Supplier Security
Define security requirements pertaining to the procurement and supply of hardware, software, services, and data.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Supplier Security at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of staff.
- Outcome
- The organization may behave on an ad hoc basis because, with no documented processes or procedures, staff may respond differently according to their differing levels of experience and training backgrounds.
- Metric
- # Customer complaints or accolades regarding consistency/inconsistency.
- 2 Basic
- Practice
- Include basic information security requirements and expectations in procurement activities.
- Outcome
- There is increased participation by key third parties and business partners in securing the organization's assets.
- Metric
- # Security requirements and questions included in key procurement documents such as RFIs; # Suppliers complying with security requirements; # Security incidents involving suppliers
- 3 Intermediate
- Practice
- Define detailed security requirements for suppliers using a structured approach and ensure adherence to them in major procurements.
- Outcome
- There is increased understanding by suppliers of the security expected of them, reducing the risk of security breaches.
- Metric
- # Suppliers complying with security requirements; # Audits of suppliers; # Identified breaches of requirements; # Security incidents involving suppliers
- 4 Advanced
- Practice
- Review detailed security requirements for suppliers regularly and ensure adherence to them in all procurement activities.
- Outcome
- Supplier security is up-to-date and relevant to current business activities and priorities; there is increased confidence that security requirements are being complied with.
- Metric
- # Suppliers complying with security requirements; # Audits of suppliers; # Identified breaches of requirements; # Security incidents involving suppliers
- 5 Optimized
- Practice
- Define, review and update supplier information security requirements regularly across the business ecosystem.
- Outcome
- A consistent and up-to-date approach to security is applied across the supply chain, with less risk of either overly strong security or failure due to the weakest link.
- Metric
- # Audits of suppliers; # Identified breaches of requirements; # Security incidents involving suppliers