GOV024
Why supply chain security matters
Most organisations rely on suppliers to deliver products, systems, and services. These suppliers become an extension of your business and broaden the risks you’re exposed to.
A ‘supply chain’ can be described as ‘a network of organisations connected by a series of relationships involving the supply of goods or services’.
Supply chains can be large and complex, involving many suppliers doing many different things. For example, some organisations may:
- outsource to a payroll provider whose systems are hosted in the cloud and maintained by another software provider
- partner with another organisation (for example, an NGO) to provide front-line services, and the partner in turn uses several providers to support their business.
Many organisations are not aware of all of the suppliers who make up their supply chain.
Securing your supply chain can be challenging because it can be difficult to identify vulnerabilities or recognise where they could be introduced and exploited.
Understand the threats and risks from your supply chain
GOV025
The threats from your supply chain come in many forms. For example, a supplier may:
- fail to adequately secure their systems
- have a malicious insider working for them
- carry out malicious acts for their own gain.
Or, you may fail to clearly communicate your security requirements, so a supplier does the wrong things.
You could be exposed to a combination of the following risks:
- harm to your people or customers
- loss of data
- privacy breaches
- loss of intellectual property
- disrupted services
- financial risks
- reputational risks.
Consider a range of threat scenarios
The following examples illustrate potential supply chain relationships and risks.
A contractor exploits their access to your premises
A maintenance contractor with after-hours access steals and sells your computers to pay off debts. The computers contain intellectual property belonging to several companies you work with.
A supplier to one of your direct suppliers is hacked
A supplier to the original party you contracted with has their ICT systems hacked. (In 2017, this happened to an Australian defence contractor. The hacker stole highly sensitive commercial information on the build and design of new fighter jets, navy vessels, and surveillance aircraft. The contractor, a fourth-level supplier, had failed to implement and maintain security measures appropriate to the nature of the work.)
A direct supplier fails to disclose details of its third-party suppliers
You seek system support from your direct supplier only to find that the support is being provided through overseas-based third parties. The accessibility of your sensitive information and/or intellectual property from outside the country makes it more susceptible to theft or compromise.
A direct supplier fails to carry out due diligence on its own supply chain
Your direct supplier is unwilling to take responsibility for a weak-password vulnerability that has been detected in your system. The vulnerability was introduced by one of its third-party suppliers or contractors. Your system remains vulnerable while you seek redress from the direct supplier, which may make remediation of the vulnerability slower and more expensive.
Your IT provider is caught up in a global cyber intrusion campaign
A widespread campaign targets service providers who manage IT and cloud providers who store information. You are one of several government agencies and private companies whose sensitive information and valuable intellectual property is compromised and sold on to other parties.
A contractor working for a supplier steals information
A security guard contracted to a supplier steals documents containing national security information. They attempt to sell the documents to a foreign intelligence service.
New IT equipment is found to be vulnerable
An interruption to your supply chain means that an alternate IT equipment provider is quickly needed. The equipment from the new supplier contains a deliberate vulnerability that has been introduced in the factory. This vulnerability is later exploited by a state actor.
Your people procure IT without authorisation
A team starts using a new cloud-based service to co-design a new product without going through a procurement process or engaging with your IT security people. Your intellectual property is exposed through this ‘shadow IT procurement’.
A third party exploits their access to your information
You purchase an information technology solution in a software-as-a-service (SaaS) arrangement. You are unaware that it is hosted offshore by a third party. Staff from the offshore provider use their authorised access to the systems storing and processing your information to steal your intellectual property and your clients’ personal information.
You fail to adequately brief a supplier on your security needs
You engage an external supplier to help with launching a new product. However, you don’t communicate your security needs adequately, especially the sensitivity of the information they have access to. The supplier shares your information more widely than you would like and reduces the impact of your product launch.
Principles of supply chain security
GOV026
Follow these principles to gain and maintain control of your supply chain. The twelve principles are divided into four stages, covering the process of securing your supply chain (GOV5).
Understand the risks
- Understand what needs to be protected and why
- Know who your suppliers are and build an understanding of their security measures
- Understand the security risks posed by your supply chain.
Establish control
- Communicate your view of security needs to your suppliers
- Set and communicate minimum security requirements for your suppliers
- Build security considerations into your contracting process and require your suppliers to do the same
- Meet your own security responsibilities as a supplier and consumer
- Raise awareness of security within your supply chain
- Provide support for security incidents.
Check your arrangements
- Build assurance activities into your supply chain management.
Seek continuous improvement
- Encourage the continuous improvement of security within your supply chain
- Build trust with suppliers.
Source: Centre for the Protection of National Infrastructure (CPNI), 2018
Understand what needs to be protected and why
GOV027
You should know:
- the sensitivity of contracts you let
- the value of the information or assets that suppliers hold, access, or handle as part of their contracts with you
- the impact on your organisation of loss or harm to information or assets that suppliers hold, access, or handle.
Think about the level of protection your suppliers need to provide for your assets and information as part of the contract, as well as the products or services they will deliver.
Remember that under the Public Records Act 2005, your organisation remains responsible for managing and protecting official records when they’re held offsite.
When you outsource an operation, you must meet the requirements for protecting information outlined in the:
- Management protocol for information security
- New Zealand Information Security Manual.
Know who your suppliers are and build an understanding of their security measures
GOV028
You should know who your suppliers are, and who supplies or supports them. Think about how far down your supply chain you need to go to understand who your suppliers are, and to have confidence in them.
You may have to rely on your immediate suppliers for information about sub-contractors, and it may take time to discover the full extent of your supply chain.
Try to establish the answers to the following questions.
- How effective are your suppliers’ current security arrangements? How long have their arrangements been in place?
- Which security measures have you asked your immediate suppliers to provide? Which measures have they, in turn, asked their sub-contractors to provide?
- Have your suppliers and their sub-contractors provided the security requirements you asked for?
- What access (physical and technological) will your suppliers have to your systems, premises, and information? How will you control that access?
- When suppliers are working on your premises, what other information (beyond the information you’ve granted them explicit access to) might they be able to access or view?
- How will your immediate suppliers control their subcontractors’ access to, and use of, your information and assets? (Remember to include your systems and premises.)
Focus on the parts of your suppliers’ business or systems that handle your contract information or deliver the contracted product or service.
Understand the security risks posed by your supply chain
GOV029
Assess the risks your contract arrangements pose to your information or assets, to the products or services to be delivered, and to the wider supply chain.
Risks to and from the supply chain can take many forms. For example, a supplier may:
- fail to adequately secure their systems
- have a malicious insider working for them
- contract work to someone who fails to manage your information properly
- undermine your systems through malicious acts (if the system involves national security, the malicious acts may be backed by a hostile state).
Or your communication about security needs might be poor, so the supplier does the wrong things.
Use the best information you can to understand these security risks.
Communicate your view of security needs to your suppliers
GOV030
Make sure your suppliers understand their responsibility to protect your information, and their products and services. Make sure they understand the implications of failure.
Decide whether you are willing to let your suppliers sub-contract work. If you allow them to sub-contract, delegate authority appropriately to allow them to do so. Give your suppliers clear guidance on the criteria for these decisions. Tell them which types of contract they can sub-contract without referring to you, and which types need your approval and sign-off.
Ensure your suppliers:
- fulfil their security responsibilities
- include your security requirements in any sub-contracting arrangements.
Set and communicate minimum security requirements for your suppliers
GOV031
You should set minimum security requirements for suppliers which are justified, proportionate, and achievable. Consider your minimum requirements for:
- security governance
- personnel security
- information security
- physical security.
Make sure these requirements reflect your assessment of security risks. But also take account of how well established your suppliers’ security arrangements are. Consider their ability to meet your intended requirements.
Be specific. If you just include a general condition in the contract that the service provider must comply with the PSR, it’s unlikely to be appropriate or enforceable.
Identify circumstances where it might be disproportionate to expect suppliers to meet your minimum security requirements. For example, suppliers who only need ad hoc or occasional access to limited and specific data, or to your premises, may not need to meet every requirement. Document these considerations.
Give the contractor guidance on the steps you plan to take to manage your security requirements. This guidance could reduce your workload and avoid additional, unnecessary work for contractors.
Confirming people’s suitability with pre-employment checks
Specify the minimum pre-employment checks you expect your suppliers to conduct for their employees. Align your minimum checks with the base pre-employment checks conducted by government organisations:
- confirm their identity
- confirm their nationality
- confirm their right to work in New Zealand
- check references with their former employer(s)
- conduct a criminal record check.
When you identify an increased security risk related to a specific role or the nature of the access your supplier has, additional checks could be necessary. For example, an IT administrator for a managed service provider may have broad access to your organisation’s information. You may require further checks to ensure they are trustworthy and identify factors in their life that may increase the risk of insider threat.
Get security clearance for any contractors who’ll handle protectively-marked information
Your organisation is responsible for sponsoring, arranging, and managing security clearances throughout the life of a contract.
If a contractor’s employees need to access protectively-marked information classified CONFIDENTIAL or above, you must ensure each person has a security clearance to the appropriate level. Check with the New Zealand Security Intelligence Service (NZSIS) to find out if any of the employees already hold a valid security clearance.
Anyone who doesn’t hold the correct security clearance should not have unescorted access to anywhere that protectively-marked information is handled or stored.
Set security requirements case by case
Consider setting different security requirements for different types of contracts, based on their associated risks. Avoid forcing all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified.
When you set security requirements, explain the rationale for them to your suppliers. And require your suppliers to pass these requirements down to any sub-contractors.
Include your minimum security requirements in your procurement documents and the contracts you have with suppliers.
If your organisation conducts character checks for your own people, consider whether to conduct the same checks for service providers’ employees.
If a contractor needs access to official information, they should sign a non-disclosure agreement.
Build security considerations into your contracting process and require your suppliers to do the same
GOV032
Build security considerations into your normal contracting processes. This approach will help you to manage security throughout the contract, including terminating and transferring services to another supplier.
Before contracts are signed
If you’re a contract manager, work with your chief security officer (CSO), or their delegate, to identify essential security requirements when you’re developing tender documents, and for the life of the contract. This step also applies to anyone who is evaluating proposals or tenders.
Aim to ensure security requirements:
- match the assessed risks
- align with the stages of the contracting process.
Get prospective suppliers to give evidence of their approach to security and their ability to meet the minimum security requirements you’ve set. If the supplier is unable to meet your minimum security standards, you should not select them.
If you award a contract subject to a supplier meeting requirements, ensure you follow through and verify they meet requirements before allowing their contract to start.
Consider including the right to terminate the contract if your supplier fails to comply with your security requirements. Failure to comply should include the supplier being unwilling or unable to remedy security breaches.
Ensure you clearly understand which information and assets your supplier will hold on your behalf. Reach and document an agreement on how your information and assets will be managed and disposed of. Include conditions that protect information from risk.
It’s best to seek legal advice when developing contracts.
Conditions for information protectively-marked CONFIDENTIAL or above:
Explicitly identify the highest level of protectively-marked information the supplier will access during the contract.
Require the service provider to prevent all access to protectively-marked material by employees whose security clearances have lapsed, been downgraded or revoked, or are no longer needed.
Where relevant, include conditions requiring the service provider to report to you when any of their employees who don’t have a security clearance have any incidental or accidental contact with protectively-marked material. This condition is particularly important in contracts for security guards, cleaning, and ICT services.
Conditions for official information:
Consider the impact of any loss or compromise of official information held by a service provider, especially aggregated information (collections of information). Include contract conditions to mitigate any assessed risks.
If a contract requires a service provider to access official information, the contract must contain the following terms and conditions.
Permission for subcontracting
The service provider cannot subcontract a service or function that may require access to official information without your organisation’s written approval. Once a subcontracting agreement is in place, the service provider cannot change the subcontractor without your written approval.
Conflicts of interest
The service provider must disclose any potential conflicts of interest that would affect security when they work on behalf of the New Zealand Government.
Access to protected information
The service provider must ensure their employees are cleared to the appropriate level before they are given access to protectively-marked information.
Storing and handling protected information
The service provider’s premises and facilities must meet the minimum standards for storing and handling official information, up to the nominated security classification level.
Information security
The service provider must have systems that meet designated information security standards for processing, storing, transmitting, and disposing of official information that is in electronic formats. Refer to the New Zealand Information Security Manual for more information.
Confidentiality
The service provider must follow directions included in the contract for keeping official information confidential. Confidentiality obligations may extend beyond the end of the contract.
Conditions for your organisation’s information:
Consider legal and jurisdictional risk, such as where a service provider’s overseas owners or other stakeholders may have legal rights that could allow them to access your information. If this is a risk, the contract should include terms and conditions to protect against third-party access. However, in other cases these contractual conditions may not provide sufficient protection.
During the contract
Provide or develop supporting guidance, tools and processes, so you and your suppliers can effectively manage security at all levels throughout your supply chain. Train all parties in their use.
Require contracts to be renewed at appropriate intervals and reassess risks at the same time.
Seek assurance that your suppliers understand and support your approach to security. Only ask them to act or provide information when it’s needed to manage supply chain security risks.
Meet your own security responsibilities as a supplier and consumer
GOV033
Ensure that you enforce and meet any requirements on you as a supplier.
Report to your senior management team so they know how security is being managed.
Pass security requirements down to sub-contractors.
Welcome your customer’s audits, tell them about any issues you encounter, and work proactively with them to improve security.
Challenge your customers if they don’t provide guidance about their security needs. Seek assurance that they’re happy with the measures you’re taking.
Raise awareness of security within your supply chain
GOV034
Supplier relationships can interact with many of your organisation’s touchpoints. So it’s important to educate your people about how contracts will operate and what the associated security arrangements are.
Explain security risks to your suppliers using language they can understand. Encourage your suppliers to explain the risks to their people (especially if they work in procurement, security, and marketing), so they know their responsibilities to help manage them.
Your supplier’s people may change over time due to staff turnover or role changes. Work with your suppliers to ensure that:
- people who accessed official or protectively-marked information are reminded of the continuing need to maintain confidentiality
- new people understand your security requirements.
If your supplier has people who require national security clearances, make sure they are familiar with the obligations set out in Getting and maintaining a national security clearance.
Share security information across your supply chain to keep your suppliers up to date with emerging attacks.
Provide support for security incidents
GOV035
It’s reasonable to expect your suppliers to manage security risks according to their contracts. But be prepared to provide support and assistance if necessary, for example when security incidents could potentially affect your business or the wider supply chain.
Make requirements clear in supplier contracts
In your contracts with suppliers, clearly set out requirements for managing and reporting security incidents or breaches.
Clarify their responsibilities for advising you about incidents. For example, make it clear how soon after an incident they need to report to you, who the report should go to, and so on. It’s particularly important to ensure your service providers report incidents or suspected incidents that affect:
- their ability to deliver their contracted services
- your organisation’s information (when they’re holding or transporting it).
You should also clearly state what support your suppliers can expect from you following an incident. For example, support with clean-up and handling losses.
Consider clarifying how your supplier will manage security incidents or breaches.
Consider including contract conditions that require providers to report to you about breaches of ICT security that involve other clients’ information.
Communicate lessons learnt
When you’ve learnt lessons from security incidents, communicate them to all your suppliers. Help to stop them becoming victims of ‘known and manageable’ attacks.
Build assurance activities into your supply chain management
GOV036
When suppliers are key to the security of your supply chain, make it a condition of their contracts to:
- report to your senior management team on security performance
- follow any risk management policies and processes you specify.
Build the ‘right to audit’ into all contracts and exercise it. Require your suppliers to do the same for contracts they sub-let. Audits may include accessing the service provider’s premises, records, and equipment. (However, this may not always be possible or desirable, particularly when a service is cloud-based.)
When you assess suppliers that offer services to more than one government organisation, consider sharing the assessment to avoid duplication.
Where justified, build assurance requirements into your security requirements. For example, assurance reporting, penetration tests, external audits, and formal security certifications.
Establish key performance indicators to measure the performance of your supply chain security management.
Review and act on any findings and lessons learnt.
Encourage suppliers to promote good security behaviours.
Encourage the continuous improvement of security within your supply chain
GOV037
Encourage your suppliers to continuously improve their security arrangements. Advise and support your suppliers as they work on improvements.
Emphasise how improving security may help them to compete for and win future contracts with you. Taking this approach will help you grow your supply chain and increase your pool of potential suppliers who meet your security needs.
Avoid creating unnecessary barriers to improvements. Be prepared to recognise any existing security practices or certifications they have that demonstrate how they meet your minimum security requirements.
Allow time for your suppliers to improve security, but require them to give you timescales and plans that show how they intend to achieve the improvements.
Listen to and act on any concerns that suppliers highlight which suggest current approaches are not working. Suppliers might raise issues during performance monitoring, through reporting, or after responding to security incidents.
Build trust with suppliers
GOV038
Supply chain management is a shared issue, so build strategic partnerships with your key suppliers. They’re more likely to follow your approach to supply chain security when it takes account of their needs as well as your own. Encourage and value their input, and share security issues with them. Maintain regular and effective communication.
It’s OK to let suppliers manage sub-contractors for you, but require them to report on security performance.
Assessing your supply chain security
GOV039
See the table below for examples of good and bad supply chain security to begin the process of understanding your own situation.