INSPIRING BUSINESS INNOVATION
SUPPLIER RELATIONSHIPS POLICY
Version 1.1
Policy Number:
1. Table of Contents
1. Table of Contents (p. 2)
2. Property Information (p. 3)
3. Document Control (p. 4)
3.1. Information (p. 4)
3.2. Revision History (p. 4)
3.3. Review, Verification and Approval (p. 4)
3.4. Distribution List (p. 4)
4. Policy Overview (p. 5)
4.1. Purpose (p. 5)
4.2. Scope (p. 5)
4.3. Terms and Definitions (p. 5)
4.4. Change, Review and Update (p. 7)
4.5. Enforcement / Compliance (p. 7)
4.6. Waiver (p. 7)
4.7. Roles and Responsibilities (RACI Matrix) (p. 8)
4.8. Relevant Documents (p. 8)
4.9. Ownership (p. 9)
5. Policy Statements (p. 10)
5.1. Information Security Policy for Supplier Relationships (p. 10)
5.2. Addressing Security within Supplier Agreements (p. 11)
5.3. Information and Communication Technology Supply Chain (p. 11)
5.4. Monitoring and Review of Supplier Services (p. 12)
5.5. Managing Changes to Supplier Services (p. 12)
2. Property Information
This document is the property information of Imam Abdulrahman bin Faisal University - ICT Deanship. The
content of this document is Confidential and intended only for the valid recipients. This document is not
to be distributed, disclosed, published or copied without ICT Deanship written permission.
3. Document Control
3.1. Information
Title: SUPPLIER RELATIONSHIPS POLICY
Classification: Confidential
Version: 1.1
Status: Validated
3.2. Revision History
Version | Author(s) | Issue Date | Changes
0.1 | Alaa Alaiwah - Devoteam | November 18, 2014 | Creation
0.2 | Nabeel Albahbooh - Devoteam | December 1, 2014 | Update
0.3 | Osama Al Omari - Devoteam | December 23, 2014 | Update
1.0 | Nabeel Albahbooh - Devoteam | December 31, 2014 | Update
1.1 | Muneeb Ahmad - ICT, IAU | 09 May 2017 | Update
3.3. Review, Verification and Approval
Name | Title | Date
Lamia Abdullah Aljafari | Quality Director |
Dr. Saad Al-Amri | Dean of ICT |
3.4. Distribution List
Copy # | Recipients | Location
4. Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update,
enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.
4.1. Purpose
The main purpose of the Supplier Relationships Policy is to:
Ensure protection of IAU's assets that are accessible by suppliers; and maintain an agreed level of information
security and service delivery in line with supplier agreements.
4.2. Scope
The policy statements written in this document are applicable to all IAU’s resources at all levels of sensitivity;
including:
All full-time, part-time and temporary staff employed by, or working for or on behalf of IAU.
Students studying at IAU.
Contractors and consultants working for or on behalf of IAU.
All other individuals and groups who have been granted access to IAU’s ICT systems and
information.
This policy covers all information assets defined in Risk Assessment Scope Document and will be used as
foundation for information security management.
4.3. Terms and Definitions
Table 1 provides definitions of the common terms used in this document.
Term | Definition
Accountability | A security principle indicating that individuals shall be able to be identified and to be held responsible for their actions.
Asset | Information that has value to the organization such as forms, media, networks, hardware, software and information systems.
Availability | The state of an asset or a service of being accessible and usable upon demand by an authorized entity.
Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes.
Control | A means of managing risk, including policies, procedures, and guidelines which can be of administrative, technical, management or legal nature.
Guideline | A description that clarifies what shall be done and how, to achieve the objectives set out in policies.
Information Security | The preservation of confidentiality, integrity, and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
Integrity | Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle.
Owner | A person or group of people who have been identified by Management as having responsibility for the maintenance of the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset.
Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives such as programs or spending priorities, and choosing among them on the basis of the impact they will have.
Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Supplier | A party that provides equipment or services.
System | Equipment, or an interconnected system or subsystems of equipment, that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data and that includes computer software, firmware and hardware.
Table 1: Terms and Definitions
4.4. Change, Review and Update
This policy shall be reviewed once every year unless the owner considers an earlier review necessary to
ensure that the policy remains current. Changes of this policy shall be exclusively performed by the
Information Security Officer and approved by Management. A change log shall be kept current and be updated
as soon as any change has been made.
4.5. Enforcement / Compliance
Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security
Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure continuous
compliance monitoring within their area.
In case of ignoring or infringing the information security directives, IAU's environment could be harmed (e.g.,
loss of trust and reputation, operational disruptions or legal violations), and the persons at fault will be held
responsible, resulting in disciplinary or corrective actions (e.g., dismissal), and could face legal investigations.
A correct and fair treatment of employees who are under suspicion of violating security directives (e.g.,
disciplinary action) has to be ensured. For the treatment of policy violations, Management and Human
Resources Department have to be informed and deal with the handling of policy violations.
4.6. Waiver
Information security shall consider exceptions on an individual basis. For an exception to be approved, a
business case outlining the logic behind the request shall accompany the request. Exceptions to the policy
compliance requirement shall be authorized by the Information Security Officer and approved by the ICT
Deanship. Each waiver request shall include justification and benefits attributed to the waiver.
The policy waiver period has a maximum duration of 4 months, and shall be reassessed and re-approved, if
necessary, for a maximum of three consecutive terms. No policy shall be granted a waiver for more than three
consecutive terms.
4.7. Roles and Responsibilities (RACI Matrix)
Table 2 shows the RACI matrix (see footnote 1) that identifies who is responsible, accountable, consulted or informed for
every task that needs to be performed. Several roles are involved in this policy, respectively: ICT
Deanship, Information Security Officer (ISO), Project Management Office (PMO), Supplier, Human Resources
Department / Administrative Unit (HR/A), Legal Department, Owner and User (Employee and Contractor).
Responsibilities | Roles: ICT, ISO, PMO, Supplier, HR/A, Legal, Owner
Establishing and defining proper procedures for handling, processing, storing and communicating information. | R,A C R C C C I
Defining security roles and responsibilities for each Service Level Agreement (SLA). | R,A C R C I
Auditing and monitoring suppliers' access for security violations, improper use and assessment of need. | R,A C C I
Managing a relationship with suppliers. | R,I C R,A C C
Implementing appropriate controls to protect the security of assets when a supplier accesses IAU's environment. | R,A R,C
Table 2: Assigned Roles and Responsibilities based on RACI Matrix
1 The responsibility assignment RACI matrix describes the participation by various roles in completing tasks for a business process. It is
especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs
a task; A stands for Accountable (or Approver), who signs off (approves) on a task that a Responsible performs; C stands for Consulted (or
Consul), who provides opinions; and I stands for Informed, who is kept up-to-date on task progress.
4.8. Relevant Documents
The following are all policies and procedures relevant to this policy:
Information Security Policy
Organization of Information Security Policy
Operations Security Policy
Communications Security Policy
Compliance Policy
Risk Management Policy
Physical and Logical Access Control Procedure
4.9. Ownership
This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin Faisal.
5. Policy Statements
The following subsections present the policy statements in 5 main aspects:
Information Security Policy for Supplier Relationships
Addressing Security within Supplier Agreements
Information and Communication Technology Supply Chain
Monitoring and Review of Supplier Services
Managing Changes to Supplier Services
5.1. Information Security Policy for Supplier Relationships
1. At the time of entering into a contract and establishing the Service Level Agreement (SLA) under the
contract, ICT Deanship and Information Security Officer shall coordinate with Project Management
Office to:
a. Define specific roles and responsibilities of each party.
b. Identify all required security controls (e.g., processes and procedures) to be implemented by
each party.
2. ICT Deanship in cooperation with Information Security Officer shall only provide a supplier access
(e.g., VPN access) after the supplier has signed a confidentiality agreement. The confidentiality agreement
executed between IAU and the supplier shall be in accordance with IAU's legal compliance policy and
business requirements.
3. Reports and records provided by a supplier shall be reviewed by ICT Deanship on a regular basis.
4. ICT Deanship in cooperation with Project Management Office shall keep up to date their list of contracts
and outsourced services, as well as SLA targets and their corresponding contact details. Similar contact
details for ICT Deanship shall be provided to the supplier.
[ISO/IEC 27001: A.15.1.1]
5.2. Addressing Security within Supplier Agreements
1. ICT Deanship shall validate the security measures to be applied and have them defined within the
contract with the supplier; any contract shall include the set of identified risks. When supplier access
requires the involvement of other participants:
a. The access contract with the supplier shall include a clause specifying all other authorized
participants as well as the conditions governing their access.
b. In the case of sub-contracting or outsourcing, clauses on how to address and manage security
risks, measures and procedures for systems, networks, technological infrastructures and
sensitive information shall be included in the contract between the parties.
c. For personnel with access to sensitive information, a stipulation that they shall obtain security
clearance and commit to the strictest confidentiality by signing an agreement (e.g., a
non-disclosure agreement "NDA" or confidentiality agreement) shall also be included in the
contract.
[ISO/IEC 27001: A.15.1.2]
5.3. Information and Communication Technology Supply Chain
1. Access by suppliers to IAU's information shall not be provided until the following are fulfilled:
a. The proper justifications have been provided.
b. Management has approved it.
c. The appropriate security controls have been implemented.
d. Where applicable, a contract has been signed defining the terms and conditions.
2. ICT Deanship shall ensure that all security control measures are properly implemented in order to
maintain the security of IAU's information and ICT facilities that are accessed, processed, or managed
by suppliers.
3. Where there is a need to allow a supplier access to ICT facilities, a risk assessment shall be carried
out to identify all security control requirements.
[ISO/IEC 27001: A.12.1.3]
5.4. Monitoring and Review of Supplier Services
1. ICT Deanship in cooperation with Information Security Officer shall randomly audit supplier access
(e.g., VPN access) for security violations, improper use and assessment of need.
2. ICT Deanship in cooperation with Project Management Office shall develop a procedure that
identifies the roles and responsibilities for efficiently and effectively monitoring and reviewing
supplier services.
3. IAU shall retain sufficient overall control and visibility into:
a. All security aspects for sensitive information or ICT facilities that are accessed, processed,
or managed by a supplier.
b. All security activities such as change management, identification of vulnerabilities and incident
reporting and response, through a defined process.
4. Responsibility for managing the relationship with a supplier shall be assigned to a designated individual
or team from ICT Deanship and Project Management Office.
[ISO/IEC 27001: A.12.2.1]
5.5. Managing Changes to Supplier Services
1. Changes to the provision of supplier services shall be managed based on the criticality of IAU’s
systems and related processes.
-------------------------------------------------------- End of Document -------------------------------------------------------