Outlining approach to supplier relationships

Policy statement

This control procedure defines the university’s approach to supplier relationships and directly supports the following policy statement from the information security policy:

“The University’s information security requirements will be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected. Supplier activity will be monitored and audited according to the value of the assets and the associated risks.”

Audience

This procedure should be read and understood by any university staff involved in supplier and contract management, especially those involved in establishing and maintaining relationships with external suppliers.

Control statements

Access to university systems and information is provided to suppliers and other interested organisations to promote partnership working, information sharing, service provision and support arrangements. We rely on the confidentiality, integrity and accuracy of our information, so it is essential that when working with these parties (e.g. suppliers, software providers, data controllers) information is secured in line with university requirements and professional best practice.

To achieve this, all contracts and relationships with suppliers should ensure that acceptable levels of information security are in place to protect university information. Expectations will differ depending on the nature of the information being shared and any known risks to that information. Consideration should be given to any associated risks in line with the Information Risk Management Policy and our agreed risk appetite position.

Security requirements for suppliers

In order to ensure that partners and suppliers meet the standards of information security required by the university, consideration should be given to the following information security components:

  • A clear description of services and service level agreement
  • Reference to relevant university policies and procedures
  • If personal data is being processed, the need to complete a Privacy Impact Assessment 
  • Requirements for asset protection and access control
  • Responsibilities and liabilities
  • Monitoring rights and reporting processes
  • Conditions of termination

All parties who are given access to university systems, whether suppliers, customers or otherwise, must agree to follow MMU information security policies or demonstrate that their own are functionally equivalent. Information security requirements are documented within all budget and procurement requirements.

Significant assurance can be taken from the presence of current and suitably scoped certifications: ISO/IEC 27001 for information security management, ISO 22301 for business continuity management, ISO/IEC 27017 for cloud security, and Cyber Essentials (expected mainly of HMG departments and providers of services to HMG). A certificate only provides assurance for the services and locations named in its scope, so the scope statement and expiry date should be checked against the service actually being procured.

Further assurance can be taken from the presence of policies and procedures related to:

  • Staff vetting – BPSS checks or right to work checks as a minimum in place for all employees. Enhanced personnel checks for those staff with higher access rights, where applicable.
  • Incident management – clear processes and policies in place including notifying the university of any security incident affecting our data.
  • Access control – ensuring segregation of duties and multi-factor authentication where possible.
  • Encryption – depending on the sensitivity of the data, consideration should be given to encryption at rest and in transit. Further advice can be obtained from the Information Security Team.

Responsibilities

When new supplier relationships are being established, or existing relationships renegotiated, data privacy and information security implications may arise. The project owner or system/service owner must follow existing university project management processes, which incorporate a number of key information security requirements, including completion of a privacy impact assessment. For assistance please contact the Information Security team.

If formal project processes are not being followed, it is the responsibility of the renewing contract manager to ensure that information security requirements and privacy implications are addressed. The contract manager should contact the Information Security team for further assistance.

External party access to University systems

Where appropriate, access to university systems may be granted to suppliers or other interested parties in support of collaborative working. The degree of access granted will vary according to specific need, but where possible access will be provided via VPN. Access controls will be suitably restricted so that suppliers have access only to the information they need to fulfil their role.

Contracts with contractors and sub-contractors will contain appropriate non-disclosure clauses and will address incident management considerations.

Asset Management

When a relationship with a supplier is being or has been terminated, consideration needs to be given to the return of physical assets and to the return or secure disposal of any university data held by that party. This should be managed by the contract manager and the Information Asset Manager responsible for the information assets.

Compliance

Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure. 

Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.

Review

A review of this procedure will be undertaken by the Information Security team annually, or more frequently as required, and will be approved by the Information Governance Board.

Version: 2.2
Release date: 19/09/2023
Review date: 19/08/2024