ISMF Guideline 6 - Cyber Security in Procurement Activities

DPC/G4.6 GOVERNMENT GUIDELINE ON CYBER SECURITY

ISMF Guideline 6 - Cyber security in procurement activities

Background

Considering potential and accounting for actual security risks during procurement is a vital component of holistic security management. Cyber (ICT) security risk management practices are predominantly focused on avoiding potential pitfalls when sourcing products and services. By identifying potential flaws or conceivable business impact(s) during the sourcing phase, often costly remediation methods can be minimised or avoided entirely. The old adage ‘a penny saved is a penny earned’ certainly applies to all sourcing activities. In security terms, a penny saved by considering security requirements at the design and initiation phases of procurements reduces multiple risks, including economic, reputational and legal liabilities.

Responsible Parties need to assure themselves that appropriate due diligence has been undertaken against prospective equipment and service providers. Particular emphasis in this guideline is placed on verifying that prospective and ongoing suppliers have a demonstrated commitment to ongoing improvement using the underlying quality management principle ‘Plan-Do-Check-Act’.

This guideline supports implementation of ISMF Policy Statement 6.

Guidance

Business Owners are responsible for determining relevant cyber security requirements prior to finalising sourcing arrangements or procuring equipment and services. The Government of South Australia defines baseline security requirements for whole-of-government ICT sourcing arrangements. Individual agencies and suppliers to government have roles to play in determining their own security requirements in alignment with the business risk profile, which is an indication of risk tolerance and appetite. These factors will often change on a case-by-case basis.

For products and services sourced via whole-of-government arrangements, agency-specific measures are implemented at the Customer Agreement (CA) level. Individually sourced products and services will also need to factor in cyber security policy requirements defined in the Protective Security Management Framework (PSMF) and Information Security Management Framework (ISMF). This guideline highlights the specific policies and standards related to procurement without delving into the entire ‘human factors’ that also need to be catered for when considering a sourcing arrangement. Annex A in the ISMF describes the absolute baseline for cyber security risk management, and each facet of security risk management described therein should be considered prior to finalising any ICT procurement.

Page 1 of 10 Public-I1-A1

Risk identification

Table 1 – Manage risks in the context of an overarching Information Security Management System

Applicability: All

Relevant ISMF standards, policies or procedures and controls:

Policy Statement 1 – Responsible Parties must develop or have in place an Information Security Management System (ISMS) that conforms to the principles of AS/NZS ISO/IEC 27001. When the Responsible Party is a Supplier, they must obtain and maintain certification that their information security management system conforms to AS/NZS ISO/IEC 27001 if their contractual obligations require this, as described in section 2.1 of the ISMF.

Policy Statement 2 – Each Responsible Party shall develop and use information security risk management processes as outlined in section 5.1 of the PSMF. The risk assessment process shall include the identification and assessment of security risks for information assets, a summary of the Agency’s response to these risks, and ongoing monitoring and review of the risks and the potential security exposure(s).

Policy Statement 5 – Access to information processing facilities by third parties must be controlled, and such controls must be agreed to and defined by way of contractual obligation with the external organisation. Contracts conferring tertiary access (e.g. a supplier who utilises sub-contractors or outsourced suppliers in the fulfilment of their contractual obligations and/or service agreement) should include allowances for designation of deemed eligible participants and the conditions for their access.

S12.3 – Responsible Parties may embed the use of an assessment tool as a component of the selection process for external organisations, such as the Supplier Security Evaluation Tool (SSET) available to Information Security Forum members.

Security in procurement and sourcing activities

Table 2 – Establish security requirements at the outset, before going to market

Applicability: All

Relevant ISMF standards, policies or procedures and controls:

Policy Statement 6 – Access to Agency and Australian Government information provided to prospective Suppliers during tendering and/or procurement processes shall be limited on a need-to-know basis and commensurate with the controls applicable to the information’s classification. Agencies must stipulate and account for security considerations and controls as defined in the PSMF and ISMF and their subordinate documents during all phases of the procurement process.

Standard 15 – Responsible Parties must include and consider the security controls required by the PSMF and ISMF as part of their procurement procedures. Information classification controls must be applied during all phases of the tender and/or procurement process.

S15.1 – Agencies must include the requirements of the PSMF and ISMF in their procurement procedures and should select only those subsets of controls and procedures required according to the scope and nature of the project(s) and/or services, products and materials being considered.

S15.2 – Particular attention is drawn to part F, paragraph 4.6 of the PSM, which addresses issues such as “Conflict of Interest” declarations and security clearance requirements. This constitutes one of the minimum standards for procurement security and is enabled by the PSMF.

S15.3 – Suppliers that intend to procure services, products and/or materials via a third party shall obtain written authorisation from the relevant Agency if any classified information needs to be shared with or otherwise released to the third party as part of the Supplier’s procurement process.

S15.4 – Significant risks identified in the procurement cycle should be reflected in the organisation’s risk register, and the treatment and/or mitigation strategy should be identified as part of the organisational risk management procedures.

Applicability: (C) Confidential, (P) Protected, (SC) Sensitive: Cabinet

S15.7 – All personnel must be subject to a security vetting process. Refer to the Security Clearances and Briefings section of the ISM for further guidance.

S15.8 – All personnel (including respondents) should be subject to a security vetting process in accordance with Policy 6.1 of the PSPF. Personnel must be subject to this process when accessing Commonwealth information.

Establish contractual arrangements

Table 3 – Define a cyber security accord with prospective suppliers

Applicability: All

Relevant ISMF standards, policies or procedures and controls:

Standard 14 – Arrangements involving third party access to Agency information processing facilities shall be based on a formal contract containing, or referring to, all of the security requirements to ensure compliance with the Responsible Party’s security policies, standards and obligations. Third parties and their employees, including sub-contracted service providers, who require access to security classified information must be security cleared to the appropriate level.

S14.4 – Utilising a Third Party Contract Agreement, the service provider must be required to implement security procedures that ensure that access to Official information assets is restricted to those employees who require access to perform their function. Responsible Parties should establish individual confidentiality agreements with the staff of contractors.

S14.5 – Depending on the risk assessment findings and the sensitivity of information assets or systems, the Responsible Party may wish to undertake a police records/fingerprint check of an individual or elect to use a vetting process for sensitive Positions of Trust.

Standard 139 – Responsible Parties shall ensure that contracts with external service providers specify agency-approved information security policies and procedures and must contain provisions to indemnify the Government of South Australia and its agencies against the outcomes of violations of the aforementioned policies and procedures. While the service provider is entrusted with the management of government data, the government continues to own the data and the agency retains the responsibility of custodianship of the data.

Standard 69 – Information used in Electronic Commerce shall be protected from fraudulent activity, misuse, breach of privacy and unauthorised access. Responsible Parties should establish contractual agreements with providers and partners to minimise the risk of potential disputes and should give consideration to PCI DSS compliance for large online transaction-based systems that rely on credit and/or debit card transactions.

Periodic review of third party service delivery

Table 4 – Ongoing supply arrangements should focus on commitment to continual improvement

Relevant ISMF standards, policies or procedures and controls:

Policy Statement 16 – Responsible Parties shall implement a program of compliance monitoring, periodic performance review and change (improvement) management for
