Introduction
Patients Know Best is committed to providing the best service to our customers. As part of this commitment we must be able to assure our customers that any information we, or our suppliers, process, either for ourselves or on our customers' behalf, is protected appropriately. We do this by ensuring that the Information Security and Data Privacy controls and practices of both ourselves and our suppliers are commensurate with the value of the information that is processed.
...
A description and scope of the services being procured.
A description of the physical locations where supplier/subcontractor services will be delivered from.
Known security incidents or security weaknesses of the supplier and/or its services.
The classification of the information sets that they will store, process, and/or transmit.
The classification of the PKB systems they will have access to.
The legal and regulatory requirements of the information sets and/or the systems in the scope of the proposed service.
The impact that could be caused to PKB and its customers by a failure to maintain the Confidentiality, Integrity, and Availability of information and/or systems in the scope of the proposed service, or of proposed additions to the currently provided service.
Provision of information security requirements and controls to mitigate/manage the risks identified for the supplier, including but not restricted to:
Legally binding agreement detailing clearly defined information security and data protection requirements approved by the PKB legal and compliance functions.
Appropriate Information Security accreditation for the services provided, such as ISO27001.
Breach notification process.
The right to audit.
Communication and escalation paths.
...
Supplier Risk Categories are as follows:
Supplier Category | Potential Impact | Example |
---|---|---|
Tier 1 | Significant impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to Highly Confidential information and/or systems classified as Highly Confidential that contain large volumes of sensitive or personal information. |
Tier 2 | High impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as PKB Confidential, potentially including large volumes of personal information. |
Tier 3 | Moderate impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as Internal, which may or may not include small volumes of business personal information. |
Tier 4 | Low or negligible impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as Public or Unclassified. |
Security Assurance Controls
...
Tier 4 suppliers represent th...
PKB's ongoing supplier assurance programme:
Tier | Assurance Requirements | Frequency | Coverage of Suppliers | Failure to meet Assurance Requirements |
---|---|---|---|---|
1 | Demonstration of current certification to the agreed industry recognised standard AND completion of compliance questionnaire (where required, onsite due diligence) | Annually | 100% | Terminate contract or escalate to PKB senior leaders for formal risk acceptance |
2 | Demonstration of current certification to the agreed industry recognised standard OR completion of compliance questionnaire (where required, onsite due diligence) | Annually | 30% | Formally give the supplier the opportunity (based on PKB's risk appetite) to remediate the failings. If they cannot commit to, or cannot meet, the requirements to remediate, look for an alternative supplier |
3 | Demonstration of current certification to the agreed industry recognised standard OR completion of compliance questionnaire | Annually | Where time permits | Formally give the supplier the opportunity (based on PKB's risk appetite) to remediate the failings. If they cannot commit to, or cannot meet, the requirements to remediate, look for an alternative supplier |
Supplier Performance
As appropriate, supplier performance will be regularly reviewed against contracted SLAs, and any issues will be formally recorded and communicated to the supplier for investigation and explanation. Suppliers will be given sufficient time to remediate any information security non-conformance, depending on the potential impact and the likelihood of the non-conformance resulting in a security incident involving PKB or our customers' information.
...