Supplier Security policy

Published: 30 December 2022
Freedom of information class: How we procure goods and services

Purpose and scope

This policy sets out the requirements to be met when engaging with individuals or organisations external to RoS (‘third parties’) that require access to RoS information assets. Third parties include contractors, suppliers, service providers, partners and other stakeholders supporting our delivery.

This policy covers activities undertaken under contractual or commercial arrangements, including the supply of goods and services to or by us, and to activities conducted under other non-commercial agreements or arrangements.

This policy covers access to all our information assets, whatever their format or sensitivity, and wherever they are created, used or stored. Information assets include all our data and electronic information, software and applications, hardware and equipment, and hardcopy information.

This policy is subordinate to the overarching RoS Information Security Policy.

Risk management

Third party access to our information assets must be risk-assessed by staff prior to access being enabled. Risk assessment must consider each of the following as applicable:

The level and duration of the access and privileges required by the third party, restricting these to the minimum required to perform the agreed tasks – these should be monitored over time and third parties made aware of this.

The security controls implemented by the third party – all prospective suppliers must be subject to the third-party due diligence process administered by procurement colleagues, prior to being enabled with access.

The suitability of personnel to access our information assets – all contractor staff must be subject to the required vetting for their role, prior to being enabled with access.

The legal controls implemented between us and the third party – agreements and arrangements must be formally documented and include details of the respective information security responsibilities of each party, including how data will be transferred, deleted or destroyed upon termination/cessation.

Risks to information assets which are identified must be recorded and assessed by staff. A named risk owner must be identified, made aware of the risk, and lead on risk treatment or tolerance.

Risks to information assets must be reviewed during the lifetime of the arrangement with the third party to ensure that any changing risk exposure is identified and treated appropriately.

This policy should be brought to the attention of any third party with whom we enter an arrangement or agreement requiring the provision of access to our information assets, and should form part of our procurement and supply/purchasing procedure.

Third party obligations

Third parties must:

Implement appropriate organisational and technical security controls to protect our information assets, and monitor these to prevent unauthorised access or use.

Provide details of the organisational and technical security controls in place to protect our information assets, and the monitoring of these, on request.

Demonstrate alignment with all relevant RoS information security policies, guidelines and procedures, and compliance with the law.

Inform us without delay of any of the following events which might compromise the confidentiality, availability, or integrity of our information assets:

  • Relevant security events or incidents, including near misses
  • Deficiencies in security controls that cannot be immediately remediated
  • Changes to security controls
  • Employee actions or procedural failures

Report such events to our IT Security Team, Procurement account lead and Data Protection Officer, and supply post-event information detailing the cause, protective measures, lessons learned and improvement actions without delay.

Third party supply chains

With regard to their own sub-contractors and suppliers, third parties must:

Conduct security due diligence of each sub-contractor or supplier, prior to allowing the subcontractor to access any of our information assets.

Satisfy themselves that each sub-contractor or supplier has implemented appropriate organisational and technical security controls to protect our information assets, equivalent to those implemented by the third party itself, and monitor these to prevent unauthorised access or use.

Ensure that each sub-contractor or supplier enters into any written agreements or undertakings required by us.

Provide the name, address and location of any sub-contractor or supplier on request.

Provide details of the organisational and technical security controls in place to protect our information assets, and the monitoring of these, on request.

Roles and responsibilities

All RoS staff and contractors are bound by the commitments of this policy and are required to effectively operate the various procedures and controls which facilitate compliance in practice.

Colleagues with responsibilities for systems and processes which support information assets are responsible for ensuring that the principles of this policy are accounted for, whether in design, development or operation.

The RoS Information Security Group (ISG) has operational ownership of this policy and is responsible for ensuring its fulfilment in practice.

The RoS Departmental Security Officer (DSO), Senior Information Risk Owner (SIRO), and Information Asset Owners (IAOs), who constitute our Information Assurance Group (IAG), have strategic oversight and overall accountability for information security within RoS.

Third parties will support this policy’s fulfilment in practice.

This policy should be part of the publication scheme. Internally, all employees should be made aware of the policy. Any third-party suppliers engaged to conduct work for or on behalf of RoS must also be made aware of this policy. The policy must be a mandatory read for all colleagues outwith core Registration roles, GPC cardholders and contractors working within these areas.

Approval and review

This policy will be reviewed and approved by the Information Security Group (ISG) annually, unless earlier review is appropriate.

Author: Information Governance Advisor
Reviewed: Data Protection Officer
Cleared: Corporate Director – Information Assurance Group (IAG)
Approval: Information Security Group (ISG)
Approval date: 16/03/2022
Policy version: Version 1.0
Review responsibility: Information Security Group (ISG)
Review date: 16/03/2023
Publication scheme: Yes
Email to contact