Supplier Information Security Requirements Policy

Valid from 2020.06.17
Owner: Tarmo Randel, Information Security Manager

Scope

These requirements apply to any third party that has access to Bolt data. Some requirements are grouped according to the classification of the data processed by the third party; refer to the Data Classification Policy for a detailed explanation of the classification categories. Note that before any service or product is trialed, a proper check must be made to confirm that the third party can satisfy these requirements.

General requirements

A signed NDA is required whenever any data to be processed by a third party is classified as internal, restricted or confidential. If personal data is exchanged with a third party, a Data Processing Agreement MUST be signed before any data exchange occurs.

Any supplier must implement all agreed, as well as generally accepted, information security best practices across all supplied components and materials, including software, hardware and information, in order to safeguard the confidentiality, availability and integrity of Bolt data. Where applicable, the Supplier shall provide Bolt with full documentation of the implementation of their security controls.

The following items must be implemented and verified:

  • in cases where personal data is being exchanged, a GDPR-compliant Data Processing Agreement is required.
  • adequate technical and organisational measures are to be implemented on the connected systems. For purposes of clarity, the absolute minimum required is as follows:
    • access control rules and mechanisms.
    • securing exposed endpoints.
    • securing development and test environments.
    • demonstrating how data is secured at rest and in transit.
    • demonstrating the existence of vulnerability management capabilities.
    • demonstrating the existence of an incident management and software update process.
    • API secrets and password management.
    • log collection and monitoring.
    • a clearly defined service level agreement with contact data.

A Supplier holding proven HIPAA, PCI DSS, GDPR or ISO 27001 certification or validation has usually implemented these requirements; nevertheless, this must be verified rather than assumed. References to the relevant security controls should also be included in the supplier contract.

For all information-processing equipment providers and communication providers, a proper risk assessment must be carried out to identify possible risks and take any remedial steps that may be required.

Detailed requirements

Detailed information security requirements are to be checked by a member of the Internal IT or Information Security team after the agreement has been signed and before any real data processing takes place. In addition to the requirements presented here, the third party must have access to the Bolt Information Security Policy and agree in writing to comply with it. The detailed requirements are presented in checklist format in Appendix A.

Audit

On reasonable notice or information, and during normal working hours, Bolt shall have the right, but not the obligation, to review periodically the Supplier's operations, processes and systems insofar as they relate to the Services, for the purpose of monitoring the Supplier's compliance with the terms and conditions of this Policy.

Review and update

These requirements must be reviewed at least once a year by the document owner.

Appendix A

Checklist for common requirements of processing confidential, restricted and internal information

  • Access control
    • are user accounts centrally managed
    • are user access rights regularly reviewed
    • are there enforced requirements for password length and complexity
    • are access failures logged, alerted on and investigated
    • is multi-factor authentication in place
    • is PKI used in access control
    • are systems accessed directly over the public Internet
    • is there a work-from-home policy or practice in place
  • Incident prevention and vulnerability management
    • is the software on workstations centrally managed and regularly updated
    • is there centrally managed and monitored endpoint security software
    • is there a requirement or practice to apply encryption to data at rest
    • is there a requirement or practice to apply encryption to data in transit
    • are the workstations centrally manageable
    • is there an "acceptable use" type of policy that addresses common cyber hygiene topics
    • are there data backup policies or procedures
    • are the external and internal network perimeters regularly scanned
  • Incident handling policy and procedures
    • is there an incident classification and prioritisation matrix
    • is there an incident resolution escalation process
    • if a data breach classification exists for incidents, how many data breaches have been registered in the past 6 months

Checklist for processing confidential information

  • Incident handling policy and procedures
    • what additional data protection mechanisms are implemented

Checklist for processing public information

  • Data integrity
    • are there procedures in place to assure the integrity of the data