Supplier Security Requirements
Define security requirements for the procurement and supply of hardware, software, data, and cloud and other IT services to satisfy the information security strategy and objectives of the organization.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Supplier Security Requirements at each level of maturity.
- 2 Basic
  - Practice
    - Begin to define information security requirements and criteria for procurement activities, and identify and use industry standard generic templates and clauses.
  - Outcome
    - There is some understanding among suppliers of key security requirements.
  - Metrics
    - # of security requirements and questions included in key procurement documents such as RFIs.
    - % of procurement activities for which supplier security requirements have been defined.
  - Practice
    - Begin to conduct some supplier compliance audits (e.g. following an incident).
  - Outcome
    - Some issues of supplier non-compliance are beginning to be uncovered.
  - Metrics
    - # of audits of suppliers.
    - % of suppliers complying with security requirements.
    - # of identified supplier breaches of requirements.
    - # of security incidents involving suppliers.
- 3 Intermediate
  - Practice
    - Define standard information security requirements and criteria for most procurement activities.
  - Outcome
    - There is an increased understanding among suppliers of the levels of security expected, which reduces the risk of security breaches.
  - Metrics
    - # of security requirements and questions included in key procurement documents such as RFIs.
    - % of procurement activities for which supplier security requirements have been defined.
  - Practice
    - Proactively conduct audits of supplier compliance in a structured manner.
  - Outcome
    - Key issues of supplier non-compliance are evident, and steps can be taken to rectify them.
  - Metrics
    - # of audits of suppliers.
    - % of suppliers complying with security requirements.
    - # of identified supplier breaches of requirements.
    - # of security incidents involving suppliers.
- 4 Advanced
  - Practice
    - Define comprehensive information security requirements and criteria for all IT-related procurement activities, and include security patches and updates as part of all contracts.
  - Outcomes
    - Supplier security is up-to-date and relevant to current business activities and priorities.
    - Supplier-related security breaches are rare.
  - Metrics
    - # of security requirements and questions included in key procurement documents such as RFIs.
    - % of procurement activities for which supplier security requirements have been defined.
  - Practice
    - Include indirect suppliers in audits of supplier compliance.
  - Outcome
    - There is organization-wide confidence that all suppliers (direct and indirect) are adhering to security requirements, and that any issues of non-compliance are effectively rectified.
  - Metrics
    - # of audits of suppliers (including indirect suppliers).
    - % of suppliers complying with security requirements.
    - # of identified supplier breaches of requirements.
    - # of security incidents involving suppliers.
- 5 Optimized
  - Practice
    - Continually review and update information security requirements and criteria; base these on the latest insights from the security industry, vendors, and research.
  - Outcomes
    - Supplier security is exemplary and informed by the latest security insights.
    - Both the risk of imposing excessive security measures and the risk of failure through the weakest link in the supply chain are minimized.
  - Metric
    - # of updates to security requirements and criteria per time period.
  - Practice
    - Continually review and improve, as appropriate, the supplier compliance audit process.
  - Outcome
    - The supplier compliance audit process is kept effective and relevant.
  - Metric
    - Frequency of the review cycle.