Risk identification - ICT and Digital Government

DPC/G4.6 Government guideline on cyber security

ISMF Guideline 6
Cyber security in procurement activities

BACKGROUND

Considering potential and accounting for actual security risks during procurement is a vital component of holistic security management. Cyber [ICT] security risk management practices are predominantly focused on avoiding potential pitfalls when sourcing products and services. By identifying potential flaws or conceivable business impact(s) during the sourcing phase, often costly remediation can be minimised or avoided entirely. The old adage ‘a penny saved is a penny earned’ certainly applies to all sourcing activities. In security terms, a penny saved by considering security requirements at the design and initiation phases of procurements reduces multiple risks, including economic, reputational and legal liabilities. Responsible Parties need to assure themselves that appropriate due diligence has been undertaken against prospective equipment and service providers.

Particular emphasis in this guideline is placed on verifying that prospective and ongoing suppliers have a demonstrated commitment to ongoing improvement using the underlying quality management principles: ‘Plan-Do-Check-Act’. This guideline supports implementation of ISMF Policy Statement 6.

GUIDANCE

Business Owners are responsible for determining relevant cyber security requirements prior to finalising sourcing arrangements or procuring equipment and services. The Government of South Australia defines baseline security requirements for whole-of-government ICT sourcing arrangements. Individual agencies and suppliers to government have roles to play in determining their own security requirements in alignment with the business risk profile, which is an indication of risk tolerance and appetite. These factors will often change on a case-by-case basis.

For products and services sourced via whole-of-government arrangements, agency-specific measures are implemented at the Customer Agreement [CA] level. Individually sourced products and services will also need to factor in cyber security policy requirements defined in the Protective Security Management Framework [PSMF] and Information Security Management Framework [ISMF].

This guideline highlights the specific policies and standards related to procurement without delving into all of the ‘human factors’ that also need to be catered for when considering a sourcing arrangement. Annex A of the ISMF describes the absolute baseline for cyber security risk management, and each facet of security risk management described therein should be considered prior to finalising any ICT procurement.

RISK IDENTIFICATION

Table 1 – Manage risks in the context of an overarching Information Security Management System

Applicability: ALL

Relevant ISMF standards, policies or procedures and controls:

Policy Statement 1

Responsible Parties must develop or have in place an Information Security Management System [ISMS] that conforms to the principles of AS/NZS ISO/IEC 27001. When the Responsible Party is a Supplier, they must obtain and maintain certification that their information security management system conforms to AS/NZS ISO/IEC 27001 if their contractual obligations require this as described in section 2.1 of the ISMF.

Policy Statement 2

Each Responsible Party shall develop and use information security risk management processes as outlined in section 5.1 of the PSMF. The risk assessment process shall include the identification and assessment of security risks for information assets, a summary of the Agency’s response to these risks and provide ongoing monitoring and review of the risks and the potential security exposure(s).

Policy Statement 5

Access to information processing facilities by third parties must be controlled and such controls must be agreed to and defined by way of contractual obligation with the external organisation.

Contracts conferring tertiary access (e.g. a supplier who utilises sub-contractors or outsourced suppliers in the fulfilment of their contractual obligations and/or service agreement) should include allowances for the designation of deemed eligible participants and the conditions for their access.

S12.3

Responsible Parties may embed the use of an assessment tool as a component of the selection process for external organisations, such as the Supplier Security Evaluation Tool [SSET] available to Information Security Forum members.

Government guideline on cyber security: Cyber security in procurement activities v1.4

Page 2 of 10

SECURITY IN PROCUREMENT AND SOURCING ACTIVITIES

Table 2 – Establish security requirements at the outset, before going to market

Applicability: ALL

Relevant ISMF standards, policies or procedures and controls:

Policy Statement 6

Access to Agency and Australian Government information provided to prospective Suppliers during tendering and/or procurement processes shall be limited on a need-to-know basis and commensurate with the applicable controls to the information’s classification.

Agencies must stipulate and account for security considerations and controls as defined in the PSMF and ISMF and their subordinate documents during all phases of the procurement process.

Standard 15

Responsible Parties must include and consider the security controls required by the PSMF and ISMF as part of their procurement procedures. Information classification controls must be applied during all phases of the tender and/or procurement process.

S15.1

Agencies must include the requirements of the PSMF and the ISMF in their procurement procedures and should select only those subsets of controls and procedures required according to the scope and nature of the project(s) and/or services, products and materials being considered.

S15.2

Particular attention is drawn to part F, paragraph 4.6 of the PSM which addresses issues such as “Conflict of Interest” declarations and security clearance requirements. This constitutes one of the minimum standards for procurement security and is enabled by the PSMF.

S15.3

Suppliers that intend to procure services, products and/or materials via a third party shall obtain written authorisation from the relevant Agency if any classified information needs to be shared with or otherwise released to the third party as part of the Supplier’s procurement process.

S15.4

Significant risks identified in the procurement cycle should be reflected in the organisation’s risk register, and the treatment and/or mitigation strategy should be identified as part of the organisational risk management procedures.

Applicability: [C] Confidential

S15.7

All personnel must be subject to a security vetting process. Refer to the Security Clearances and Briefings section of the ISM for further guidance.

Applicability: [P] Protected, [SC] Sensitive: Cabinet

S15.8

All personnel (including respondents) should be subject to a security vetting process in accordance with Policy 6.1 of the PSPF. Personnel must be subject to this process when accessing Commonwealth information.

ESTABLISH CONTRACTUAL ARRANGEMENTS

Table 3 – Define a cyber security accord with prospective suppliers

Applicability: ALL

Relevant ISMF standards, policies or procedures and controls:

Standard 14

Arrangements involving third party access to Agency information processing facilities shall be based on a formal contract containing, or referring to, all of the security requirements to ensure compliance with the Responsible Party’s security policies, standards and obligations.

S14.4

Third parties and their employees, including sub-contracted service providers, who require access to security classified information must be security cleared to the appropriate level. Utilising a Third Party Contract Agreement, the service provider must be required to implement security procedures that ensure that access to Official information assets is restricted to those employees who require access to perform their function.

S14.5

Responsible Parties should establish individual confidentiality agreements with the staff of contractors. Depending on the risk assessment findings and sensitivity of information assets or systems, the Responsible Party may wish to undertake a police records/fingerprint check of an individual or elect to use a vetting process for sensitive Positions of Trust.

Standard 139

Responsible Parties shall ensure that contracts with external service providers specify agency-approved information security policies and procedures and must contain provisions to indemnify the Government of South Australia and its agencies against the outcomes of violations of the aforementioned policies and procedures. While the service provider is entrusted with the management of government data, the government continues to own the data and the agency retains the responsibility of custodianship of the data.

Standard 69

Information used in Electronic Commerce shall be protected from fraudulent activity, misuse, breach of privacy and unauthorised access. Responsible Parties should establish contractual agreements with providers and partners to minimise the risk of potential disputes and should give consideration to PCI DSS compliance for large online transaction based systems that rely on credit and/or debit card transactions.

PERIODIC REVIEW OF THIRD PARTY SERVICE DELIVERY

Table 4 – Ongoing supply arrangements should focus on commitment to continual improvement

Applicability: ALL

Relevant ISMF standards, policies or procedures and controls:

Policy Statement 16

Responsible Parties shall implement a program of compliance monitoring, periodic performance review and change (improvement) management for third party service delivery agreements.

Standard 51

Each Agency shall be responsible for identifying the risks associated with the outsourcing arrangements for their processing facilities and/or service delivery agreements (whether sourced internally or externally to Government), as well as defining the control measures that the contractor or other Third Party is required to implement. At a minimum, controls must include the applicable security controls described in the ISMF, service definitions and delivery expectations such as Service Level Agreements [SLAs] in alignment with Security in an Outsourced Environment (ISMF Standard 139).

S51.2

Responsible Parties shall note that external (third party) service delivery agreements may include supply agreements sourced from other Agencies and/or service delivery partners.

Standard 11

In addition to periodic self-assessment, each Responsible Party shall be subject to ongoing independent review of Information Security policies, practices and implementation at regular intervals in accordance with the AS/NZS ISO/IEC 27002 standard.

OUTSOURCING SOFTWARE DEVELOPMENT

Table 5 – Independent reviews, advice and/or certification provide increased assurance

Applicability: ALL

Relevant ISMF standards, policies or procedures and controls:

Standard 120

Responsible Parties entering into outsourcing arrangements for software development shall seek legal advice to ensure that the Agency’s rights and interests are protected and shall implement the guidance described in the AS/NZS ISO/IEC 27002 standard pertaining to outsourced software development.

S120.1

Responsible Parties shall implement the control(s) and guidance described in clause 12.5.5 of the AS/NZS ISO/IEC 27002 standard.


ADDITIONAL CONSIDERATIONS

Agencies should educate their users on the security implications associated with procurement and help them to understand their requirements to ensure the confidentiality, integrity and availability of government information assets. Most importantly, agency personnel should understand the bearing that cyber security in procurement has on continued service availability and the assurance that consistent service levels provide to the community.

Some of the differences between outsourcing and the other forms of third party service provision include: the question of liability, planning the transition period to an outsourced environment and potential disruption of operations during any transition, contingency planning arrangements and due diligence reviews, and collection and management of information on security incidents. Therefore, it is important that the organisation plans and manages the transition to such arrangements and has suitable processes in place to manage changes and the renegotiation/termination of contracts that is driven by business requirements.

Personnel, including contractors, requiring access to security classified information or resources may need security clearances (see ISMF Policy Statement 5).

Confidentiality and/or non-disclosure agreements must be in place for all staff, contractors and/or sub-contractors that seek or have in place access to South Australian Government information, materials and/or intellectual property that is not intended for public access (see ISMF Standard 8).

Access provided to third parties (including customers, contractors etc.) must be controlled based on the specific business requirements of the Responsible Party (see ISMF Standard 13).

This guideline does not aim to provide the reader with all of the cyber security responsibilities, obligations and controls related to procurement. It is merely an overview of the information provided in relevant government cyber security policy and the AS/NZS ISO/IEC 27002 standard. It is highly recommended that agencies review such documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).

SAMPLE CONTRACTUAL CLAUSES

An example schedule containing whole-of-government contractual clauses is available in Appendix 1.


REFERENCES, LINKS & ADDITIONAL INFORMATION

PC030 Government of South Australia Protective Security Management Framework [PSMF]

DPC/F4.1 Government of South Australia Information Security Management Framework [ISMF]

AS/NZS ISO/IEC 27002:2006

Australian Government Protective Security Policy Framework [PSPF]

Document Control

ID: DPC/G4.6
Version: 1.4
Classification/DLM: PUBLIC-I1-A1
Compliance: Discretionary
Original authorisation date: February 2012
Last approval date: September 2017
Review date: September 2018

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.


APPENDIX 1.

SCHEDULE XX

SECURITY REQUIREMENTS

2. DEFINITIONS

In this Schedule:

2.1 “Australian Government Protective Security Policy” means the protective security policy established by the Australian Government and updated from time to time, a copy of the current version may be viewed at http://www.protectivesecurity.gov.au/;

2.2 “Information Security Management Framework” means the South Australian Government ISMF which describes information and cyber security policies, subordinate standards and supporting controls that are applied at an agency level. Agencies are required to describe the policies and standards expected of their suppliers in order to achieve or maintain organisational and governmental security objectives. A copy of the current version may be viewed at http://digital.sa.gov.au/resources/topic/security;

2.3 “Certification” means the process by which an organisation’s ISMS is examined against the AS/NZS ISO/IEC 27001 standard by an accredited certification body;

2.4 “ISMS” or “Information Security Management System” means a management system based on a systematic business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. It is an organisational approach to information security; and

2.5 “AS/NZS ISO/IEC 27001” means the standard for information security that focuses on an organisation’s ISMS.

3. SUPPLIER RESPONSIBILITIES

3.1 In supplying the Deliverables, the Supplier must be aware of, comply with and promote the use of:

3.1.1 policies, standards, guidelines and other requirements as set out in this Schedule xx (as amended from time to time); and

3.1.2 any additional policies, standards, guidelines and other requirements as notified by the State from time to time throughout the Term.

3.2 For the avoidance of doubt, an amendment or addition to the policies, standards, guidelines and other requirements pursuant to the preceding sub-clause may arise from any implementation by the State of the Australian Government Protective Security Policy.

3.3 The Supplier must ensure that other suppliers and sub-contractors they engage with (in the provision of Deliverables) are aware of, comply with and promote the use of the policies, standards, guidelines and other requirements as contemplated by the preceding sub-clauses 3.1 and 3.2.


3.4 The Supplier must provide each Customer with a quote detailing any additional costs it will incur as a result of the Supplier complying with, and implementing any:

3.4.1 policy, standard, guideline or other requirement additional to that contained in this Schedule on execution of this Agreement; or

3.4.2 amendment to a policy, standard, guideline or other requirement contained in this Schedule.

The quote must be open for acceptance by the Customer for at least twenty (20) Business Days. If accepted by the Customer the quote will take effect as if it had been raised by a Customer Order. Unless the quote is accepted, the Supplier is not obliged to comply with or implement those requirements in clauses 3.4.1 and 3.4.2 in relation to which the quote was provided.

3.5 The Supplier must comply with AS/NZS ISO/IEC 27001 and AS/NZS ISO/IEC 27002.

4. POLICIES, STANDARDS, GUIDELINES AND OTHER REQUIREMENTS

Without limiting the above provisions, the Supplier must be aware of, comply with and promote the use of the following policies, guidelines, standards and other requirements as amended from time to time:

Policies, Standards, Guidelines and Other Requirements (the ‘Comply with’ and ‘Note’ columns of the schedule table are left blank in the template):

3.1 Cabinet Circular #30 – Protective Security Management Framework

3.2 DPC/F4.1 – Information Security Management Framework

3.3 StateNet Conditions of Connection

3.4 StateNet Information Security Architecture

3.5 State ICT Support Plan

3.6 such other policies, standards, guidelines and other requirements as notified by the State from time to time


5. ASSESSMENT FOR COMPLIANCE WITH AS 27001

5.1 The Supplier must:

5.1.1 undertake continuous improvement reviews (at least annually) of its ISMS for facilities, operations, practices and provision of Services, against the parts of AS/NZS ISO/IEC 27001 and AS/NZS ISO/IEC 27002 the State reasonably considers may relate to matters affecting the security of any of the State’s ICT Infrastructure or a Customer’s ICT Infrastructure;

5.1.2 by [insert agreed date], obtain AS/NZS ISO/IEC 27001 Certification for the scope of services defined in this Agreement;

5.1.3 for the scope of services that are currently certified to AS/NZS ISO/IEC 27001, maintain continuous AS/NZS ISO/IEC 27001 Certification for the scope of services defined in this Agreement;

5.1.4 consult with the State in relation to any issues arising from improvement reviews and audits;

5.1.5 agree with the State a plan of action to address and resolve the issues arising from the improvement reviews and audits; and

5.1.6 provide the State with the results and reports from the continuous improvement reviews described in clause 5.1.1 and any audits of the ISMS. These reports will be used by the Supplier to demonstrate to the State the Supplier’s commitment to ongoing ISMS improvement and the broader implementation, deployment and introduction of ISMS information security controls.

5.2 The Supplier must conduct the activities set out in clause 5.1 at no additional charge.
