Principle
The organisation understands and manages security risks to networks and information systems supporting the delivery of essential services that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
Description
If an organisation relies on third parties (such as outsourced or cloud based technology services) it remains accountable for the protection of any essential service. This means that there should be confidence that all relevant security requirements are met regardless of whether the organisation or a third party delivers the service.
For many organisations, it will make good sense to use third party technology services. Where these are used, it is important that contractual agreements provide provisions for the protection of things upon which the essential service depends.
Guidance
Operators of essential services need to ensure that when third party suppliers are used, all relevant security requirements are met. This means that a number of specific supply chain related security considerations should be addressed where relevant to the provision of the essential service. This might include:
- Ensuring the protection of data shared with a third party. This includes protecting data from actions such as unauthorised access, modification, or deletion that may cause disruption to the essential services (see Principle B3).
- Effective specification of the security properties of products or services procured from a third party that are important for the protection of the essential service. This should include the security requirements derived from the rest of these Principles.
- Ensure that any network connections or data sharing with third parties do not introduce unmanaged vulnerabilities that have the potential to affect the security of the essential service.
- Confidence that third party suppliers are trustworthy such that malicious attempts to subvert the security of products or systems that could affect the essential service are managed.
NCSC Supply Chain Security
Our guidance on supply chain security gives an overview of supply chain risks and indicators of good practice. It also provides references to further reading and guidance.
Cloud service security
Where your organisation relies upon a cloud service, you should have confidence in the cyber security measures in place. Consider cloud-specific supply chain assurance guidance in NCSC cloud security principle 8: supply chain together with many cloud security assurance resources, including industry schemes such as the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) academic research and cloud provider information.
References
NCSC cloud security principle 8: supply chain
Security, Trust & Assurance Registry (STAR)
< Back to Principle A3 Forward to Principle B1 >
Source: NCSC
