Corda Network Foundation
Supplier Management Policy
Use of external suppliers or outsourcing arrangements can deliver commercial benefits in the form of reduced costs, greater focus on core business and access to superior external skills or resources. This policy mandates the assessment and management of the information security risks associated with such arrangements.
2 Risks Addressed
This policy addresses risks resulting from the use of external suppliers to handle sensitive Corda Network Foundation information or to provide services or products critical to the Foundation’s mission. These risks may include (but are not limited to):
- Inappropriate access to or inadvertent or deliberate disclosure of Foundation or network participant sensitive information.
- Risks to the availability of Foundation services through the inability of the supplier to deliver agreed service levels.
3 Control Objectives
This policy specifies controls to manage the information security risks associated with the use of external suppliers.
4 Who Does the Policy Apply To?
This policy must be observed by anyone involved in the selection of suppliers of services or products critical to the Foundation’s mission, or that handle information or other assets of high value or sensitivity. More detailed roles and responsibilities are described in the Mandatory Controls section of this policy.
The terms “product” and “service” are used frequently, and interchangeably, within this document. They both refer to a capability that the Foundation intends to acquire from an external supplier rather than develop or otherwise construct from scratch.
Services or suppliers that fall under the remit of this policy include (but are not limited to):
- Computer hardware, software and associated support services.
- Building maintenance or physical security services.
- External consultants and contractors.
- Data centre or cloud service providers.
- Document storage or data backup service providers.
- IT auditors or IT or business process outsourcing firms.
- Processors of personally identifiable information (PII), such as payroll or benefits service providers.
When in doubt as to whether this policy applies to the selection of a supplier for a particular service, the individual intending to engage with a supplier must consult with the Head of Compliance or Information Security Manager for clarification.
6 Mandatory Controls
6.1 Roles and Responsibilities
The Foundation Board of Directors is responsible for designating suitable service owners for external suppliers. The service owner will be responsible for oversight of services delivered by the supplier and for ensuring that this policy is followed.
The Foundation Board of Directors is responsible for mandating commercial or security controls to manage the risks arising from the use of external suppliers.
The service owner is responsible for assessing and managing the commercial and security risks associated with engaging with their suppliers, working in conjunction with Information Security, Legal, Compliance and other functions as necessary.
The service owner is responsible for presenting the supplier risk assessment to the Board of Directors (or the review group it designates), and for enacting such additional controls as that group might specify.
The service owner is responsible for ensuring appropriate contractual and other commercial controls are in place between the Foundation and the supplier.
The Information Security Manager, in conjunction with functions such as Compliance, is responsible for assisting service owners to analyse the associated risks and develop appropriate process, technical, physical and legal controls.
This policy will be jointly maintained by the Information Security Manager and the Head of Compliance.
6.2 Choosing a supplier
The criteria for selecting a particular supplier shall be defined and documented, taking into account:
- Market research to establish a list of possible suppliers for the service or product.
- The supplier’s reputation and history.
- The supplier’s status as a legal entity in its relevant jurisdiction.
- The quality of services provided to other customers.
- The number, competence and qualifications of staff and managers.
- Retention rates of the company’s employees.
- The financial stability of the supplier and its commercial record.
- Quality assurance and security management certifications held by the supplier.
Where multiple suppliers exist offering competing, but distinct, services or products, the supplier evaluation process will provide:
- A qualitative and/or quantitative comparison of each vendor and its offerings.
- A recommendation of a single supplier on the basis of analysis performed.
Where the risk to the Foundation associated with the product, service or supplier is considered to be significant, further information security criteria may be applied. These criteria will be defined as the result of detailed risk assessment of both the product or service to be provided and the supplier.
Where a preferred supplier already exists, the expected total purchase price is below $20,000 USD and the assessed risk associated with the purchase is not considered to be significant, purchase may (at the discretion of the service owner) proceed without conducting a more detailed vendor selection process. Where no preferred vendor exists, or the purchase is expected to exceed $20,000 USD, or the assessed risk associated with the purchase is anticipated to be significant, a complete vendor selection exercise (including a formal risk assessment, as documented below) must be carried out in advance of contracting with the supplier.
6.3 Assessing risks
The Board of Directors shall nominate a suitable Foundation service owner for each significant supplier or service provider. The service owner, with help from the Information Security Manager, shall assess the risks before agreeing contracts with any given supplier. The risk assessment shall take due account of the following:
- The nature of logical and physical access to Foundation information assets and other facilities required by the supplier to fulfil the contract.
- The sensitivity, volume and value of any information assets involved.
- Any commercial risks such as the possibility of the supplier’s business failing completely, or of them failing to meet agreed service levels or providing services to the Foundation’s competitors where this might create conflicts of interest.
- The security and commercial controls employed by the Foundation and/or by the supplier in the delivery of services to the Foundation.
The result of the risk assessment shall be presented to the Foundation management team (or other appropriate review group, designated by the Board of Directors) for approval prior to agreeing contract terms with the supplier. If outsourcing an existing business process, the review group shall assess whether the Foundation will benefit overall by engaging with the supplier, taking into account both the commercial and information security aspects of the engagement. The review group may require that more information be gathered if they are unable to reach an approval decision based on the risk assessment presented. When the review group believe that the assessment is complete, they will make a recommendation to proceed or otherwise based on their analysis of the completed assessment. The review group may also make recommendations for additional controls to be put in place as part of any contractual agreements with the supplier.
The risk assessment report and the recommendations of the review group must be recorded for future reference.
6.4 Contracts and Confidentiality agreements
A formal contract between the Foundation and the supplier must exist to protect both parties. The contract shall clearly define the types of information exchanged and the purpose for so doing.
Information exchanged with the supplier must be classified and controlled in accordance with Foundation policy.
Unless the information being exchanged between the Foundation and the supplier is classified as public, a binding confidentiality agreement must be established between the Foundation and the supplier. This may be part of the contract itself or a separate non-disclosure agreement (which may, in any case, be required before the main contract is negotiated).
Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.
All contracts shall be submitted to the Foundation compliance team for review of their content, language and presentation.
The contract shall clearly define each party’s responsibilities toward the other by defining the parties to the contract, effective date, functions or services being provided (e.g. defined service levels), liabilities, limitations on use of sub-contractors and other commercial/legal matters normal to any contract. Depending on the results of the risk assessment, various additional controls should be embedded or referenced within the contract, such as:
- Legal, regulatory and other third-party obligations such as data protection/privacy laws, anti-money-laundering requirements, etc.
- Compliance with appropriate Foundation information security policies and controls.
- The Foundation’s right to monitor all use of Foundation facilities, networks, systems etc.
- The Foundation’s right to audit the supplier’s control environment and compliance with the contract, or to employ a mutually agreed independent third-party auditor for this purpose.
- Business continuity arrangements including crisis and incident management, resilience, backups and IT Disaster Recovery.
6.5 Hiring and Training of Employees
Supplier employees, contractors and consultants working on behalf of the Foundation shall be subject to background checks equivalent to those performed on Foundation employees. Such screening shall take into consideration the level of trust and responsibility associated with the position.
6.6 Access Controls
In order to prevent unauthorized access to the Foundation’s information assets by the supplier or its sub-contractors, suitable security controls are required. The details depend on the nature of the information assets and the associated risks. Particularly complicated processes may require a further risk assessment and the design of a suitable controls architecture.
Access Controls and user access management employed by suppliers must comply with the relevant Foundation policies.
If parts of the Foundation’s IT infrastructure are to be hosted at a third-party data centre, the data centre operator shall ensure that the Foundation’s assets are logically isolated from other systems.
The Foundation shall ensure that all information assets handed over to the supplier during the course of the contract (plus any copies made thereafter, including backups and archives) are duly retrieved or destroyed at the appropriate point on or before termination of the contract. In the case of highly classified information assets, this normally requires the use of a schedule or register and a process whereby the supplier formally accepts accountability for the assets at the point of handover.
6.7 Security Audits
Where a supplier handles Foundation or client sensitive information, or provides mission-critical services, the Foundation may choose to audit the supplier’s physical premises periodically for compliance with the Foundation’s security policies, ensuring that it meets the requirements defined in the contract.
Such an audit shall also take into consideration the service levels agreed in the contract, determining whether they have been met consistently and reviewing the controls necessary to correct any discrepancies.
The necessity and frequency of audit shall be determined by the service owner on advice from functions such as the Information Security Manager and Legal.
Any material produced as part of the audit process (findings, reports etc.) must be preserved for future reference.
Regular assessments are carried out for compliance against this policy. Any violation of this policy will be investigated and if the cause is found to be due to wilful disregard or negligence, it will be treated as a disciplinary offence. All disciplinary proceedings are coordinated through the Human Resources Department. The Foundation reserves the right to amend this policy at any time and will publish updated versions to all staff.