating to
"Supplier relationships: information security in supplier relationships" and
"Supplier relationships: supplier service delivery management" in the NHS Scotland
Information Security Policy Framework (2018), as part of the Network and Information
Systems Regulations (2018). The Policy also supports the Supply Chain Guidance of
the Scottish Government's Public Sector Action Plan (PSAP).

2 OBJECTIVES
The objectives of this policy are:
- To ensure protection of the organisation's assets that are accessible by
suppliers.
- To maintain an agreed level of security and service delivery in line with
supplier agreements.

3 SCOPE

This policy relates to all suppliers requiring access to GGC information assets or
suppliers hosting GGC information assets.

4 LOCATION

Where the term staff is used it shall be taken to apply to full or part time employees,
contractors, volunteers or third parties that work on behalf of NHS GG&C.

5 SUPPLIER RELATIONSHIPS: INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS

The two sub-controls in this policy are designed to reduce the impact and
likelihood of the following threats, as defined in the Information Security Risk
Management Policy.

Threat Number | NHSGGC Commonly Identified Threats
T1  | Deliberate unauthorised access or misuse by known outsiders (including supplier)
T3  | Theft or wilful damage by outsiders of data or equipment
T7  | Theft of data via unauthorised access by hacker / malicious external actor
T11 | Breach of legislation, privacy/regulation issue
T13 | Inadequate or absent audit trail
T16 | Environmental failure, such as loss of electricity
T17 | System or network software failure
T18 | Supplier withdraws a key product in the solution, or the product reaches end of life
T19 | Key supplier becomes insolvent
T20 | Supply chain cyber attack

5.1 Information security policy for supplier relationships
- GGC shall ensure that a full assessment of the potential security risks of
using an outsourced provider or a supplier is carried out. This must include
identification of what needs to be protected and why.
- GGC shall ensure that the risks associated with outsourcing are managed
through the imposition of suitable controls, comprising a combination of
legal, physical, technical, procedural and managerial controls.
- GGC shall ensure that there is an identified service owner and eHealth owner
for each supplier.
- GGC should consider the following when selecting an outsourced provider or a
supplier:
  - Supplier's reputation and history.
  - Quality of services provided to other customers.
  - Financial stability of the company and commercial record.
  - Retention rates of the company's employees.
  - Quality assurance and security management standards currently followed by
the company (e.g. certified compliance with ISO 9001 and ISO/IEC 27001,
Cyber Essentials / Cyber Essentials Plus).

5.2 Addressing security within supplier agreements

Relevant information security requirements must be established with each supplier
that may access, process, store, communicate or provide ICT infrastructure
components for the organisation's information.

Requirements must include specifying:

- what data is held by or accessed by the supplier;
- where data is held by the supplier, the process of sanitisation of storage
media that is applied during the contract and will be applied at contract
termination;
- whether the supplier to GGC has subcontracted any services;
- the access method;
- who within the supplier will be managing the cyber risks for the delivery of
the contract;
- the basic staff training and awareness raising around cyber risk carried out by
the supplier;
- cyber assurance accreditation, e.g. Cyber Essentials, ISO 27001 or equivalent.

These requirements must be specified in the Supplier Contract.

5.3 Information and communications technology supplier chain

Access to the organisation's assets shall include assurance procedures and must be
in compliance with the GGC Third Party Access Policy.

The contracted supplier must manage all accesses provided to it.

Data can only be transferred by explicit agreement from GGC using a defined secure
method.

6 SUPPLIER RELATIONSHIPS: SUPPLIER SERVICE DELIVERY MANAGEMENT

6.1 Monitoring and review of supplier services


As a minimum, as part of the annual contract review, each supplier will go through a
reassessment of its access procedures and of the GGC accounts it has been
allocated.

6.2 Managing changes to supplier services


Suppliers must notify GGC of proposed changes to the provision of services and
their impact on existing information security policies, procedures and controls.
A risk assessment must be carried out for the proposed new service.

7 CONTRACTS AND CONFIDENTIALITY AGREEMENTS


The requirements for information security in supplier relationships and supplier
service delivery management must be included in the supplier contract.

8 INFORMATION SECURITY POLICY FRAMEWORK (2018) CONTROL

36) Supplier relationships: supplier service delivery management

Objective
To maintain an agreed level of security and service delivery in line with supplier agreements.

Sub-control (ISO 27001-CAF-ICO Ref. no.) | Detail
a) Monitoring and review of supplier services (ISO: A.15.2.1) (CAF: A4.a) | Organisations shall regularly monitor, review and audit supplier service delivery and associated security provisions.
b) Managing changes to supplier services (ISO: A.15.2.2) (CAF: A4.a) | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

9 REFERENCES

9.1 GG&C Standard/policy/guidance

9.2 NHSS Standard/policy/guidance

Contract and supplier security: example policy (NHS Digital 2017)
https://www.digital.nhs.uk/media/31609/Contract-and-Supplier-Security-Example-Policy/doc/Contract_and_Supplier_Security_-_Example_Policy_230517