Supplier security

The organization must consider specific vulnerabilities associated with each direct supplier and service provider, as well as the overall quality of cybersecurity products and practices of its suppliers and service providers, including their secure development procedures.

Additionally, the organization must take into account the results of coordinated evaluations of security risks to critical supply chains conducted by the NIS Cooperation Group.

The organization should ensure that the data centers used by the organization have controls in place to protect ICT and information assets from unauthorized access, attacks, and accidents.

The data center should also have controls and plans in place to protect the assets from environmental threats and hazards. The protection from environmental threats and hazards should commensurate with the importance of the data centers and the criticality of the operations or ICT systems located there.

The organization establishes criteria for classifying service providers based on factors such as data sensitivity, volume, availability, regulatory compliance, and risk levels, regularly updating these classifications to manage potential impacts on the organization effectively.

All potential suppliers, providers of critical resources and other relevant third-parties are assessed before acquisition with means such as:

• Performing thorough due diligence that is proper to level of risk, criticality, and complexity of each supplier relationship and procurement planning
• Assessing the suitability of the technology and the risk management and cybersecurity practices
• Conducting supplier risk assessments against business and applicable cybersecurity requirements
• Assessing the authenticity, integrity, and security of critical products prior to acquisition and use

The organization should have defined and documented processes for terminating critical relationships with suppliers in both normal and adverse circumstances. Adverse circumstances could include:

• Data breach or security incident
• Legal, ethical or regulatory violations
• Contract breach or service failure

The processes should at least define:

• How assets containing organization's data are returned or disposed safely and supplier access to organizational resources is removed
• System continuity and resilience e.g. how dependent operations are kept functional when removing or changing supplier
• Component end-of-life maintenance support and obsolescence
• Means to prevent and mitigate data leakage or risks related to data and systems with supplier termination

Organization has put in place exit strategies for any ICT services supporting critical or important functions to prepare for possible failures, deteriorations of quality or other business disruptions related service.

Exit strategies ensure that the organization can exit related contractual arrangements without:

• disruption to their business activities
• non-compliance with regulatory requirements
• detriment to continuity and quality of services provided

Exit plans are comprehensive, documented and sufficiently tested and reviewed periodically.

As part of exit strategies, organisation has also identified alternative solutions and developed transition plans enabling them to switch services and transfer relevant data securely.

The security arrangements required for critical online services, such as security features, service levels, and management requirements, are carefully defined in advance. Online services include e.g. connections, networks and network security solutions (e.g. firewalls).

The security features of online services can be e.g. the following:

• required security-related technologies such as authentication, encryption technology, and network connection management tools
• the technical parameters required for a secure connection to network services
• online service usage criteria that restrict access to the online service or applications as needed

Minimum security requirements have been set for partner companies handling our confidential information and these have been included in supplier agreements. Requirements vary depending on how critical information the partner handles.

It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

We define in advance the types of suppliers with whom cooperation requires access to confidential information or their processing areas, and through this e.g. demands data processing contracts. Such supplier types can be, for example, IT services, logistics, financial management and IT infrastructure components.

The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.

The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:

• Evaluating interdependencies
• Assessing risks related to contracts provided by third parties
• Addressing the scalability of risk management based on the organization's size and needs

Organization should prioritize their partners based on:

• Sensitivity and confidentiality of data processed or possessed by suppliers
• The degree of access to the organization’s systems
• The importance of the products or services to the organization’s mission

In telecommunication services and contracts, the availability of services that are important for operations in the event of disruptions has been taken into account.

The network environments and telecommunication services of important services are verified, for example, by duplication. Communication can be physically duplicated along two different routes by two different operators.

In important environments, it is ensured that the failure of a single communication component does not interrupt the operation of the service.

For example, a separate communication connection can be installed on selected workstations, which you can access the public information network through.

The fault tolerance of connections outside of Finland should also be taken into account during the contract phase.

The organization regularly discusses information security with critical suppliers and other partners in supplier management meetings.

The organization must identify critical IT partners. A critical partner (internal or external) refers to a partner without whom the operation is interrupted.

For example, when the fault tolerance of a telecommunication network is critical, it can be further improved by procuring basic network services through several routes and through several service providers.

When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include responsibilities related e.g. to:

• Malware protection
• Cryptographic controls
• Backup
• Vulnerability and incident management
• Compliance and security testing
• Authentication, identity and access management

When the organisation chooses to use another cloud service provider’s services for the provision of its own offered cloud services, the organisation must make sure that the information security level of its customers is maintained or exceeded.

To ensure this the organisation must specify required security objectives to the subcontractors included in the supply chain. These objectives should require performing risk management to accomplish the objectives.

Tietoteknisissä ympäristöissä ja niihin liittyvissä sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa.

Tärkeiden palvelujen tietotekniset ympäristöt varmennetaan esimerkiksi kahdentamalla siten, että yksittäisten komponenttien vikaantumiset eivät aiheuta toiminnan edellyttämää palvelutasoa pidempiä käyttökatkoja.

Tietotekniset ympäristöt voidaan varmentaa varavoimalla tai varavoimaliitännöillä siten, että sähkönjakelu voidaan käynnistää riittävän nopeasti ja ylläpitää sitä riittävän ajan suhteessa toiminnan vaatimuksiin.