
DPC/G4.6

GOVERNMENT GUIDELINE ON CYBER SECURITY
ISMF Guideline 6 - Cyber security in procurement activities

Background

Considering potential and actual security risks during procurement is a vital component of holistic security. Cyber (ICT) security management practices are predominantly focused on avoiding potential pitfalls when sourcing products and services. By identifying potential flaws or conceivable impact(s) during the sourcing phase, often costly remediation can be minimised or avoided entirely. The old adage ‘a penny saved is a penny earned’ certainly applies to all sourcing activities. In security terms, a penny saved by considering security requirements at the design and initiation phases of sourcing reduces multiple risks, including economic, reputational and legal liabilities. Responsible Parties need to assure themselves that appropriate due diligence has been undertaken against prospective equipment and service providers.

Particular emphasis in this guideline is placed on verifying that prospective and ongoing suppliers have a demonstrated commitment to ongoing improvement using the underlying principles of ‘Plan-Do-Check-Act’. This guideline supports implementation of ISMF Policy Statement 6.

Guidance

Business Owners are responsible for determining relevant cyber security requirements prior to finalising sourcing arrangements or procuring equipment and services. The Government of South Australia defines baseline security requirements for whole-of-government ICT sourcing arrangements. Individual agencies and suppliers to government have roles to play in determining their own security requirements in alignment with the business risk profile, which is an indication of risk tolerance and appetite. These factors will often change on a case-by-case basis.

For products and services sourced via whole-of-government arrangements, agency-specific measures are implemented at the Customer Agreement (CA) level. Individually sourced products and services will also need to factor in cyber security policy requirements defined in the Protective Security Management Framework (PSMF) and Information Security Management Framework (ISMF).

This guideline highlights the specific policies and standards related to procurement without delving into all of the ‘human factors’ that also need to be catered for when considering a sourcing arrangement. Annex A of the ISMF describes the absolute baseline for cyber security, and each facet of security risk management described therein should be considered prior to finalising any ICT procurement.

Page 1 of 10 Public-I1-A1

Risk identification

Table 1 – Manage risks in the context of an overarching Information Security Management System

Relevant ISMF standards, policies or procedures and controls (applicability shown for each item):

Policy Statement 1 (Applicability: All)
Responsible Parties must develop or have in place an Information Security Management System (ISMS) that conforms to the principles of AS/NZS ISO/IEC 27001. When the Responsible Party is a Supplier, they must obtain and maintain certification that their information security management system conforms to AS/NZS ISO/IEC 27001 if their contractual obligations require this, as described in section 2.1 of the ISMF.

Policy Statement 2 (Applicability: All)
Each Responsible Party shall develop and use information security risk management processes as outlined in section 5.1 of the PSMF. The risk assessment process shall include the identification and assessment of security risks for information, a summary of the Agency’s response to these risks, and ongoing monitoring and review of the risks and the potential security exposure(s).

Policy Statement 5 (Applicability: All)
Access to information processing facilities by third parties must be controlled, and such controls must be agreed to and defined by way of contractual obligation with the external organisation. Contractual arrangements conferring tertiary access (e.g. a supplier who utilises sub-contractors or outsourced suppliers in the fulfilment of their contractual obligations and/or service agreement) should include allowances for designation of deemed eligible participants and the conditions for their access.

S12.3 (Applicability: All)
Responsible Parties may embed the use of an assessment tool as a component of the selection process for external organisations, such as the Supplier Security Evaluation Tool (SSET) available to Information Security Forum members.


Security in procurement and sourcing activities

Table 2 – Establish security requirements at the outset, before going to market

Relevant ISMF standards, policies or procedures and controls (applicability shown for each item):

Policy Statement 6 (Applicability: All)
Access to Agency and Australian Government information provided to prospective Suppliers during tendering and/or procurement processes shall be limited on a need-to-know basis and commensurate with the controls applicable to the information’s classification. Agencies must stipulate and account for security considerations and controls as defined in the PSMF and ISMF and their subordinate documents during all phases of the procurement process.

Standard 15 (Applicability: All)
Responsible Parties must include and consider the security controls required by the PSMF and ISMF as part of their procurement procedures. Information classification controls must be applied during all phases of the tender and/or procurement process.

S15.1 (Applicability: All)
Agencies must include the requirements of the PSMF and ISMF in their procurement procedures and should select only those subsets of controls and procedures required according to the scope and nature of the project(s) and/or services, products and materials being considered.

S15.2 (Applicability: All)
Particular attention is drawn to part F, paragraph 4.6 of the PSM, which addresses issues such as “Conflict of Interest” declarations and security clearance requirements. This constitutes one of the minimum standards for procurement security and is enabled by the PSMF.

S15.3 (Applicability: All)
Suppliers that intend to procure services, products and/or materials via a third party shall obtain written authorisation from the relevant Agency if any classified information needs to be shared with or otherwise released to the third party as part of the Supplier’s procurement process.

S15.4 (Applicability: All)
Significant risks identified in the procurement cycle should be reflected in the organisation’s risk register, and the treatment and/or mitigation strategy should be identified as part of the organisational risk management procedures.

S15.7 (Applicability: (C) Confidential)
All personnel must be subject to a security vetting process. Refer to the Security Clearances and Briefings section of the ISM for further guidance.

S15.8 (Applicability: (P) Protected; (SC) Sensitive: Cabinet)
All personnel (including respondents) should be subject to a security vetting process in accordance with Policy 6.1 of the PSPF. Personnel must be subject to this process when accessing Commonwealth information.


Establish contractual arrangements

Table 3 – Define a cyber security accord with prospective suppliers

Relevant ISMF standards, policies or procedures and controls (applicability shown for each item):

Standard 14 (Applicability: All)
Arrangements involving third party access to Agency information processing facilities shall be based on a formal agreement containing, or referring to, all of the security requirements needed to ensure compliance with the Responsible Party’s security policies, standards and obligations.

S14.4 (Applicability: All)
Third parties and their employees, including sub-contracted service providers, who require access to security classified information must be security cleared to the appropriate level. Utilising a Third Party Contract Agreement, the service provider must be required to implement security procedures that ensure that access to Official information assets is restricted to those employees who require access to perform their function.

S14.5 (Applicability: All)
Responsible Parties should establish individual confidentiality agreements with the staff of contractors. Depending on the risk assessment findings and the sensitivity of information assets or systems, the Responsible Party may wish to undertake a police records/fingerprint check of an individual or elect to use a vetting process for sensitive Positions of Trust.

Standard 139 (Applicability: All)
Responsible Parties shall ensure that contracts with external service providers specify agency-approved information security policies and procedures and must contain provisions to indemnify the Government of South Australia and its agencies against the outcomes of violations of the aforementioned policies and procedures. While the service provider is entrusted with the management of government data, the government continues to own the data and the agency retains the responsibility of custodianship of the data.

Standard 69 (Applicability: All)
Information used in Electronic Commerce shall be protected from fraudulent activity, misuse, breach of privacy and unauthorised access. Responsible Parties should establish contractual agreements with providers and partners to minimise the risk of potential disputes and should give consideration to PCI DSS compliance for large online transaction-based systems that rely on credit and/or debit card transactions.


Periodic review of third party service delivery

Table 4 – Ongoing supply arrangements should focus on commitment to continual improvement

Relevant ISMF standards, policies or procedures and controls (applicability shown for each item):

Policy Statement 16 (Applicability: All)
Responsible Parties shall implement a program of compliance monitoring, periodic performance review and change (improvement) management for third party service delivery agreements.

Standard 51 (Applicability: All)
Each Agency shall be responsible for identifying the risks associated with the outsourcing arrangements for their processing facilities and/or service delivery agreements (whether sourced internally or externally to Government), as well as defining the control measures that the contractor or other Third Party is required to implement. At a minimum, controls must include the applicable security controls described in the ISMF, service definitions and delivery expectations such as Service Level Agreements (SLAs), in alignment with Security in an Outsourced Environment (ISMF Standard 139).

S51.2 (Applicability: All)
Responsible Parties shall note that external (third party) service delivery agreements may include supply agreements sourced from other Agencies and/or service delivery partners.

Standard 11 (Applicability: All)
In addition to periodic self-assessment, each Responsible Party shall be subject to ongoing independent review of Information Security policies, practices and implementation at regular intervals in accordance with the AS/NZS ISO/IEC 27002 standard.

Outsourcing software development

Table 5 – Independent reviews, advice and/or certification provide increased assurance

Relevant ISMF standards, policies or procedures and controls (applicability shown for each item):

Standard 120 (Applicability: All)
Responsible Parties entering into outsourcing arrangements for software development shall seek legal advice to ensure that the Agency’s rights and interests are protected and shall implement the guidance described in the AS/NZS ISO/IEC 27002 standard pertaining to outsourced software development.

S120.1 (Applicability: All)
Responsible Parties shall implement the control(s) and guidance described in clause 12.5.5 of the AS/NZS ISO/IEC 27002 standard.


Additional considerations

Agencies should educate their users on the security implications associated with procurement and help them to understand their requirements to ensure the confidentiality, integrity and availability of government information assets. Most importantly, agency personnel should understand the bearing that cyber security in procurement has on continued service availability and the assurance that consistent service levels provide to the community.

Some of the differences between outsourcing and the other forms of third party service provision include the question of liability, planning the transition period to an outsourced environment and potential disruption of operations during any transition, contingency planning arrangements and due diligence reviews, and collection and management of information on security incidents. Therefore, it is important that the organisation plans and manages the transition to such arrangements and has suitable processes in place to manage changes and the renegotiation/termination of contracts that is driven by business requirements.

Personnel, including contractors, requiring access to security classified information or resources may need security clearances (see ISMF Policy Statement 5).

Confidentiality and/or non-disclosure agreements must be in place for all staff, contractors and/or sub-contractors that seek or have access to South Australian Government information, materials and/or intellectual property that is not intended for public access (see ISMF Standard 8).

Access provided to third parties (including customers, contractors, etc.) must be controlled based on the specific business requirements of the Responsible Party (see ISMF Standard 13).

This guideline does not aim to provide the reader with all the cyber security responsibilities, obligations and controls related to procurement. It is merely an overview of the information provided in relevant government cyber security policy and the AS/NZS ISO/IEC 27002 standard. It is highly recommended that agencies review such documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).

Sample contractual clauses

An example schedule containing whole-of-government contractual clauses is found in Appendix 1.


References, links and additional information

• PC030 Protective Security Management Framework
• Information Security Management Framework
• AS/NZS ISO/IEC 27002:2006
• Australian Government Protective Security Policy Framework

Document Control

ID: DPC/G4.6
Version: 1.4
Classification/DLM: Public-I1-A1
Compliance: Discretionary
Original authorisation date: February 2012
Last approval date: February 2019
Next review date: February 2020

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite Department of the Premier and Cabinet, Government of South Australia, 2019.


APPENDIX 1

SCHEDULE XX

SECURITY REQUIREMENTS

2 DEFINITIONS

In this Schedule:

2.1 “Australian Government Protective Security Policy” means the protective security policy established by the Australian Government and updated from time to time. A copy of the current version may be viewed at http://www.protectivesecurity.gov.au/;

2.2 “Information Security Management Framework” means the South Australian Government ISMF which describes information and cyber security policies, subordinate standards and supporting controls that are applied at an agency level. Agencies are required to describe the policies and standards expected of their suppliers in order to achieve or maintain organisational and governmental security objectives. A copy of the current version may be viewed at https://dpc.sa.gov.au/digital/security;

2.3 “Certification” means the process by which an organisation’s ISMS is examined against the AS/NZS ISO/IEC 27001 standard by an accredited certification body;

2.4 “ISMS” or “Information Security Management System” means a management system based on a systematic business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. It is an organisational approach to information security; and

2.5 “AS/NZS ISO/IEC 27001” means the standard for information security that focuses on an organisation’s ISMS.

3 SUPPLIER RESPONSIBILITIES

3.1 In supplying the Deliverables, the Supplier must be aware of, comply with and promote the use of:

3.1.1 policies, standards, guidelines and other requirements as set out in this Schedule xx (as amended from time to time); and

3.1.2 any additional policies, standards, guidelines and other requirements as notified by the State from time to time throughout the Term.

3.2 For the avoidance of doubt, an amendment or addition to the policies, standards, guidelines and other requirements pursuant to the preceding sub-clause may arise from any implementation by the State of the Australian Government Protective Security Policy.

3.3 The Supplier must ensure that other suppliers and sub-contractors they engage with (in the provision of Deliverables) are aware of, comply with and promote the use of the policies, standards, guidelines and other requirements as contemplated by the preceding sub-clauses 0 and 0.

3.4 The Supplier must provide each Customer with a quote detailing any additional costs it will incur as a result of the Supplier complying with, and implementing any:

3.4.1 policy, standard, guideline or other requirement additional to that contained in this Schedule on execution of this Agreement; or

3.4.2 amendment to a policy, standard, guideline or other requirement contained in this Schedule.


The quote must be open for acceptance by the Customer for at least twenty (20) Business Days. If accepted by the Customer, the quote will take effect as if it had been raised by a Customer Order. Unless the quote is accepted, the Supplier is not obliged to comply with or implement those requirements in clauses 0 and 0 in relation to which the quote was provided.

3.5 The Supplier must comply with AS/NZS ISO/IEC 27001 and AS/NZS ISO/IEC 27002.

4 POLICIES, STANDARDS, GUIDELINES AND OTHER REQUIREMENTS

Without limiting the above provisions, the Supplier must be aware of, comply with and promote the use of the following policies, guidelines, standards and other requirements as amended from time to time:

No.   Policies, Standards, Guidelines and other requirements                                  Note   Comply with

3.1   PC030 Protective Security Management Framework                                                  ✓

3.2   Information Security Management Framework                                                       ✓

3.3   StateNet Conditions of Connection                                                               ✓

3.4   StateNet Information Security Architecture                                                      ✓

3.5   State ICT Support Plan                                                                           ✓

3.6   Such other policies, standards, guidelines and other requirements as notified by the State from time to time

5 ASSESSMENT FOR COMPLIANCE WITH AS 27001

5.1 The Supplier must:

5.1.1 undertake continuous improvement reviews (at least annually) of its ISMS for facilities, operations, practices and provision of Services, against the parts of AS/NZS ISO/IEC 27001 and AS/NZS ISO/IEC 27002 the State reasonably considers may relate to matters affecting the security of any of the State’s ICT Infrastructure or a Customer’s ICT Infrastructure;

5.1.2 by (insert agreed date), obtain AS/NZS ISO/IEC 27001 Certification for the scope of services defined in this Agreement;

5.1.3 for the scope of services that are currently certified to AS/NZS ISO/IEC 27001, maintain continuous AS/NZS ISO/IEC 27001 Certification for the scope of services defined in this Agreement;

5.1.4 consult with the State in relation to any issues arising from improvement reviews and audits;

5.1.5 agree with the State a plan of action to address and resolve the issues arising from the improvement reviews and audits; and


5.1.6 provide the State with the results and reports from the continuous improvement reviews described in clause 0 and any audits of the ISMS. These reports will be used by the Supplier to demonstrate to the State the Supplier’s commitment to ongoing ISMS improvement and the broader implementation, deployment and introduction of ISMS information security controls.

5.2 The Supplier must conduct the activities set out in clause 5.1 at no additional charge.
