Supply chain cyber security policy (premium)
Increasingly, organisations are recognising cyber security as a strategic risk, touching every aspect of their business, including the way they interact with suppliers and customers.
This supplier cyber security policy is intended to assist your organisation in producing a contract, or a schedule or addendum to a contract, describing the cyber security requirements a supplier (or other person) must comply with before it can do business with your organisation.
The template may be edited to align with a variety of goals, from managing a handful of specific risks when a new supplier's system begins interacting with your own, to attempting to achieve a cyber security benchmark across your entire supply chain.
The content of the policy you produce will depend on the type of interaction you have with the other business, what risks you have identified in your B2B interactions, and how much risk/effort the other organisation is willing to have transferred to it under the contract.
The policy includes suggestions about which terms to choose and opportunities to add additional terms, allowing organisations to mould them to their specific needs. It is delivered with extensive guidance, to allow purchasers to bridge the knowledge gap between legal and technical expertise.
This is an extended version of our standard supplier cyber security policy. It contains all the provisions of that document and in addition includes clauses relating to auditing, breach detection, breach response and policy updating.
This policy was created and is maintained by Emma Osborn of OCSRC (https://www.ocsrc.co.uk) in collaboration with Docular.
Supply chain cyber security policy (premium) contents
- Introduction: purpose of cyber security document; Provider to protect Customer interests regarding cyber security.
- Definitions: definitions.
- Status of this Policy: document forms part of contract.
- Cyber security risks: cyber security is a strategic risk; reference to identified risks; Data protection impact assessments; cyber security risk assessments.
- Cyber security approach: processing data compliance; Provider to maintain minimum level of security; Provider to maintain adequate level of security; Provider to maintain equivalent level of security.
- Cyber security requirements: compliance with applicable standards; implementation of cyber security controls (access); cyber security training requirements; implementation of technical controls.
- Evidential requirements and auditing: evidence of meeting cyber security requirements; reducing risks; independent audit to prove compliance; requirement of audited standards compliance evidence; evidence of self-assessed compliance; ongoing standards compliance.
- Detecting cyber security breaches: logging of system activities; retention of logs beyond the term; recording of system access; monitoring of system; compliance with laws when monitoring system; review of system logs.
- Responding to cyber security breaches: supply of logs for disciplinary action; supply of system logs in the event of a cyber security breach; supply of logs to third parties for investigation; revoking of access to the system; prohibition of employees accessing system; triggering an investigation following complaint; notification of unusual activity or mistakes; notification of breach in Customer system; notification of breach in Provider system; notifying Information Commissioner's Office in case of breach.
- System and Policy reviews and updates: notification of changes to IT system; notification of changes to shared data/system; notification of new threats; notification of security vulnerability; responsibility for reviewing policy; timing of updates; ad hoc reviews and updates; review considerations.
- Actions upon termination: managing termination of contract; provision of data on contract termination; deletion of Customer data; provision of a record of data retained by the other party; access credentials revoked; requirements remaining in force.
ANNEX 1 (EVIDENCE REQUIRED OF COMPLIANCE)
- List of evidence of compliance with cyber security policy.
ANNEX 2 (ADEQUATE ENCRYPTION STANDARDS)
- List of adequate encryption standards.
ANNEX 3 (FORM OF NOTIFICATION OF CYBER SECURITY BREACH)
- Introduction: identification of person giving cyber security breach notification.
- Description of cyber security breach: prompt for description of cyber security breach.
- Parts of the system affected: prompt for specification of affected system parts.
- Proportion of data assets affected: prompt for insertion of proportion of data assets affected.
- Is personal data concerned?: details of effects of breach on personal data.
- Likely consequences of breach: prompt to identify likely consequences of breach.
- Measures taken to address breach: prompt to describe measures taken to address breach.
- Has anyone other than the Customer been notified of the breach?: details of who has been notified of cyber security breach.
- Late report of breach: reasons for later report of cyber security breach.
- Contact details: details of person handling cyber security breach.