The organization must consider specific vulnerabilities associated with each direct supplier and service provider, as well as the overall quality of cybersecurity products and practices of its suppliers and service providers, including their secure development procedures.
Additionally, the organization must take into account the results of coordinated evaluations of security risks to critical supply chains conducted by the NIS Cooperation Group.
The organization should ensure that the data centers used by the organization have controls in place to protect ICT and information assets from unauthorized access, attacks, and accidents.
The data center should also have controls and plans in place to protect the assets from environmental threats and hazards. The protection from environmental threats and hazards should commensurate with the importance of the data centers and the criticality of the operations or ICT systems located there.
The organization establishes criteria for classifying service providers based on factors such as data sensitivity, volume, availability, regulatory compliance, and risk levels, regularly updating these classifications to manage potential impacts on the organization effectively.
All potential suppliers, providers of critical resources and other relevant third-parties are assessed before acquisition with means such as:
The organization should have defined and documented processes for terminating critical relationships with suppliers in both normal and adverse circumstances. Adverse circumstances could include:
The processes should at least define:
Organization has put in place exit strategies for any ICT services supporting critical or important functions to prepare for possible failures, deteriorations of quality or other business disruptions related service.
Exit strategies ensure that the organization can exit related contractual arrangements without:
Exit plans are comprehensive, documented and sufficiently tested and reviewed periodically.
As part of exit strategies, organisation has also identified alternative solutions and developed transition plans enabling them to switch services and transfer relevant data securely.
The security arrangements required for critical online services, such as security features, service levels, and management requirements, are carefully defined in advance. Online services include e.g. connections, networks and network security solutions (e.g. firewalls).
The security features of online services can be e.g. the following:
Minimum security requirements have been set for partner companies handling our confidential information and these have been included in supplier agreements. Requirements vary depending on how critical information the partner handles.
It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.
The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:
Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.
We define in advance the types of suppliers with whom cooperation requires access to confidential information or their processing areas, and through this e.g. demands data processing contracts. Such supplier types can be, for example, IT services, logistics, financial management and IT infrastructure components.
The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.
The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:
Organization should prioritize their partners based on:
In telecommunication services and contracts, the availability of services that are important for operations in the event of disruptions has been taken into account.
The network environments and telecommunication services of important services are verified, for example, by duplication. Communication can be physically duplicated along two different routes by two different operators.
In important environments, it is ensured that the failure of a single communication component does not interrupt the operation of the service.
For example, a separate communication connection can be installed on selected workstations, which you can access the public information network through.
The fault tolerance of connections outside of Finland should also be taken into account during the contract phase.
The organization regularly discusses information security with critical suppliers and other partners in supplier management meetings.
The organization must identify critical IT partners. A critical partner (internal or external) refers to a partner without whom the operation is interrupted.
For example, when the fault tolerance of a telecommunication network is critical, it can be further improved by procuring basic network services through several routes and through several service providers.
When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.
These can include responsibilities related e.g. to:
When the organisation chooses to use another cloud service provider’s services for the provision of its own offered cloud services, the organisation must make sure that the information security level of its customers is maintained or exceeded.
To ensure this the organisation must specify required security objectives to the subcontractors included in the supply chain. These objectives should require performing risk management to accomplish the objectives.
Tietoteknisissä ympäristöissä ja niihin liittyvissä sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa.
Tärkeiden palvelujen tietotekniset ympäristöt varmennetaan esimerkiksi kahdentamalla siten, että yksittäisten komponenttien vikaantumiset eivät aiheuta toiminnan edellyttämää palvelutasoa pidempiä käyttökatkoja.
Tietotekniset ympäristöt voidaan varmentaa varavoimalla tai varavoimaliitännöillä siten, että sähkönjakelu voidaan käynnistää riittävän nopeasti ja ylläpitää sitä riittävän ajan suhteessa toiminnan vaatimuksiin.
.png)
