A15 Supplier Relationships

00:02

lesson 11 2011

00:04

a 15 supplier relationships

00:10

In this lesson, we will cover an understanding off control Set a 15,

00:15

the controls it covers and includes what these controls mean

00:20

as well as some examples of evidence that you can use in order. It's related to your items.

00:31

A 15 supplier relationships

00:34

consists of two control areas.

00:37

The first control area,

00:39

isn't it?

00:40

In put one

00:42

information security in supplier relationships.

00:46

This control area consists of three controls.

00:51

The first control is

00:53

a 15.1 point one

00:57

information security policy for supplier relationships.

01:02

This control specifies that information security requirements

01:06

for mitigating the risks associated with suppliers access to your organization's acids

01:12

shall be agreed with the supplier and formally documented.

01:19

Thes Second control

01:22

is a 15.1 point two

01:26

addressing security within supplier agreements.

01:30

This control is something that's really big when it comes to your third party. Risk management

01:37

Often

01:38

information security requirements

01:41

and clauses specific to your organization,

01:44

to which third parties need to be compliant

01:48

are often overlooked

01:49

and neglected from being included in supplier agreements.

01:55

Supplier agreements are where you can enforce specific requirements onto your suppliers,

02:04

so all relevant information security requirements

02:07

need to be established

02:09

and agreed upon with each supplier.

02:14

This is important for suppliers that may have access to

02:19

process,

02:20

store,

02:21

communicate

02:23

or provide I t infrastructure components. Full

02:27

your organization's information.

02:32

The third Control is a 15.1 point three

02:38

information and communication technology supply chain.

02:46

This is specific to your agreements with suppliers

02:51

and that these agreements need to include requirements

02:54

that address information security risks

02:58

that are specifically associate ID with information and communication technology services

03:05

and product supply chain.

03:09

This is an especially important concept to be aware of when you use a third party supplier

03:15

to host your data center or provide you with cloud services.

03:21

One of the biggest risks

03:23

is that that service provided either goes out of business.

03:27

There is no longer able to provide you with the platform that you require.

03:32

There needs to be some sort of fullback agreement

03:36

and some way in which the supplier can either transfer you to another supplier

03:42

or make some kind of plan to ensure that your services are not affected

03:46

by issues that they are facing.

03:50

Of course, within reason,

03:53

have a discussion with your suppliers

03:54

and ensure that you identify any risks around these scenarios

03:59

and that these air appropriately included and mitigated in your agreements with your suppliers.

04:08

The second control area

04:10

is a 15.2

04:12

supplier service delivery management.

04:15

This area consists of two controls.

04:18

The first control is a 15.1 point point to 0.0.1. So

04:26

monitoring and review off supplier services

04:30

organizations should regularly regularly monitor review an audit

04:36

service delivery off their suppliers.

04:41

It is important that once we've set up these requirements in the service

04:46

agreement,

04:46

what supplies

04:48

that we're staying on top of our supplies and making sure that they are delivering on their agreed upon requirements.

04:58

If you have specific requirements that the service provider must be penetrated penetration tested

05:03

every quarter,

05:05

then for example, the suppliers should be reply supplying you with the reports off these penetration tests.

05:15

The second control is a 15.2 point two

05:19

managing changes to supply your services,

05:26

so in some cases

05:28

service providers could change or enhance their services.

05:32

All you is an organization would want to make changes or enhancement to the services that you receive from your suppliers.

05:42

When changes occur,

05:44

it is important to ensure that you maintain

05:46

and improve existing information security policies,

05:51

any associated procedures and controls,

05:55

as well as the requirements, and closes in the various agreements.

06:00

It is also important to take into account the criticality off your business information

06:05

systems and processes that are involved

06:10

in the change.

06:13

A reassessment of risks would be required

06:16

to ensure that these are appropriately mitigated and managed.

06:21

Some examples off documentation or evidence that you can use in this general area

06:29

include your information security and business continuity strategies.

06:35

When you have a third party involved in your business continuity,

06:41

it is important to specify this and include them in any planning

06:46

or communication activities pertaining to your business. Continuity.

06:50

Make sure that your plans are aligned

06:53

and that their recovery targets

06:56

meet your recovery targets.

07:00

You might also have policies or procedures which concerns suppliers and any of their own upstream or peer suppliers, partners or customers.

07:12

So this pertains to how are your third parties managing their third parties? Do they have robust third party risk management processes in place?

07:29

There would also be associated records.

07:32

We're through God's too

07:33

contact points

07:35

for routine operations,

07:38

escalation

07:40

or commercial or exceptional issues.

07:44

You would also be generating some sort of report

07:46

regarding performance and compliance off the supplier.

07:51

Incident management

07:54

would also generate documents,

07:56

whether this these air incidents that the supplier has detected on your behalf,

08:01

or whether it's incidents you have raised on your own supplier for a lack off nonperformance,

08:09

risk assessment and risk treatment reports must also be

08:13

created and maintained for your various third parties,

08:18

your contracts or agreements in place with the third parties

08:22

specifically showing the information security requirements and clauses included there.

08:39

In this lesson,

08:41

we covered the to control areas that make up control, set a 15 supplier relationships.

08:50

We covered the five controls included in this area

08:54

what these controls mean at a high level,