Supplier Assurance Standard
Introduction
Patients Know Best is committed to providing the best service to our customers. As part of this commitment, we must be able to provide assurance to our customers that any information we or our suppliers process, either for ourselves or on our customers' behalf, is protected appropriately. We do this by ensuring that the Information Security and Data Privacy controls and practices of both ourselves and our suppliers are commensurate with the value of the information that is processed.
Scope
Supplier relationships and partnerships have become an integral and increasingly complicated component of the services we deliver to our customers. As prime contractors and service delivery providers, we are expected to manage the delivery of services through our supply chain and partnerships, whilst maintaining confidentiality, integrity, and availability of services and information, in accordance with contracts and associated SLAs.
This standard applies to all PKB personnel charged with the onboarding and management of PKB suppliers.
Responsibilities
Access to PKB systems and information imposes certain responsibilities and obligations on the individual and is granted subject to PKB policies, as well as UK and international law. All employees, within the scope of this standard, are responsible for understanding and adhering to the requirements of it and the details defined in the various other PKB security policies, and where applicable, the policies of PKB’s customers.
Employees are reminded that this policy comprises part of the standard terms and conditions of employment and any breach of the rules in this policy may result in disciplinary action up to and including dismissal.
Line Managers are responsible for the day-to-day management of staff and advice on the implementation of security procedures within their business areas and for ensuring compliance by their staff.
Personnel with supplier management responsibilities shall understand and implement the requirements of this standard. It is a requirement of this standard that the Information Governance team is informed of all new suppliers to enable information assurance evaluation where needed.
The Information Governance team shall conduct internal assessments to validate the effectiveness of the supplier management functions within PKB and is responsible for the creation and maintenance of this standard.
Supplier On-Boarding
In order to effectively manage the cost and delivery of services to our customers, PKB will ensure that all supplier and subcontractor relationships are managed, in alignment with formal contracts, service schedules, and Service Level Agreements (SLA); including penalty clauses and charges.
Suppliers will be subject to initial and ad-hoc information risk assessment and credit checks in order to manage risk and support the continuity and availability of services to customers.
Supplier onboarding will ensure the information risk profile of the supplier is ascertained and recorded, based on the following:
A description and scope of the services being procured.
A description of the physical locations where supplier/subcontractor services will be delivered from.
Known security incidents or security weaknesses of the supplier and/or its services.
The classification of the information sets that they will store, process, and/or transmit.
The classification of the PKB systems they will have access to.
The legal and regulatory requirements of the information sets and/or the systems in the scope of the proposed service.
The impact that can be caused to PKB and its customers by a failure to maintain Confidentiality, Integrity, and Availability of information and/or systems in the scope of the proposed service or proposed additions to the currently provided service.
Provision of information security requirements and controls to mitigate/manage the risks identified for the supplier, including but not restricted to:
Legally binding agreement detailing clearly defined information security and data protection requirements approved by the PKB legal and compliance functions.
Appropriate Information Security accreditation for the services provided, such as ISO27001.
Breach notification process.
The right to audit.
Communication and escalation paths.
Information Security and Data Privacy Risk and Impact Category
Suppliers shall be categorised by risk to allow PKB to manage the high-risk suppliers appropriately. PKB’s supplier impact rating aligns with the potential impact that suppliers could have on PKB’s business and reputation based on the information they will have or could have access to. The table below shows the tier of supplier based upon the potential impact that a supplier would have on PKB if it suffered a significant information breach that was made public, i.e. a supplier who lost a significant amount of Highly Confidential information or a high volume of personal information would have a critical impact and hence be tier 1. However, if the supplier lost only unclassified or public information then they could only have a small impact.
It should be understood that if a supplier is listed for a specific service but provides an additional, different service, then they must be re-categorised into the correct tier.
Supplier Risk Categories are as follows:
Supplier Category | Potential Impact | Example |
Tier 1 | Significant Impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to Highly Confidential information and/or systems classified as Highly Confidential that contain large volumes of sensitive or personal Information. |
Tier 2 | High Impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as PKB Confidential potentially including large volumes of personal information. |
Tier 3 | Moderate Impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as Internal which may or may not include small volumes of business personal information. |
Tier 4 | Low or negligible Impact to the organisation, its critical functions, workforce, business partners and/or its customers. | Supplier has access to information and/or systems classified as Public or is Unclassified. |
Security Assurance Controls
Once the impact category is defined, controls need to be specified for that supplier to ensure the risk level is acceptable to PKB and our customers of the proposed service.
The following minimum control requirements apply for each impact level:
Tier 1 Suppliers
Tier 1 suppliers represent those suppliers that hold information that will have a significant impact on PKB and our customers if the information is compromised. All suppliers within this category must demonstrate adherence to industry good practices in relation to Information Security and Data Privacy controls for the services proposed.
The following pre-onboarding activities must take place:
A review of the supplier's ISO 27001 certification (or an agreed similar industry-leading security standard such as ISAE 3402) and documentation covering all the services proposed. This shall include a demonstration of the scope of certification and the applicable security controls in scope for that certification AND;
The compliance questionnaire is completed, and appropriate evidence is supplied and reviewed. Where areas of concern are raised the supplier will be required to carry out a further assessment which may take the form of an on-site audit performed by the appropriate assurance teams within PKB.
These activities must be conducted before awarding the contract to the supplier.
The assessment shall dictate the contractual stipulations in place between PKB and its suppliers and at a minimum shall include:
The requirement to retain certification (as assessed by an external certification body) to the agreed security assurance standard (such as ISO 27001) for the term of the engagement and to cover all aspects of the services provided by the supplier.
The right for PKB to terminate the contract without penalisation where a significant security breach has occurred of PKB or customer information or if there is a failure to retain the agreed security assurance standard.
PKB's right to evidence the compliance of the supplier to the agreed security schedules.
PKB's right to audit the supplier (either in person or through an approved 3rd party) against the agreed security schedules.
The requirement for the supplier to notify PKB of any actual or suspected security breach involving PKB information or systems within agreed timescales.
Clear information security roles, responsibilities, and accountability for the services provided.
Requirements for information retention and disposal procedures to be in place.
Formal notification and the requirement for PKB to approve any subcontractors used by the supplier, where personal information is being shared or processed as part of the service.
Formal notification and the requirement for PKB approval prior to the information being transferred outside the EEA.
The requirement for supplier staff to be vetted against PKB-agreed standards.
The requirement to comply with all applicable legislation and regulations such as the General Data Protection Regulation (GDPR).
Further information security controls shall be identified through the risk assessment process and shall be built into the contract dependent on the service provided.
Where a Tier 1 supplier cannot evidence compliance to an agreed industry-recognised security standard, PKB will not procure related services from them.
Tier 2 Suppliers
Tier 2 suppliers represent those suppliers that process information that will have a high impact on PKB and our customers if the information is compromised. All suppliers within this category must demonstrate adherence to industry good practices in relation to Information Security and Data Privacy controls for the services proposed.
The following pre-onboarding activities must take place:
A review of the supplier's ISO 27001 certification (or an agreed similar industry-leading security standard such as ISAE 3402) and documentation covering all the services proposed. This shall include a demonstration of the scope of certification and the applicable security controls in scope for that certification OR;
An on-site information security focussed due-diligence assessment. The due diligence will incorporate a risk assessment of the supplier and must be performed by the appropriate assurance teams within PKB.
The activities above must be conducted before awarding the contract to the supplier.
The risk assessment and the output from the due diligence assessment shall dictate the contractual stipulations in place between PKB and its suppliers and at a minimum shall include:
The requirement to retain certification (as assessed by an external certification body) to the agreed security assurance standard (such as ISO 27001) for the term of the engagement and to cover all aspects of the services provided by the supplier.
The right for PKB to terminate the contract without penalisation where a security breach has occurred of PKB or customer information or if there is a failure to retain the agreed security assurance standard.
PKB's right to evidence the compliance of the supplier to the agreed security schedules.
PKB's right to audit the supplier at the intervals described in section 5 (either in person or through an approved 3rd party) against the agreed security schedules.
The requirement for the supplier to notify PKB of any actual or suspected security breach involving PKB information or systems within agreed timescales.
Clear information security roles, responsibilities, and accountability for the services provided.
Requirements for information retention and disposal procedures to be in place.
Formal notification and the requirement for PKB to approve any subcontractors used by the supplier, where personal or sensitive information is being shared/processed as part of the service.
Formal notification and the requirement for PKB approval prior to the information being transferred outside the EEA.
The requirement for supplier staff to be vetted against PKB-agreed standards.
The requirement to comply with all applicable legislation and regulations such as GDPR.
Tier 3 Suppliers
Tier 3 suppliers represent those suppliers that process information that will have only a moderate impact on PKB and our customers if the information is compromised.
The following pre-onboarding activities must take place:
A review of the supplier's ISO 27001 certification (or an agreed similar industry-leading security standard such as ISAE 3402) and documentation covering all the services proposed. This shall include a demonstration of the scope of certification and the applicable security controls in scope for that certification OR;
Completion of the due diligence questionnaire, which shall incorporate a risk assessment of the supplier.
The security stipulations within the PKB standard terms and conditions shall suffice unless the risk assessment / due diligence process highlights the need for non-standard terms and conditions. PKB will also reserve the right to increase due diligence activities should the supplier suffer a significant security breach or if there is a significant change in risk profile.
Tier 4 Suppliers
Tier 4 suppliers represent PKB’s ongoing supplier assurance programme:
Tier | Assurance Requirements | Frequency | Coverage of Suppliers | Failure to meet Assurance Requirements |
1 | Demonstration of current certification to the agreed industry-recognised standard AND Completion of compliance questionnaire (where required, onsite due diligence) | Annually | 100% | Terminate contract or escalate to PKB senior leaders for formal risk acceptance |
2 | Demonstration of current certification to the agreed industry-recognised standard OR Completion of compliance questionnaire (where required, onsite due diligence) | Annually | 30% | Formally give the supplier opportunity (based on risk appetite of PKB) to remediate the failings. If they cannot commit or cannot meet the requirements to remediate, look for an alternative supplier |
3 | Demonstration of current certification to the agreed industry-recognised standard OR Completion of compliance questionnaire | Annually | Where time permits | Formally give the supplier opportunity (based on risk appetite of PKB) to remediate the failings. If they cannot commit or cannot meet the requirements to remediate, look for an alternative supplier |
Supplier Performance
As appropriate, supplier performance will be regularly reviewed against contracted SLAs and any issues will be formally recorded and communicated to the supplier for investigation and explanation. Suppliers will be given sufficient time to remediate any Information Security non-conformance, dependent on the potential impact and the likelihood of the non-conformance resulting in a security incident involving PKB or our customer information.
Monitoring and Enforcement
PKB systems and information remain the property of PKB at all times and PKB reserves the right to monitor compliance to policies in line with all applicable laws and with due regard and respect for the fair treatment of all employees and to protect its network from systems and events that threaten or degrade operations.
PKB reserves the right to copy and examine any PKB-owned files or information resident on systems or devices if the device or its use is in contradiction to PKB Policy or allegedly related to unacceptable use. Those responsible may be subject to disciplinary action up to and including dismissal and where applicable may be referred to the police for prosecution.