
On Communication, Contracts, and Meeting Expectations

This article is the second part of our series on Cyber Supply Chain Risk Management (C-SCRM).

When you buy a product or service, or when you partner with another organisation, you gain access to something that your business needs.

This might be the materials or off-the-shelf components needed to manufacture a product. It might be specialist skills and expertise that your organisation lacks. It could be supporting tools that enable you to work (such as IT), or supporting services that you prefer not to provide yourself because it is more cost-efficient to concentrate on what you do well.

Whatever it is you need, it is important to understand what the security risks are, and what security requirements are placed on each party. Unclear communication can lead to problems further down the line.

You might have specific security requirements for that product or service, either for your own purposes, or because a client of yours requires them from you. If you don't explain these cyber security requirements for the product or service up front, your supplier won't know what you need. This will make it hard for them to meet your (unspoken) expectations, and the relationship might not go as well as you'd hoped.

Your legal team will be able to work out the detailed legal wording for different situations, but you must consider the security needs of each situation and discuss them in advance. It is useful to draft, ahead of time, a set of security requirements that can be reused across different situations.

As well as clauses intended to protect company confidential information, there are likely to be specific requirements for the protection of sensitive information, IP or financial information, or personally identifiable information, in line with Data Protection Act responsibilities. And there may well be additional security-related requirements, depending on the nature of the product or service to be supplied.


Security requirements and contracts

There are several security-related requirements to consider including in your contractual arrangements with suppliers, such as:

  • Any security requirements relating to the specific product or service being supplied. These will vary greatly from supplier to supplier: the supply of an off-site hosted training day will not have the same security needs as the provision of IT infrastructure. These requirements must be identified (as far as possible) before going to market.
  • Defined security responsibilities, spelling out everything that needs to be clearly understood and implemented.
  • That they have appropriate plans and procedures in place that enable them to respond quickly and effectively to cyber security incidents.
  • That they notify you of any security issue or incident that could affect the cyber security of either party.
  • That they share with you any information they hold or become aware of that could help you mitigate such cyber security incidents.
  • That they have appropriate business continuity plans in place that enable them to continue providing services to you.
  • That all security-related information provided as part of the procurement process (for example, in a supplier questionnaire) forms part of the contract. This is because the award of the contract may depend on the accuracy of the information provided during risk analysis and supplier assessment.
  • That your supplier manages their own supply chain risk to the same (or other, agreed) level of security as you are managing yours.
  • Information classification: what you regard as "Confidential" may mean something entirely different, and be treated very differently, in your supplier's environment.
  • Right to audit / conduct regular assessment of their security practices, and to monitor and measure performance. You'll need to be able to check that everything is going to plan, including the management of any security gaps.
  • Communication of the details of any situation in which it is not possible to comply with a security requirement, so that the resulting security gap can be managed. Understanding these gaps, and working to manage them once a supplier is engaged, will be an important part of managing supply chain security.
  • Appropriate handling of known vulnerabilities that could affect you.
  • Provision of independent evidence (for instance, by third party audit) that they are complying with contractual requirements. This will not apply to every supplier, but depends on the risk the contract presents.
  • Timely communication of any other changes in their organisation that could affect your business. Nobody likes to discover with no notice that, for example, a key knowledge resource is being reassigned and can no longer support you.

It is, of course, important to recognise that you are part of a continuous supply chain and should be prepared to support your own customers in the same way. Your customers will be asking you these questions, if they are not already, so it is worth having the answers prepared.


Categorising suppliers

Not all the clauses outlined above will be relevant to all suppliers. Contractual arrangements should be relevant to the product or service being supplied and proportionate to the risk each supplier presents. For example, requiring a low-risk supplier to provide independent evidence, via third party audit, that they comply with your requirements would be excessive and would have a negative effect on the relationship.

Example: use different levels of due diligence depending on your assessment.

Don't forget to include your cloud or SaaS services for consideration. These are just as important as on-premises services, perhaps even more so.

Consider developing a risk profile for each supplier as part of your supplier assessment process, based on a range of factors including:

  • What they are supplying and how important it is to your business.
  • Whether data is being shared and handled electronically.
  • Whether the supplier has access to your systems.
  • Whether they provide products or services that support information processing and/or make your data available over the internet.
  • Where the supplier is located.

Once you have a risk profile for a supplier, you can manage them according to that profile at every stage of procurement. Low-risk suppliers should have different questionnaires to complete, less onerous post-contract assessments, and a different set of contractual clauses from higher-risk suppliers.

Do tell your suppliers you are developing your C-SCRM programme; be transparent and reassure them that you are not interested in their sensitive data but are working for the benefit of both. 


Conclusion

In general, though, by summarising these clauses we can see that at some level they apply to all suppliers, requiring:

  1. Clear and regular communication of any security gaps or incidents, of significant changes, and of any useful information that reduces risk for either party.
  2. Identification and inclusion of security requirements, both in general and specifically for the product or service being supplied.
  3. Good security practice, governance and management by your suppliers and by their suppliers.
  4. Audit, monitoring and measuring rights.

Of course, if you have to rely on your contract clauses to ensure that what you expect to receive is delivered, the relationship has already broken down. But at least by clearly communicating in the contract what you expect, your supplier will know exactly what you want from the beginning, and so will you.

In future posts, we will talk about:  


About CSP

CSP is a specialist security consultancy that helps our clients navigate this increasingly interconnected world. Our team can:

  • advise on security requirements, based on your situation
  • assess your suppliers against your security requirements at every stage:
    1. reviewing their responses to security questions
    2. reviewing security clauses in contracts
    3. auditing your selected suppliers for compliance with your security requirements.
  • work with you to strengthen your policies and processes to improve security throughout the procurement process.

Please contact us here or call us on 0113 5323763 to talk about how we can help.
