02) Does your organisation have formal agreements in place that mandate suppliers (and downstream suppliers) must have implemented a defined level of information security?
Supply Chain Management Trickle Down Security
Written by Haydn Brooks
Created on March 18, 2019
Modified on September 19, 2019

Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that mandates them to have implemented a defined level of information security controls.

It is important that your supplier contracts define the level of information security requirements that suppliers must meet, and that they grant you audit rights over the supplier so that you can obtain assurance that those requirements are actually being met.

The contract should also mandate that the supplier has to ‘trickle down’ these requirements onto any of their suppliers who have access to your data.

The following is a list of example security clauses that may need to be included in your contracts:

  • Right to audit. This is a clause that gives your organisation the right to audit and test the supplier’s security controls periodically, or upon significant changes to the relationship.
  • Notification about security breaches. This is a clause requiring the supplier to inform you in a timely manner regarding any security breaches that may impact your business. Generally, this clause is aligned to GDPR’s data breach notification requirements as well.
  • Adherence to security practices. This is a clause requiring the provider to adhere to your defined set of security requirements (such as those measured on Risk Ledger). It aims to prevent security gaps or conflicts that could impair security performance. This clause should also include a ‘trickle down’ requirement that ensures the supplier mandates, and checks, that its own suppliers fulfil the same security requirements as defined by this clause.
  • Response time to vulnerabilities. This clause can be included in the above adherence to security practices clause. It requires the supplier to provide, in a timely manner, proper treatment for known vulnerabilities that may impact your business.
  • Communication of changes. This clause requires the supplier to inform you in a timely manner of any changes in its environment that may impact your own business’s risk profile.

How to implement the control:
Risk Ledger recommends that you use a solicitor to ensure all of your supplier contracts contain the relevant clauses, so that all risks (security and other risks) are minimised. Risk Ledger helps you make sure your suppliers comply with your information security requirements; to find out more, contact us at info@riskledger.com!

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.