Governance

GOV032

Build security considerations into your contracting process and require your suppliers to do the same

Build security considerations into your normal contracting processes. This approach will help you to manage security throughout the life of the contract, including when the contract is terminated or services are transferred to another supplier.

Before contracts are signed

If you’re a contract manager, work with your chief security officer (CSO), or their delegate, to identify essential security requirements when you’re developing tender documents, and for the life of the contract. This step also applies to anyone who is evaluating proposals or tenders.

Aim to ensure security requirements:

  • match the assessed risks
  • align with the stages of the contracting process.

Get prospective suppliers to give evidence of their approach to security and their ability to meet the minimum security requirements you’ve set. If the supplier is unable to meet your minimum security standards, you should not select them.

If you award a contract subject to a supplier meeting your security requirements, ensure you follow through and verify that they have met those requirements before the contract starts.

Consider including the right to terminate the contract if your supplier fails to comply with your security requirements. Failure to comply should include the supplier being unwilling or unable to remedy a security breach.

Ensure you clearly understand which information and assets your supplier will hold on your behalf. Reach and document an agreement on how your information and assets will be managed and disposed of. Include conditions that protect information from risk.

It’s best to seek legal advice when developing contracts.

Conditions for information protectively-marked CONFIDENTIAL or above:

Explicitly identify the highest level of protectively-marked information the supplier will access during the contract.

Require the service provider to prevent all access to protectively-marked material by employees whose security clearances have lapsed, been downgraded or revoked, or are no longer needed.

Where relevant, include conditions requiring the service provider to report to you when any of their employees who don’t have a security clearance have any incidental or accidental contact with protectively-marked material. This condition is particularly important in contracts for security guards, cleaning, and ICT services.

Conditions for official information:

Consider the impact of any loss or compromise of official information held by a service provider, especially aggregated information (collections of information). Include contract conditions to mitigate any assessed risks.

If a contract requires a service provider to access official information, the contract must contain the following terms and conditions.

Permission for subcontracting

The service provider cannot subcontract a service or function that may require access to official information without your organisation’s written approval. Once a subcontracting agreement is in place, the service provider cannot change the subcontractor without your written approval.

Conflicts of interest

The service provider must disclose any potential conflicts of interest that would affect security when they work on behalf of the New Zealand Government.

Access to protected information

The service provider must ensure their employees are cleared to the appropriate level before they are given access to protectively-marked information.

Storing and handling protected information

The service provider’s premises and facilities must meet the minimum standards for storing and handling official information, up to the nominated security classification level.

Information security

The service provider must have systems that meet designated information security standards for processing, storing, transmitting, and disposing of official information that is in electronic formats. Refer to the New Zealand Information Security Manual for more information.

Confidentiality

The service provider must follow directions included in the contract for keeping official information confidential. Confidentiality obligations may extend beyond the end of the contract.

Conditions for your organisation’s information:

Consider legal and jurisdictional risk, such as where a service provider's overseas owners or other stakeholders may have legal rights that could allow them to access your information. If this is a risk, the contract should include terms and conditions to protect against third-party access. However, in some cases contractual conditions alone may not provide sufficient protection.

During the contract

Provide or develop supporting guidance, tools and processes, so you and your suppliers can effectively manage security at all levels throughout your supply chain. Train all parties in their use.

Require contracts to be renewed at appropriate intervals and reassess risks at the same time.

Seek assurance that your suppliers understand and support your approach to security. Only ask them to act or provide information when it’s needed to manage supply chain security risks.

Page last modified: 4/05/2022