Principles of supply chain security
- Understand what needs to be protected and why
- Know who your suppliers are and build an understanding of their security measures
- Understand the security risks posed by your supply chain
- Communicate your view of security needs to your suppliers
- Set and communicate minimum security requirements for your suppliers
- Build security considerations into your contracting process and require your suppliers to do the same
- Meet your own security responsibilities as a supplier and consumer
- Raise awareness of security within your supply chain
- Provide support for security incidents
- Build assurance activities into your supply chain management
- Encourage the continuous improvement of security within your supply chain
- Build trust with suppliers
GOV031
Set and communicate minimum security requirements for your suppliers
You should set minimum security requirements for suppliers that are justified, proportionate, and achievable. Consider your minimum requirements for:
- security governance
- personnel security
- information security
- physical security.
Make sure these requirements reflect your assessment of security risks. But also take account of how well established your suppliers’ security arrangements are. Consider their ability to meet your intended requirements.
Be specific. If you just include a general condition in the contract that the service provider must comply with the PSR, it’s unlikely to be appropriate or enforceable.
Identify circumstances where it might be disproportionate to expect suppliers to meet your minimum security requirements, for example suppliers who only need ad hoc or occasional access to limited and specific data, or to your premises. Document these considerations.
Give the contractor guidance on the steps you plan to take to manage your security requirements. This guidance could reduce your workload and avoid additional, unnecessary work for contractors.
Confirming people’s suitability with pre-employment checks
Specify the minimum pre-employment checks you expect your suppliers to conduct for their employees. Align your minimum checks with the base pre-employment checks conducted by government organisations:
- confirm their identity
- confirm their nationality
- confirm their right to work in New Zealand
- check references with their former employer(s)
- conduct a criminal record check.
When you identify an increased security risk related to a specific role or the nature of the access your supplier has, additional checks could be necessary. For example, an IT administrator for a managed service provider may have broad access to your organisation’s information. You may require further checks to ensure they are trustworthy and identify factors in their life that may increase the risk of insider threat.
Get security clearance for any contractors who’ll handle protectively-marked information
Your organisation is responsible for sponsoring, arranging, and managing security clearances throughout the life of a contract.
If a contractor’s employees need to access protectively-marked information classified CONFIDENTIAL or above, you must ensure each person has a security clearance to the appropriate level. Check with the New Zealand Security Intelligence Service (NZSIS) to find out if any of the employees already hold a valid security clearance.
Anyone who doesn’t hold the correct security clearance should not have unescorted access to anywhere that protectively-marked information is handled or stored.
Set security requirements case by case
Consider setting different security requirements for different types of contracts, based on their associated risks. Avoid forcing all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified.
When you set security requirements, explain the rationale for them to your suppliers, and require your suppliers to pass these requirements down to any sub-contractors.
Include your minimum security requirements in your procurement documents and the contracts you have with suppliers.
If your organisation conducts character checks for your own people, consider whether to conduct the same checks for service providers’ employees.
If a contractor needs access to official information, they should sign a non-disclosure agreement.
Page last modified: 4/05/2022