NHS DSPT: Managing Risk - A4 Supply Chain

A4.a Supply Chain

‍

Key Point:
Your organisation must understand and manage security and information governance (IG) risks that arise from your supply chain, particularly where external suppliers support essential functions. This includes ensuring suppliers implement appropriate security measures when handling your data or systems.

‍

Overview:
This outcome focuses on integrating cyber security and IG into your approach when working with external suppliers. It requires a thorough assessment of the risks suppliers pose and implementing controls to mitigate them.

‍

How to Meet the Requirement:
Identify all suppliers involved in your essential functions and evaluate how their systems, networks, and services impact your operations. Understand what security controls are necessary to protect your organisation from supply chain risks, especially those that may affect critical functions.

‍

You should review contracts to ensure they contain appropriate security and data protection obligations, including clauses on incident management, audit rights, and service level agreements (SLAs). Make sure suppliers with access to personal or sensitive data comply with data protection laws.

‍

Evidence to Provide:
Submit documentation such as:

‍

• Supplier contracts and agreements
• Data sharing or processing agreements
• Incident response plans
• Due diligence reports on suppliers
• Contract databases and procurement policies

‍

Make sure your evidence clearly demonstrates how your organisation manages supply chain risks and aligns with security and IG requirements.

‍

Indicators of Good Practice:

‍

• You understand which suppliers pose risks to your essential functions and have documented this in your supply chain management processes.
• Contracts include appropriate security and data protection clauses.
• Suppliers are regularly assessed for compliance with security and IG standards.

‍

Managing Supply Chain Risks

‍

Identifying Risks:
Your supply chain risks should be identified during your scoping exercise, where you determine which systems, networks, and services supporting your essential functions rely on external suppliers. This includes understanding how suppliers may impact your organisation in case of disruption or security breaches.

‍

Contracts and Security Obligations:
Review and update contracts with suppliers to include key cyber security obligations. These may cover:

‍

• Right to audit: Permission to audit supplier systems and services, especially in case of security incidents.
• Incident management: Requirements for suppliers to report incidents affecting your organisation.
• Assurance: Ongoing assurance that suppliers meet security requirements, through regular reviews or audits.
• Vulnerability management: Ensuring suppliers keep systems patched and secure.
• SLAs: Clear security-related service levels, including response times for security incidents.

‍

Contracts should also include data protection clauses, ensuring that suppliers handling personal data comply with UK GDPR and other legal requirements.

‍

Supplier Assurance:
Regularly seek assurance that your suppliers comply with your security and IG requirements. This involves engaging with suppliers to ensure they meet the standards outlined in their contracts and agreements, and documenting any issues encountered during these interactions. Flag unresolved issues in your DSPT submission, along with any steps you’ve taken to mitigate these risks.

‍

Incident Response and Due Diligence

‍

Supply Chain Incidents:
Your incident response plans should include potential supply chain incidents that could compromise data security. This may involve working with suppliers to ensure they have robust incident response capabilities, and recording any near-miss incidents that have implications for data protection.

‍

International Data Transfers:
Ensure that any data transfers to suppliers outside the UK are covered by legal protections, such as International Data Transfer Agreements (IDTAs). All countries where data is processed by suppliers should be documented in your information assets and flows register.

‍

A4 Supply Chain: Key Considerations

‍

Cyber Security Obligations in Contracts:
Carefully review supplier contracts to ensure they include appropriate clauses addressing security, such as audit rights, incident reporting, and security governance expectations. These should be tailored to the risk posed by the supplier and the sensitivity of the data or systems they handle.

‍

Supplier Assurance and Monitoring:
Establish ongoing monitoring and assurance processes with your suppliers. This may include audits, regular security reviews, and updates on their security posture. Ensure that any weak points identified are addressed promptly.

‍

Incident Management in the Supply Chain:
Ensure your incident response procedures include protocols for managing and mitigating incidents that occur within your supply chain. Document any supply chain-related incidents or near-misses, and incorporate lessons learned into your wider risk management framework.

‍

Protect your organisation from supply chain risks by ensuring your suppliers meet the highest security and data protection standards. Need help with supplier assessments, contract reviews, or risk management? Periculo can support you in securing your supply chain and safeguarding your essential functions. Contact us now to get started!