Introduction
[Organization Name] Vertic Ltd Pty and its core business exist in a wider economic environment in which effective relationships with suppliers are critical to its continued success. However, recent information security breaches have shown that a third-party supplier can represent a significant weakness in the defences of our information assets. It is therefore very important that our relationships with suppliers are based on a clear understanding of our expectations and requirements in the area of information security. These requirements must be documented and agreed in a way that leaves no doubt about the importance we place on the maintenance of effective controls to reduce risk.

It is up to Vertic Pty to demonstrate to our stakeholders that the choices we make regarding suppliers are made with due diligence and that the ongoing monitoring and review of the service supplied is performed in an effective way. The purpose of this document is to set out the organisation's information security policy in the area of supplier relationships.
...
In general, information security requirements will vary according to the type of contractual relationship that exists with each supplier and the goods or services delivered.
However, the following requirements (or a subset of them) will generally apply.
The information security requirements and controls must be formally documented in a contractual agreement, which may be part of, or an addendum to, the main commercial contract
Separate Non-Disclosure Agreements must be used where a more specific level of control over confidentiality is required
Appropriate due diligence must be exercised in the selection and approval of new suppliers before contracts are agreed
The information security provisions in place at existing suppliers (where due diligence was not undertaken as part of initial selection) must be clearly understood and improved where necessary
Remote access by suppliers must be via approved methods that comply with our information security policies
Access to Vertic Ltd Pty information must be limited where possible according to clear business need
Basic information security principles such as least privilege, segregation of duties and defence in depth must be applied
The supplier will be expected to exercise adequate control over the information security policies and procedures used by sub-contractors who play a part in the supply chain for the delivery of goods or services to [Organization Name]
Vertic Ltd Pty will have the right to audit the information security practices of the supplier and, where appropriate, sub-contractors
Incident management and contingency arrangements must be put in place based on the results of a risk assessment
Awareness training will be carried out by both parties to the agreement, based on the defined processes and procedures
A Supplier Information Security Checklist may be required for completion by external suppliers
The selection of required controls must be based upon a comprehensive risk assessment considering information security requirements, the product or service to be supplied, its criticality to the organization and the capabilities of the supplier.
...