Example of Procedures to Manage the Information Security Risks Associated with the Use of Supplier’s Products or Services

Supply chain risk management procedure

1.0 Purpose

This Procedure establishes the means by which to assess the risks and opportunities associated with the use of suppliers’ products or services, such as the contracting, procurement, and provision of supplies and services at corporate and project level, as well as the development of sustainable commercial relations. As part of this commitment, XXX considers it a priority to prevent all risks originating from its supply chain or from the goods and services produced or supplied by the companies in its supply chain. The scope covers XXX, its Group companies, and all operations conducted in countries where the Group is present under a concession business model that intervenes in the entire value chain of the infrastructure sector. This Procedure covers our management approach to the supply chain and reflects our commitment and that of our suppliers.

2.0 Scope

These standards apply to all information and information systems that support the operations and assets of XXX, including those provided or managed by a supplier, contractor, or other source, as well as services that are either fully or partially provided, including XXX’s hosted, outsourced, and cloud-based solutions. Principal Offices, employees, contractors, external service providers and system users are required to comply with this supply chain risk management procedure.

3.0 Principles of supply chain security

3.1. Understand what needs to be protected and why

You should know:

  • The sensitivity of the contracts you let or will be letting.
  • The value of your information or assets which suppliers hold, will hold, have access to, or handle, as part of the contract.

Think about the level of protection you need suppliers to give to your assets and information, as well as the products or services they will deliver to you as part of the contract.

3.2. Know who your suppliers are and build an understanding of what their security looks like

You should know:

  • Who your suppliers are. You will need to think about how far down your supply chain you need to go to gain understanding and confidence in your suppliers. You may have to rely on your immediate suppliers to provide information about sub-contractors, and it may take some time to ascertain the full extent of your supply chain.
  • The maturity and effectiveness of your suppliers’ current security arrangements. For example, you could use the CPNI Personnel Security Maturity Model to assess the maturity of your suppliers’ people security arrangements.
  • What security protections you have asked your immediate suppliers to provide, and what they, in turn, have asked any sub-contractors to do:
    • Determine whether or not your suppliers and their sub-contractors have provided the security requirements asked of them.
    • Understand what access (physical and logical) your suppliers have to your systems, premises and information and how you will control it.
    • Understand how your immediate suppliers control access to, and use of, your information and/or assets – including systems and premises – by any sub-contractors they employ.
  • You should focus your efforts in this area on those parts of your suppliers’ business or systems that are used to handle your contract information, or to deliver the contracted product or service.

3.3. Understand the security risk posed by your supply chain

Assess the risks these arrangements pose to your information or assets, to the products or services to be delivered, and to the wider supply chain.

Sources of risk

Risks to and from the supply chain can take many forms. For example, a supplier may fail to adequately secure their systems, may have a malicious insider, or a supplier’s members of staff may fail to properly handle or manage your information. It could be that you have poorly communicated your security needs so the supplier does the wrong things, or the supplier may deliberately seek to undermine your systems through malicious action (this may be under state influence for national security applications). Use the best information you can to understand these security risks. For example:

  • Common cyber attacks – reducing the impact
  • Insider data collection report
  • Insider risk assessment
  • CPNI Holistic Management of Employee Risk (HomER).

Understanding the risk associated with your supply chain is key to ensuring security measures and mitigations are proportionate, effective and responsive. Use this understanding to decide the appropriate levels of protection you will expect suppliers across your supply chain to provide for any contract information, and contracted products or services.

Plan of action

It may be useful to group different lines of work, contracts or suppliers into different risk profiles, based on considerations such as: the impact on your operations of any loss, damage or disruption, the capability of likely threats, the nature of the service they are providing, the type and sensitivity of information they are processing etc. Each profile will require slightly different treatment and handling to reflect your view of the associated risks. This may make things easier to manage and control. You should document these decisions and share them with suppliers. For example, you may decide that contracts which provide basic commodities such as stationery, or cleaning services require very different approaches to management to those that provide critical services or products.
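The grouping described above can be made repeatable by scoring each supplier on the considerations named here (impact of loss or disruption, capability of likely threats, nature of the service, type and sensitivity of the information handled) and mapping the score onto a documented profile with its own minimum requirements. The Python below is an added example, not part of the original procedure; its scales, weights, thresholds, profile names, requirement sets and sample suppliers are all assumptions that an organisation would set for itself.

```python
"""Supplier risk profiling (added example; scales, weights, thresholds,
profile names, requirement sets and sample suppliers are assumptions)."""
from dataclasses import dataclass

# Assumed ordinal scales: a higher value means more risk.
IMPACT = {"negligible": 1, "minor": 2, "major": 3, "severe": 4}
THREAT = {"opportunistic": 1, "capable": 2, "organised": 3, "state": 4}
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}
ACCESS = {"none": 0, "premises": 1, "limited_data": 2, "systems": 3}

TIERS = ["commodity", "standard", "elevated", "critical"]

# Assumed minimum requirements per profile; higher profiles add to lower ones.
REQUIREMENTS = {
    "commodity": ["contract clause: report incidents affecting our information"],
    "standard": ["named security contact",
                 "return and deletion of our information on contract exit"],
    "elevated": ["evidence of security arrangements at tender",
                 "flow-down of our requirements to sub-contractors",
                 "annual reassessment of risk"],
    "critical": ["right to audit, and exercised",
                 "independent assurance (e.g. penetration test or certification)",
                 "incident notification within an agreed timescale",
                 "upward reporting of security performance"],
}


@dataclass(frozen=True)
class Supplier:
    name: str
    service: str
    impact: str        # of loss, damage or disruption to our operations
    threat: str        # capability of the threats likely to target this supplier
    sensitivity: str   # of the information they process for us
    access: str        # physical/logical access they hold to our assets
    subcontracts: bool = False  # they pass our information or work down the chain


def risk_score(s: Supplier) -> int:
    """Weighted sum of the section 3.3 considerations (weights are assumptions)."""
    score = (3 * IMPACT[s.impact] + 2 * THREAT[s.threat]
             + 2 * SENSITIVITY[s.sensitivity] + 2 * ACCESS[s.access])
    if s.subcontracts:
        score += 2  # risk we cannot observe directly (see section 3.2)
    return score


def assign_profile(s: Supplier) -> str:
    """Map the score onto a profile; thresholds are assumptions."""
    score = risk_score(s)
    if score >= 26:
        return "critical"
    if score >= 18:
        return "elevated"
    if score >= 11:
        return "standard"
    return "commodity"


def minimum_requirements(profile: str) -> list:
    """Cumulative requirement set, so a higher tier never drops a lower tier's controls."""
    reqs = []
    for tier in TIERS[: TIERS.index(profile) + 1]:
        reqs.extend(REQUIREMENTS[tier])
    return reqs


def profile_register(suppliers) -> dict:
    """The documented decision per supplier that section 3.3 says to record and share."""
    register = {}
    for s in suppliers:
        profile = assign_profile(s)
        register[s.name] = {"service": s.service, "score": risk_score(s),
                            "profile": profile,
                            "minimum_requirements": minimum_requirements(profile)}
    return register


# Constructed sample suppliers.
SAMPLE_SUPPLIERS = [
    Supplier("Stationery Co", "office supplies", "negligible", "opportunistic", "public", "none"),
    Supplier("CleanRight Ltd", "cleaning", "minor", "opportunistic", "internal", "premises"),
    Supplier("PayFlow SaaS", "payroll", "major", "capable", "confidential", "limited_data", True),
    Supplier("HostCore MSP", "managed hosting", "severe", "organised", "confidential", "systems", True),
]

if __name__ == "__main__":
    for name, entry in profile_register(SAMPLE_SUPPLIERS).items():
        print(f"{name}: score {entry['score']} -> {entry['profile']}")
```

Running it places the stationery supplier in the commodity profile and the managed hosting provider in the critical profile, which is the kind of differentiated treatment the paragraph describes; the register it returns is the artefact to document and share with each supplier.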

3.4. Communicate your view of security needs to your suppliers

Ensure that your suppliers understand their responsibility to provide appropriate protection for your contract information and contracted products and services and the implications of failing to do so. Ensure your suppliers adhere to their security responsibilities and include any associated security requirements in any sub contracts they let. You should decide whether you are willing to permit your suppliers to sub-contract and delegate authority to do so appropriately. Give your suppliers clear guidance on the criteria to use for such decisions (e.g. the types of contract that they can let with little/no recourse to you, and those where your prior approval and sign-off must always be sought).

3.5. Set and communicate minimum security requirements for your suppliers

You should set minimum security requirements for suppliers which are justified, proportionate and achievable. Ensure these requirements reflect your assessment of security risks, but also take account of the maturity of your suppliers’ security arrangements and their ability to deliver the requirements you intend to set. It may also be sensible to identify circumstances where it would be disproportionate to expect suppliers to meet the minimum security requirements. For example, this may only be relevant for those suppliers who only need ad hoc, or occasional access to limited and specific data, and/or access to your premises. You should document these considerations and provide guidance on the steps you intend to take to manage these engagements. This approach could help reduce your workload and avoid creating additional, unnecessary work for these parties.

Case by case

Consider setting different protection requirements for different types of contracts, based on the risk associated with them – avoid situations where you force all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified to do so. Explain the rationale for these requirements to your suppliers, so they understand what is required from them. Include your minimum security requirements in the contracts you have with suppliers and in addition, require that your suppliers pass these down to any sub-contractors they might have.

3.6. Build security considerations into your contracting processes and require that your suppliers do the same

Build security considerations into your normal contracting processes. This will help you to manage security throughout the contract, including termination and the transfer of services to another supplier.

Require prospective suppliers to provide evidence of their approach to security and their ability to meet the minimum security requirements you have set at different stages of the contract competition.

Providing support

Develop appropriate supporting guidance, tools and processes to enable the effective management of the supply chain by you and your suppliers, at all levels.

You should:

  • Ensure the security considerations you build into your contracts are proportionate and align with the various stages of the contracting process.
  • Require their adoption in contracts and train all parties on their use.
  • Check that your supporting guidance, tools and processes are being used throughout the whole of your supply chain.
  • Require contracts to be renewed at appropriate intervals, and require reassessment of associated risks at the same time.
  • Seek assurance that your suppliers understand and support your approach to security and only ask them to take action or provide information where it is necessary to support the management of supply chain security risks.
  • Ensure that contracts clearly set out specific requirements for the return and deletion of your information and assets by a supplier on termination or transfer of that contract.

3.7. Meet your own security responsibilities as a supplier and consumer

Ensure that you enforce and meet any requirements on you as a supplier. Provide upward reporting and pass security requirements down to sub-contractors. Welcome any audit interventions your customer might make, tell them about any issues you are encountering and work proactively with them to make improvements. Challenge your customers if guidance covering their security needs is not forthcoming, and seek assurance that they are happy with the measures you are taking.

3.8. Raise awareness of security within your supply chain

Explain security risks to your suppliers using language they can understand. Encourage them to ensure that key staff (e.g. procurement, security, marketing) are trained on, and understand these risks, as well as their responsibilities to help manage them.

  • Set goals: Establish supply chain security awareness and education for appropriate staff.
  • Information sharing: Promote and adopt the sharing of security information across your supply chain to enable better understanding and anticipation of emerging security attacks.

3.9. Provide support for security incidents

Whilst it is reasonable to expect your suppliers to manage security risks in accordance with the contract, you should be prepared to provide support and assistance if necessary where security incidents have the potential to affect your business or the wider supply chain.

Make requirements clear

You should clearly set out requirements for managing and reporting security incidents in the contract. These should clarify the supplier’s responsibilities for advising you about such incidents – reporting timescales, who to report to etc. Suppliers should also be clear about what support they can expect from you if an incident occurs – required ‘clean up’ actions, losses incurred, etc.

Propagate lessons learned

Where lessons have been learnt from security incidents, communicate these to all your suppliers, to help them avoid becoming victims of ‘known and manageable’ attacks.

3.10. Build assurance activities into your supply chain management

  • Require those suppliers who are key to the security of your supply chain, via contracts, to provide upward reporting of security performance and to adhere to any risk management policies and processes.
  • Build the ‘right to audit’ into all contracts and exercise this. Require your suppliers to do the same for any contracts that they have let that relate to your contract and your organisation. (Note that this might not always be possible or desirable, particularly where this relates to a Cloud service).
  • Build, where justified, assurance requirements such as Cyber Essentials Plus, penetration tests, external audit or formal security certifications into your security requirements.
  • Establish key performance indicators to measure the performance of your supply chain security management practice.
  • Review and act on any findings and lessons learned.
  • Encourage suppliers to promote good security behaviours.

3.11. Encourage the continuous improvement of security within your supply chain

  • Encourage your suppliers to continue improving their security arrangements, emphasising how this might enable them to compete for and win future contracts with you. This will also help you to grow your supply chain and choice of potential suppliers.
  • Advise and support your suppliers as they seek to make these improvements.
  • Avoid creating unnecessary barriers to such improvements: acknowledge and be prepared to recognise any existing security practices or certifications they might have that could demonstrate how they meet your minimum security requirements.
  • Allow time for your suppliers to achieve security improvements, but require them to provide you with timescales and plans that demonstrate how they intend to achieve them.
  • Listen to and act on any concerns highlighted through performance monitoring, incidents, or upward reporting from suppliers that may suggest that current approaches are not working as effectively as planned.

3.12. Build trust with suppliers

  • Seek to build strategic partnerships with key suppliers, sharing issues with them, encouraging and valuing their input. Gain their buy-in to your approach to supply chain security, so that it takes account of their needs as well as your own.
  • Let them manage sub-contractors for you, but require them to provide you with appropriate reporting to confirm the status of these relationships.
  • Maintain continuous and effective communications with your suppliers.
  • Look at supply chain management as a shared issue.


All information assets that process, store, receive, transmit or otherwise could impact the confidentiality, integrity, and availability of XXX information must meet the required security controls defined in this procedure, which are based on the ISMS Risk assessment procedure.

4.1 Supply Chain Risk Management Plan

The following shall be implemented:

a. Develop a plan for managing supply chain risks associated with acquisition, delivery, integration, operations and maintenance, and disposal of the information systems and services:

  1. The Supply Chain Risk Management (SCRM) plan should provide the basis for determining whether a technology, service or information system is fit for purpose and as such the controls need to be tailored accordingly.
  2. The SCRM plan shall include the following:
    • an expression of the supply chain risk tolerance for the agency;
    • acceptable supply chain risk mitigation strategies or controls;
    • a process for consistently evaluating and monitoring supply chain risk;
    • approaches for implementing and communicating the plan;
    • a description of and justification for supply chain risk mitigation measures taken; and
    • associated roles and responsibilities.

b. Review and update the supply chain risk management plan on an annual basis or as required, to address threat, organizational or environmental changes.
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

4.2 Establish SCRM Team

The following shall be implemented:
a. Establish a supply chain risk management team that consists of the defined roles and is responsible for identifying, assessing, and managing risks while using coordinated efforts.
b. The SCRM team shall consist of personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executives, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, and acquisition.
c. The SCRM team shall be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

4.3 Supply Chain Controls and Processes

The following shall be implemented:

  1. Establish processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of information systems in coordination with the identified supply chain personnel.
    • Supply chain elements include organizations, entities, or tools employed for the acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components.
    • Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components.
  2. Employ the following controls to protect against supply chain risks to information assets, systems, system components, or system services and to limit the harm or consequences from supply chain related events (examples):
    • Control Assessments
    • External System Services
    • Acquisition Process
    • Controlled Maintenance
    • Component Authenticity
    • Component Disposal
  3. Document the selected and implemented supply chain processes and controls in an agency-defined document such as a SCRM plan.

4.4 Acquisition Strategies, Tools, and Methods

Acquisition strategies, contract tools, and procurement methods shall be employed to protect against, identify, and mitigate supply chain risks. Examples are as follows:

  • Including incentive programs to system integrators, suppliers, or external services providers to ensure that they provide verification of integrity as well as traceability.
  • Requiring tamper-evident packaging.
  • Using trusted or controlled distribution.
  • Establish compliance standards for all third-party vendors, including manufacturers, suppliers, and distributors.
  • Define user roles and implement security controls to restrict who is able to access your system and what level of clearance they have been given.
  • Perform a thorough vendor risk assessment prior to signing any contracts.
  • Implement data stewardship standards that define who owns certain data and what they’re to do with that data.
  • Provide comprehensive training for all employees about cyber security protocols.
  • Implement a software solution that provides you with total visibility into your supply chain, so you can quickly identify unusual activity.
  • Work with vendors in your supply chain network to develop a unified disaster recovery plan to ensure business continuity.
  • Establish backup controls to safeguard your data backups.
  • Regularly update your company’s anti-virus, anti-spyware, and firewall software solutions, as well as look into more advanced cyber security measures, such as DNS filtering and network access control.

4.5 Supplier Assessments and Reviews

Supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide shall be assessed and reviewed annually. An assessment and review of supplier risk should include security and supply chain risk management processes, foreign ownership, and the ability of the supplier to effectively assess subordinate second tier and third-tier suppliers and contractors. The reviews shall consider documented processes, documented controls, and publicly available information related to the supplier or contractor.

4.6 Notification Agreements

Agreements and procedures with entities involved in the supply chain shall be established for the notification of supply chain compromises, including security incidents and privacy breaches, and for the notification of assessment or audit results.

4.7 Inspection of Systems or Components

A process to inspect information systems annually, or upon any indication of tampering with information systems, shall be implemented. Indications of a need for inspection include changes in packaging, specifications, factory location, or the entity from which the part is purchased, and when individuals return from travel to high-risk locations.

4.8 Component Authenticity

The following shall be implemented:
a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
b. Report counterfeit system components to the agency-defined personnel.
Organizations should include in their anti-counterfeit policy and procedures, a means to help ensure that the components acquired and used are authentic and have not been subject to tampering.
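For software and firmware components, one concrete means of checking that what was received is what the supplier dispatched (the "verification of integrity" asked of suppliers in 4.4 and the detection of tampered or counterfeit components required here) is to verify each delivered file against a manifest the supplier authenticated at dispatch. The Python below is an added example and not part of the original procedure: the manifest is authenticated with an HMAC over a key agreed out of band, which is an assumption standing in for a vendor signature, and the supplier name, order reference, key and file contents are constructed sample data.

```python
"""Verifying delivered components against a supplier-authenticated manifest
(added example; the HMAC key stands in for a vendor signature and all
supplier, order and file data are constructed)."""
import hashlib
import hmac
import json

VENDOR_KEY = b"example-key-agreed-out-of-band"  # constructed; a signing key in practice


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so supplier and receiver authenticate the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(components: dict, key: bytes) -> dict:
    """Supplier side: per-component digest list plus an authentication tag."""
    body = {
        "supplier": "ExampleVendor Ltd",   # constructed
        "order": "PO-0001",                # constructed
        "components": {name: sha256_hex(data) for name, data in components.items()},
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_delivery(manifest: dict, received: dict, key: bytes) -> dict:
    """Receiver side: per-component status and an overall accept/reject decision."""
    report = {"manifest_authentic": manifest_is_authentic(manifest, key),
              "components": {}, "accept": False}
    if not report["manifest_authentic"]:
        return report  # an unauthenticated manifest proves nothing about the parts
    listed = manifest["body"]["components"]
    for name, digest in listed.items():
        if name not in received:
            report["components"][name] = "missing"
        elif hmac.compare_digest(sha256_hex(received[name]), digest):
            report["components"][name] = "authentic"
        else:
            report["components"][name] = "digest mismatch: possible tampering or counterfeit"
    for name in received:
        if name not in listed:
            report["components"][name] = "not in manifest: reject"
    report["accept"] = all(s == "authentic" for s in report["components"].values())
    return report


# Constructed sample delivery.
SHIPPED = {
    "firmware.bin": b"\x7fELF...constructed firmware image",
    "agent-1.2.tar.gz": b"constructed archive bytes",
}
MANIFEST = build_manifest(SHIPPED, VENDOR_KEY)


def demo_reports() -> dict:
    """A good delivery, a tampered one with an unlisted extra, and a forged manifest."""
    tampered = {**SHIPPED, "firmware.bin": b"\x7fELF...modified image",
                "debug-tool.exe": b"unexpected extra file"}
    forged = {"body": {**MANIFEST["body"], "supplier": "Someone Else"},
              "tag": MANIFEST["tag"]}  # body changed, tag not recomputed
    return {"good": verify_delivery(MANIFEST, SHIPPED, VENDOR_KEY),
            "tampered": verify_delivery(MANIFEST, tampered, VENDOR_KEY),
            "forged": verify_delivery(forged, SHIPPED, VENDOR_KEY)}


if __name__ == "__main__":
    for case, rep in demo_reports().items():
        print(case, "ACCEPT" if rep["accept"] else "REJECT", rep["components"])
```

The check order matters: the manifest is authenticated before any digest is compared, because a manifest an attacker can rewrite would simply list the digests of the substituted files. Components that are missing, altered, or not listed at all each get a distinct status so that the receiving record shows what to report under 4.8 b.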

4.9 Component Authenticity | Anti-Counterfeit Training

The following agency-defined roles shall be trained to detect counterfeit system components (including hardware, software, and firmware):

  • Personnel conducting configuration management activities
  • System administrators
  • Database administrators
  • Network administrators
  • Procurement personnel

4.10 Component Authenticity | Configuration Control for Component

Configuration control shall be maintained over system components awaiting service or repair and over serviced or repaired components awaiting return to service. Organizations shall manage risks associated with component repair, including the repair process and any replacements, updates, and revisions of hardware and software components within the supply chain infrastructure.

4.11 Component Disposal

Defined data, documentation, tools, or system components shall be disposed of without exposing sensitive or operational information, which may lead to a future supply chain compromise. Examples include the following:
a. Monitoring and documenting the chain of custody through the destruction process.
b. Training disposal service personnel to ensure accurate delivery of service against disposal policy and procedures.
c. Implementing assessment procedures for the verification of disposal processes with a frequency that fits agency needs.
d. Using Media Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—to prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal.

5. Enforcement

Violations of this policy or failure to implement provisions of this policy may result in disciplinary action up to and including termination, civil litigation, and/or criminal prosecution.
