Supply Chain. Example Policy. Author: A Heathcote Date: 24/05/2017 Version: 1.0

Transcription

1 Example Policy Author: A Heathcote Date: 24/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

2 Contents 1 Purpose 3 2 Scope 3 3 Applicability 3 4 Guidance 3 Terminology 3 Policy 3 General 3 Security Risks in the Supply Chain 4 Product Supplier Security 4 Service Supplier Security 5 5 Key Words 6 Copyright 2017 Health and Social Care Information Centre. 2

3 1 Purpose The purpose of this Supply Chain Security Example Policy is to provide exemplar guidance in line with HMG and private sector best practice for the implementation of an organisation wide Supply Chain Security Policy. This is in order to allow the reader to produce the necessary policies and guidance for their business area in line with the Department for Health, the wider NHS, health and social care and HMG requirements. 2 Scope The drafting of any policy governing Supply Chain Security in support of NHS or health and social care business functions. 3 Applicability This Example Policy is applicable to and designed for use by any NHS, health and social care or associated organisations that use or have access to NHS systems and/or information and data at any level. 4 Guidance This Example Policy provides guidance on the production of a Supply Chain Security Policy. The Example Policy is in italics with areas for insertion shown as <> and the rationale for each paragraph or section, where required, in [.]. Terminology Term SHALL SHOULD MAY Meaning/Application This term is used to state a Mandatory requirement of this policy This term is used to state a Recommended requirement of this policy This term is used to state an Optional requirement Policy General <Insert organisation name> shall identify Threats, Vulnerabilities and Risks within the supply chain by carrying out appropriate risk assessment and management. <Insert organisation name> shall implement relevant mitigations to counter identified Threats, Vulnerabilities and Risks within the supply chain. <Insert organisation name> shall that ensure that relevant staff are trained as appropriate in the security requirements of the supply chain. <Insert organisation name> shall ensure that security requirements, including Copyright 2017 Health and Social Care Information Centre. 3

4 security incident response, are included in every contract. <Insert organisation name> should ensure that the security aspects of all supplier contracts are closely managed and monitored. <Insert organisation name> shall ensure that once a supplier is accepted in the formal supply chain, the security team works with them to address any vulnerabilities and security gaps. <Insert organisation name> should ensure that any breach of security or security requirements by the supplier leads to an immediate termination of the contract. <Insert organisation name> shall ensure that legacy support for products at the end of life is assured and where required there is a continued supply of authorised updates and parts. <Insert organisation name> shall ensure that tight controls on access to systems, data and information by service suppliers are imposed. <Insert organisation name> shall ensure that access to software by suppliers is limited to a strict Need to Know (NTK). <Insert organisation name> shall ensure that access to hardware by suppliers is limited to a strict NTK. <Insert organisation name> shall ensure that access to control systems by suppliers is limited to a strict NTK. <Insert organisation name> shall ensure that all suppliers are authorised and escorted when on site. [This section should be used to provide clear direction that all normal security practices (including security management, security risk management, security incident management and security education and awareness related policies, standards, procedures and process) as mandated by the organisation will be followed when dealing with the supply chain.] Security Risks in the Supply Chain Supply chain security risks could include: Third party service providers such as maintenance or utility services, or hardware and software suppliers that could have physical or virtual access to systems and information without the NTK. Poor information security practices by lower-- tier suppliers. Compromised software or hardware purchased from suppliers. Software security vulnerabilities in supply chain management or supplier systems. Counterfeit hardware or hardware with embedded malware. Third party data storage and retention of data without authority. Product Supplier Security <Insert organisation name> shall ensure that controls are in place to manage and monitor production processes. <Insert organisation name> shall ensure that suppliers software and/or Copyright 2017 Health and Social Care Information Centre. 4

5 hardware design process is documented, repeatable and measurable. <Insert organisation name> shall ensure that the mitigation of known vulnerabilities is factored into the suppliers product design. <Insert organisation name> shall ensure that the supplier has and follows documented processes to stay current on emerging vulnerabilities and can demonstrate capabilities to address new zero day vulnerabilities. <Insert organisation name> shall ensure that the supplier performs adequate levels of virus and malware protection and detection. <Insert organisation name> shall ensure that component purchases are as ordered, of the required quality, are not counterfeit or have been tampered with. <Insert organisation name> should ensure that source code is obtained for all purchased bespoke software. <Insert organisation name> shall establish the origin of all parts, components and systems. <Insert organisation name> shall ensure that the supplier has adequate controls in place to perform configuration management, quality assurance and processes to test code quality or vulnerabilities. <Insert organisation name> should ensure that suppliers adequately tamper proof their products. <Insert organisation name> shall ensure that suppliers distribution processes are secure. <Insert organisation name> shall ensure that the supplier assures security through product life-- cycle. [The examples provided in this section should be tailored dependant on the size and structure of the organisation and the type of products procured by the organisation through the supplier chain.] Service Supplier Security <Insert organisation name> shall ensure that suppliers have appropriate physical and personnel security measures in place, for their premises, staff, products and working practices. <Insert organisation name> shall ensure that suppliers have adequate access controls; both system and physical, in place. This should include: The protection and storage of customer data. Data retention policy. Destruction of data at contract end. <Insert organisation name> shall ensure that adequate employee background checks are conducted by suppliers on their staff. <Insert organisation name> shall ensure that approved and authorised distribution channels are established and clearly documented. <Insert organisation name> shall ensure that adequate disposal processes are in place and documented. Copyright 2017 Health and Social Care Information Centre. 5

6 [The examples provided in this section should be tailored dependant on the size and structure of the organisation and the type of services procured by the organisation through the supplier chain.] 5 Key Words Access, Contract, Data, Disposal, Distribution, Hardware, Information, Malware, Product, Risks, Secure, Software, Source code, Supplier, Systems, Threats, Virus, Vulnerabilities Copyright 2017 Health and Social Care Information Centre. 6