Questions to ask suppliers to help firms gain confidence in their cyber security.
The NCSC released guidance in December 2020 offering a series of questions firms can ask their suppliers to gain confidence in their cyber security. This forms part of its collection of supply chain security guidance.
The recommended questions cover 10 topic areas:
They suggest firms should understand who has responsibility for cyber security at the supplier organisation. Knowing who the risk owners are is a key part of gaining confidence in your supplier.
Given that data breaches are so common, preparing for such an event and reducing the potential harm that a breach can cause is key.
Firms should understand how, and be satisfied that, a supplier protects its network from external and internal harms.
Firms should understand how a supplier protects the data on their networks. Basic controls can go a long way to mitigating many of the harms that could befall data on a network.
It is important that firms know if any of their supplier's services to them are offshored and if so, how those services meet relevant information security controls.
Firms and suppliers need to understand and be in compliance with data protection laws.
Firms should understand what personnel security controls are in place at their supplier.
Firms should understand how their supplier physically protects its premises, data and assets.
Firms should understand how the supplier is gaining confidence that their security controls are working in practice.
There are several important considerations firms may want to include in their contract with the supplier, including:
> Are there any specific risk mitigations or controls in your contract with the supplier which must be passed down to all subcontractors?
> Would you wish to be informed if the supplier changes subcontractors?
> Does the supplier hold (or would you require them to hold) any cyber security certifications, such as Cyber Essentials, Cyber Essentials Plus or ISO27001?
> Will the supplier (or any subcontractors employed by the supplier) connect, or have access to, your data, IT network or premises? If so, how will this be limited, controlled, and monitored?
> For any remote access to your data or IT network, (for example in cases of outsourced IT support), do you have a remote access support agreement in place?
> Do you log their remote access sessions on your systems, with logs captured to reflect the work done?
> Contract exit – what provisions are in the contract for secure deletion or return of your data/assets at contract exit, including transfer of services, data or assets to another supplier?
> How will you monitor for changes in the information risk profile of the supplier over time? This can occur, for example, when the volume of data being processed by the supplier significantly increases, when different types of data are introduced (e.g. personal data or commercially sensitive data), or when new technology is introduced (e.g. mobile access platforms).
> Should you include a “right to audit” and/or regular reporting on security in your contract with the supplier? Should you require your supplier to build in a “right to audit” into contracts with their suppliers/subcontractors, where this affects the service to you?