...
Introduction
Patients Know Best is committed to providing the best service to our customers. As part of this commitment, we must be able to assure our customers that any information we, or our suppliers, process, whether for ourselves or on our customers' behalf, is protected appropriately. We do this by ensuring that the information security and data privacy controls and practices of both ourselves and our suppliers are commensurate with the value of the information that is processed.
...
Supplier Risk Categories are as follows:
| Supplier Category | Potential Impact | Example |
|---|---|---|
| Tier 1 | Significant impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to Highly Confidential information and/or systems classified as Highly Confidential that contain large volumes of sensitive or personal information. |
| Tier 2 | High impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as PKB Confidential, potentially including large volumes of personal information. |
| Tier 3 | Moderate impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as Internal, which may or may not include small volumes of business personal information. |
| Tier 4 | Low or negligible impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as Public or Unclassified. |
Security Assurance Controls
...
Tier 4 suppliers represent PKB’s ongoing supplier assurance programme:
| Tier | Assurance Requirements | Frequency | Coverage of Suppliers | Failure to meet Assurance Requirements |
|---|---|---|---|---|
| 1 | Demonstration of current certification to the agreed industry-recognised standard AND completion of a compliance questionnaire (plus onsite due diligence where required) | Annually | 100% | Terminate contract or escalate to PKB senior leaders for formal risk acceptance |
| 2 | Demonstration of current certification to the agreed industry-recognised standard OR completion of a compliance questionnaire (plus onsite due diligence where required) | Annually | 30% | Formally give the supplier the opportunity (based on PKB's risk appetite) to remediate the failings. If they cannot commit to, or cannot meet, the remediation requirements, look for an alternative supplier |
| 3 | Demonstration of current certification to the agreed industry-recognised standard OR completion of a compliance questionnaire | Annually | Where time permits | Formally give the supplier the opportunity (based on PKB's risk appetite) to remediate the failings. If they cannot commit to, or cannot meet, the remediation requirements, look for an alternative supplier |
Supplier Performance
As appropriate, supplier performance will be regularly reviewed against contracted SLAs, and any issues will be formally recorded and communicated to the supplier for investigation and explanation. Suppliers will be given sufficient time to remediate any information security non-conformance, dependent on the potential impact and the likelihood of the non-conformance resulting in a security incident involving PKB or our customers' information.
...