Once you gain better control of your supply chain you will be able to analyse strategic risks to it. For example, to:
- Identify any suppliers who continually fail to meet your security and performance expectations.
- Identify critical assets and any over-reliance on single suppliers. This will help you to build further diversity and redundancy into your planning.
4. Communicate your view of security needs to your suppliers
Ensure that your suppliers understand their responsibility to provide appropriate protection for your contract information and contracted products and services and the implications of failing to do so.
Ensure your suppliers adhere to their security responsibilities and include any associated security requirements in any sub-contracts they let.
You should decide whether you are willing to permit your suppliers to sub-contract and delegate authority to do so appropriately.
Give your suppliers clear guidance on the criteria to use for such decisions (e.g. the types of contract that they can let with little/no recourse to you, and those where your prior approval and sign-off must always be sought).
5. Set and communicate minimum security requirements for your suppliers
You should set minimum security requirements for suppliers which are justified, proportionate and achievable.
Ensure these requirements reflect your assessment of security risks, but also take account of the maturity of your suppliers' security arrangements and their ability to deliver the requirements you intend to set.
It may also be sensible to identify circumstances where it would be disproportionate to expect suppliers to meet the minimum security requirements. For example, this may be relevant only for suppliers who need ad hoc or occasional access to limited and specific data, and/or access to your premises.
You should document these considerations and provide guidance on the steps you intend to take to manage these engagements. This approach could help reduce your workload and avoid creating additional, unnecessary work for these parties.
Case by case
Consider setting different protection requirements for different types of contracts, based on the risk associated with them - avoid situations where you force all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified to do so.
Explain the rationale for these requirements to your suppliers, so they understand what is required from them.
Include your minimum security requirements in the contracts you have with suppliers and in addition, require that your suppliers pass these down to any sub-contractors they might have.
Setting the minimum - four use case studies
Based on your view and understanding of security risk in the context of your supply chain, what minimum security requirements could you set?
Minimum security requirements will vary on a case by case basis. To help clarify how you would go about setting minimum requirements, we present four case studies to illustrate the different approaches that can be taken.
These requirements are not necessarily cumulative, but the measures you can implement to address one use case can be re-used for others. The case studies also present different approaches to assurance that can be used to gain confidence in the management of a range of different risks.
Case A. Protecting information that you share with suppliers.
You must protect the information you share with your suppliers from any unauthorised access, modification or deletion, which could cause disruption to your organisation and its business.
To pay off debts, an IT contractor sold computers stolen from an aviation company; the computers contained details of commercial and military flight plans.
A supplier has a legacy application that wasn't fully patched, yet hosted some sensitive information from the customer.
- Consider asking suppliers to use Cyber Essentials as the baseline level of protection. It significantly reduces vulnerabilities to the most common internet based threats (hacking and phishing [1]). All suppliers to government are required to demonstrate how they will achieve its five technical controls. Where this level of commitment is not realistic, the new Cyber Security Small Business Guide may provide a more achievable way for suppliers to begin to improve their resilience.
- Where greater assurance is required and you want suppliers to be able to identify with confidence any potential attacker presence on their systems, require suppliers to understand their systems, implement security monitoring and develop an incident response capability.
- To protect against a wider range of attacks, require suppliers to implement a holistic approach to security, following 10 Steps to Cyber Security, ISO27001 (or similar).
- Where appropriate, require personnel, physical and procedural controls to protect against fraud, theft, and insider threats. All staff working on a contract should be screened, following the principles outlined by the Cabinet Office Baseline Protective Security Standard (BPSS), and additional checks (e.g. financial checks) added as required for the role.
- Require the implementation of ICO guidance for protecting and off-shoring personal information, where the personal information is stored, processed or handled as part of a contract.
- Where suppliers use cloud-based services, you should understand that it is not possible to transfer complete responsibility or accountability for protecting information to the provider of that service. This is true in every case. Security requirements to protect information, systems and services should be reflected in the contracts and service agreements you have in place with suppliers, and should inform the choices they make about how the cloud service is deployed and delivered. For HMG, the G-Cloud digital marketplace provides a range of service offerings that can be matched against your organisation's needs. As a minimum, it is recommended that suppliers follow NCSC's cloud security principles to frame their security needs.
- Where information is held in a common data environment, whether or not this is cloud-based, it is recommended that this is reviewed using the 'Common Data Environments' guidance available on the CPNI website at https://www.cpni.gov.uk/digital-built-assets-and-environments.
[1] Note that the NCSC has launched a number of new services under the Active Cyber Defence programme to improve basic cyber security. For example, Mail Check encourages the adoption of secure email protocols for the Public Sector. Anyone can register their DMARC/SPF records and they should. It may be worthwhile recommending these to your key suppliers too.
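The footnote above recommends that suppliers publish DMARC and SPF records. Publishing a record is only half the job: a record with a weak policy still leaves the domain open to spoofing. The following is an added example (not part of the original guidance, and not NCSC's Mail Check) showing what a reviewer would look for in a supplier's records. The domain names and TXT records are constructed; a real check would fetch the TXT records from DNS for the domain and for `_dmarc.<domain>` before assessing them.

```python
"""Assess SPF and DMARC TXT records for the weaknesses that leave a domain
open to spoofing: a permissive SPF 'all' qualifier, a DMARC policy weaker
than reject, partial enforcement (pct < 100) and no aggregate reporting.
Added illustration; the records below are constructed, not real domains."""

# Constructed sample records, as a DNS TXT lookup would return them.
SAMPLE_RECORDS = {
    "supplier-a.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@supplier-a.example; pct=100",
    },
    "supplier-b.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@supplier-b.example",
    },
    "supplier-c.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no DMARC record published at all
    },
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of findings for an SPF record (empty list = no concerns)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    findings = []
    terms = record.split()[1:]
    # The final 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism; unlisted senders are neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means +all
        if qualifier == "+":
            findings.append("SPF ends in +all: any sender passes")
        elif qualifier in "~?":
            findings.append(f"SPF ends in {qualifier}all: unlisted senders are not rejected")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC record (empty list = no concerns)."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record published"]
    findings = []
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy or 'missing'}; spoofed mail is not rejected")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not being collected")
    return findings


def assess_domain(records):
    return {"spf": assess_spf(records.get("spf")), "dmarc": assess_dmarc(records.get("dmarc"))}


def report(sample=SAMPLE_RECORDS):
    """Assess every domain in the sample and return findings keyed by domain."""
    return {domain: assess_domain(records) for domain, records in sample.items()}


if __name__ == "__main__":
    for domain, result in report().items():
        print(domain)
        for kind, findings in result.items():
            for finding in findings or ["ok"]:
                print(f"  {kind}: {finding}")
```

Only `supplier-a.example` comes out clean; the other two show the patterns worth raising with a supplier: a `~all` SPF with `p=none` DMARC (monitoring only, nothing rejected) and a `+all` SPF with no DMARC record at all.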
Case B. Specifying security requirements to a supplier who is delivering something to you.
You must ensure that the security properties or requirements needed to protect a product or service, have been effectively specified to the supplier.
A supplier is building a digital service for you that will handle very sensitive information. You have poorly described your security needs and therefore the supplier has delivered something which doesn't deliver the security you need.
You need absolute clarity about your security and functional needs. These must be described clearly and unambiguously to the supplier. If the supplier is delivering an IT system, it must meet the security requirements that have been specified, for example Cyber Essentials or any other needs you have set.
In addition, you should consider:
- Be aware of any known gaps in coverage of schemes like Cyber Essentials.
- Requiring additional controls to provide assurance about the product or service to be delivered. If for example, the contract relates to the development of new software tools, or the manufacturing of components, you will need to specify that the supplier follows best practice in these areas.
- In cases where a supply chain is delivering a project or asset/facilities management using collaborative digital engineering systems, such mitigation methods would not be effective; further guidance is available at https://www.cpni.gov.uk/digital-built-assets-and-environments.
- Where a Cloud service is being delivered, you should follow the guidance detailed under Use Case A above.
Case C. Connecting a supplier's systems to yours.
You must ensure that any network connections or data-sharing with third parties does not introduce unmanaged vulnerabilities that have the potential to affect the security of your business systems.
This is a critical consideration for all contracts that include connections to a supplier's system. You will need to decide how you want the supplier to perform the work on your behalf. Will they work at your premises or theirs? How much access and connectivity will they need to carry this out?
Cyber criminals attacked a large commercial company by exploiting unprotected supplier connections that were used to manage the customer's environmental control systems. This led to significant loss of data, disruption to business and significant damage to the company's reputation.
Where a supplier's systems are connected to yours you should:
- Ensure that the accesses you provide to your systems, services, information and premises are limited, controlled and monitored. This is true for both your supplier's people and their systems. These accesses should be reviewed periodically, and removed when no longer required.
- If you intend that the supplier will perform the contracted work on your systems and premises, ensure these are appropriately segregated from the rest of your network. 10 Steps to Cyber Security, Network Security shows you how to do this.
- Access to contract-related information, contracted products or services should be limited on a 'least privilege' basis.
- Have a secure means to exchange hard and soft copy information with your supplier. For guidance on hard copy exchanges see the Cabinet Office, Government Classification Scheme and for guidance on data in transit/exchanges see 10 Steps to Cyber Security, Home and Mobile Working and the Walled Gardens Architectural Pattern.
- Where organisations use operational technology as part of a system or to deliver services, like other technology it should be treated as 'untrusted', and managed accordingly.
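The first and third points in the list above (accesses limited and reviewed periodically, removed when no longer required, and granted on a least-privilege basis) are a procedure that can be run against an access register. The following is an added example, not part of the original guidance, of such a review. The register, the contract scopes and the privilege levels are constructed for illustration; a real review would draw the register from your identity and access management system and the scope from the contract.

```python
"""Periodic review of supplier access: flag accesses that are out of
contract, outside the contracted scope, unused, or above the privilege
level the contract justifies. Added illustration with constructed data."""
from datetime import date, timedelta

# Constructed register of supplier accesses (illustrative data only).
ACCESS_REGISTER = [
    {"supplier": "Acme Facilities", "account": "acme-bms-01", "system": "building-management",
     "privilege": "operator", "last_used": date(2024, 5, 28), "contract_end": date(2025, 3, 31)},
    {"supplier": "Acme Facilities", "account": "acme-bms-01", "system": "finance-db",
     "privilege": "read", "last_used": date(2024, 5, 30), "contract_end": date(2025, 3, 31)},
    {"supplier": "Northwind IT", "account": "nw-support-07", "system": "helpdesk",
     "privilege": "admin", "last_used": date(2024, 5, 25), "contract_end": date(2025, 3, 31)},
    {"supplier": "Northwind IT", "account": "nw-vpn-02", "system": "vpn-gateway",
     "privilege": "read", "last_used": date(2024, 1, 15), "contract_end": date(2025, 3, 31)},
    {"supplier": "Old Contractor Ltd", "account": "old-vpn-01", "system": "vpn-gateway",
     "privilege": "read", "last_used": date(2024, 5, 20), "contract_end": date(2023, 12, 31)},
]

# What each contract actually needs: system -> highest privilege justified (constructed).
CONTRACT_SCOPE = {
    "Acme Facilities": {"building-management": "operator"},
    "Northwind IT": {"helpdesk": "operator", "vpn-gateway": "read"},
}

PRIVILEGE_RANK = {"read": 0, "operator": 1, "admin": 2}
REVIEW_DATE = date(2024, 6, 1)        # the day the review is run
STALE_AFTER = timedelta(days=90)      # unused for longer than this -> remove


def review_entry(entry, scope, today, stale_after):
    """Return (action, reasons) for one access; action is 'keep', 'reduce' or 'remove'."""
    reasons = []
    allowed = scope.get(entry["supplier"], {})
    if entry["contract_end"] < today:
        reasons.append("contract ended")
    if entry["system"] not in allowed:
        reasons.append("system outside contracted scope")
    if entry["last_used"] is None:
        reasons.append("never used")
    elif today - entry["last_used"] > stale_after:
        reasons.append(f"unused for more than {stale_after.days} days")
    if reasons:
        return "remove", reasons
    # Access is justified; check it is held at no more privilege than the contract needs.
    needed = allowed[entry["system"]]
    if PRIVILEGE_RANK[entry["privilege"]] > PRIVILEGE_RANK[needed]:
        return "reduce", [f"privilege '{entry['privilege']}' exceeds contracted '{needed}'"]
    return "keep", []


def review_access(register=ACCESS_REGISTER, scope=CONTRACT_SCOPE,
                  today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Run the review and return only the entries that need action."""
    results = []
    for entry in register:
        action, reasons = review_entry(entry, scope, today, stale_after)
        if action != "keep":
            results.append({"account": entry["account"], "system": entry["system"],
                            "action": action, "reasons": reasons})
    return results


if __name__ == "__main__":
    for item in review_access():
        print(f"{item['action']:6} {item['account']:14} {item['system']:20} {'; '.join(item['reasons'])}")
```

Of the five constructed entries only the first survives unchanged: one access sits on a system the contract never covered, one is held at admin where operator is all the contract needs, one has not been used within the review window, and one belongs to a contract that has already ended. The order of the checks matters: removal reasons are evaluated before the privilege comparison so that an access that should not exist at all is never reported as merely "reduce".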
Case D. National security case - where a state actor may target you.
You must be confident that your supply chain security can deal with attacks, and attempted subversion by state actors - but only in those circumstances where your threat model warrants it.
A security guard contracted to a defence company stole, and attempted to sell documents that detailed the electronic warfare systems used to protect UK and NATO ships, to a foreign intelligence service.
In national security cases such as this, you will need to seek professional advice from the NCSC and CPNI, as this is beyond the scope of the guidance provided.
Matters will likely include:
- Adoption of bespoke approaches to security.
- Use of high assurance products, with improved personnel and physical security arrangements.
- Vulnerabilities that might arise in manufacturing or build processes.
- Additional measures to protect the privacy and identity of contracting partners and their procurement activities.
6. Build security considerations into your contracting processes and require that your suppliers do the same
Build security considerations into your normal contracting processes. This will help you to manage security throughout the contract, including termination and the transfer of services to another supplier.
Require prospective suppliers to provide evidence of their approach to security and their ability to meet the minimum security requirements you have set at different stages of the contract competition.
Develop appropriate supporting guidance, tools and processes to enable the effective management of the supply chain by you and your suppliers, at all levels.
- Ensure the security considerations you build into your contracts are proportionate and align with the various stages of the contracting process.
- Require their adoption in contracts and train all parties on their use.
- Check that your supporting guidance, tools and processes are being used throughout the whole of your supply chain.
- Require contracts to be renewed at appropriate intervals, and require reassessment of associated risks at the same time.
- Seek assurance that your suppliers understand and support your approach to security and only ask them to take action or provide information where it is necessary to support the management of supply chain security risks.
- Ensure that contracts clearly set out specific requirements for the return and deletion of your information and assets by a supplier on termination or transfer of that contract.
7. Meet your own security responsibilities as a supplier and consumer
Ensure that you enforce and meet any requirements on you as a supplier.
Provide upward reporting and pass security requirements down to sub-contractors.
Welcome any audit interventions your customer might make, tell them about any issues you are encountering and work proactively with them to make improvements.
Challenge your customers if guidance covering their security needs is not forthcoming, and seek assurance that they are happy with the measures you are taking.
8. Raise awareness of security within your supply chain
Explain security risks to your suppliers using language they can understand. Encourage them to ensure that key staff (e.g. procurement, security, marketing) are trained on, and understand these risks, as well as their responsibilities to help manage them.
Establish supply chain security awareness and education for appropriate staff. NCSC and CPNI awareness materials may be useful.
Promote and adopt the sharing of security information across your supply chain to enable better understanding and anticipation of emerging security attacks. The Cyber Security Information Sharing Partnership (CiSP) is a great example of a free cyber security information sharing service.
9. Provide support for security incidents
Whilst it is reasonable to expect your suppliers to manage security risks in accordance with the contract, you should be prepared to provide support and assistance if necessary where security incidents have the potential to affect your business or the wider supply chain.
Make requirements clear
You should clearly set out requirements for managing and reporting security incidents in the contract.
These should clarify suppliers' responsibilities for advising you about such incidents - reporting timescales, who to report to, etc. Suppliers should also be clear about what support they can expect from you if an incident occurs - required 'clean up' actions, losses incurred, etc.
GDPR includes fairly short timescales for telling the Information Commissioner about any incidents, so you and your supply chain need to prepare for this.
Propagate lessons learned
Where lessons have been learnt from security incidents, communicate these to all your suppliers, to help them avoid becoming victims of 'known and manageable' attacks.