Principle 3 - Secure the Supply Chain
Detail
The procurement process should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement.
Understand the role suppliers play in securing the service. Define where risk ownership resides and/or if there are any shared risks.
Third-party services, such as hosting services or the management of environments by system integrators, must be under a contractual obligation to protect the data and services they provide to the system.
Service operations and management processes should ensure that procedures exist to securely dispose of, or retrieve, all critical system information assets during decommissioning, whether as part of a transition or an end-of-life activity.
Decision Evaluation Criteria:
- Has the project taken up references for all organisations within the supply chain?
- Has a risk assessment been undertaken for the use of every organisation involved in the delivery of the project?
- Does service process documentation exist that specifically identifies and categorises all information assets and their location, both logically and physically, within the service in question?
- Do procedures exist to ensure the secure disposal, or secure retrieval and storage, of all critical information assets within the service, including (but not limited to) the purging of hard disk drives, volatile memory and all other media?
- Have appropriate standards for secure disposal been identified?
- Are appropriate checks and balances in place to verify and certify that secure destruction has occurred?
- Have all functional and non-functional system requirements related to secure decommissioning and information asset disposal been identified and addressed in the system design?
Basis
- CCSLP - Secure the supply chain
- GDS CSP 8 - Supply chain security
- NIST 28 - Ensure proper security in the shutdown or disposal of a system