7 hours 52 minutes
lesson 11 2011
a 15 supplier relationships
In this lesson, we will cover an understanding off control Set a 15,
the controls it covers and includes what these controls mean
as well as some examples of evidence that you can use in order. It's related to your items.
A 15 supplier relationships
consists of two control areas.
The first control area,
In put one
information security in supplier relationships.
This control area consists of three controls.
The first control is
a 15.1 point one
information security policy for supplier relationships.
This control specifies that information security requirements
for mitigating the risks associated with suppliers access to your organization's acids
shall be agreed with the supplier and formally documented.
Thes Second control
is a 15.1 point two
addressing security within supplier agreements.
This control is something that's really big when it comes to your third party. Risk management
information security requirements
and clauses specific to your organization,
to which third parties need to be compliant
are often overlooked
and neglected from being included in supplier agreements.
Supplier agreements are where you can enforce specific requirements onto your suppliers,
so all relevant information security requirements
need to be established
and agreed upon with each supplier.
This is important for suppliers that may have access to
or provide I t infrastructure components. Full
your organization's information.
The third Control is a 15.1 point three
information and communication technology supply chain.
This is specific to your agreements with suppliers
and that these agreements need to include requirements
that address information security risks
that are specifically associate ID with information and communication technology services
and product supply chain.
This is an especially important concept to be aware of when you use a third party supplier
to host your data center or provide you with cloud services.
One of the biggest risks
is that that service provided either goes out of business.
There is no longer able to provide you with the platform that you require.
There needs to be some sort of fullback agreement
and some way in which the supplier can either transfer you to another supplier
or make some kind of plan to ensure that your services are not affected
by issues that they are facing.
Of course, within reason,
have a discussion with your suppliers
and ensure that you identify any risks around these scenarios
and that these air appropriately included and mitigated in your agreements with your suppliers.
The second control area
is a 15.2
supplier service delivery management.
This area consists of two controls.
The first control is a 15.1 point point to 0.0.1. So
monitoring and review off supplier services
organizations should regularly regularly monitor review an audit
service delivery off their suppliers.
It is important that once we've set up these requirements in the service
that we're staying on top of our supplies and making sure that they are delivering on their agreed upon requirements.
If you have specific requirements that the service provider must be penetrated penetration tested
then for example, the suppliers should be reply supplying you with the reports off these penetration tests.
The second control is a 15.2 point two
managing changes to supply your services,
so in some cases
service providers could change or enhance their services.
All you is an organization would want to make changes or enhancement to the services that you receive from your suppliers.
When changes occur,
it is important to ensure that you maintain
and improve existing information security policies,
any associated procedures and controls,
as well as the requirements, and closes in the various agreements.
It is also important to take into account the criticality off your business information
systems and processes that are involved
in the change.
A reassessment of risks would be required
to ensure that these are appropriately mitigated and managed.
Some examples off documentation or evidence that you can use in this general area
include your information security and business continuity strategies.
When you have a third party involved in your business continuity,
it is important to specify this and include them in any planning
or communication activities pertaining to your business. Continuity.
Make sure that your plans are aligned
and that their recovery targets
meet your recovery targets.
You might also have policies or procedures which concerns suppliers and any of their own upstream or peer suppliers, partners or customers.
So this pertains to how are your third parties managing their third parties? Do they have robust third party risk management processes in place?
There would also be associated records.
We're through God's too
for routine operations,
or commercial or exceptional issues.
You would also be generating some sort of report
regarding performance and compliance off the supplier.
would also generate documents,
whether this these air incidents that the supplier has detected on your behalf,
or whether it's incidents you have raised on your own supplier for a lack off nonperformance,
risk assessment and risk treatment reports must also be
created and maintained for your various third parties,
your contracts or agreements in place with the third parties
specifically showing the information security requirements and clauses included there.
In this lesson,
we covered the to control areas that make up control, set a 15 supplier relationships.
We covered the five controls included in this area
what these controls mean at a high level,
and we also talked about some examples off information and documentation that can be used as evidence during your orders.