Page 1: Version 1.1 Policy Number · 1.1 Muneeb Ahmad – ICT, IAU 09 May 2017 Update 3.3. Review, Verification and Approval Name Title Date Lamia Abdullah Aljafari Quality Director Dr. Saad

INSPIRING BUSINESS INNOVATION

SUPPLIER RELATIONSHIPS POLICY

Version 1.1

Policy Number:


SUPPLIER RELATIONSHIPS POLICY

Page 2/11

1. Table of Contents

1. Table of Contents
2. Property Information
3. Document Control
   3.1. Information
   3.2. Revision History
   3.3. Review, Verification and Approval
   3.4. Distribution List
4. Policy Overview
   4.1. Purpose
   4.2. Scope
   4.3. Terms and Definitions
   4.4. Change, Review and Update
   4.5. Enforcement / Compliance
   4.6. Waiver
   4.7. Roles and Responsibilities (RACI Matrix)
   4.8. Relevant Documents
   4.9. Ownership
5. Policy Statements
   5.1. Information Security Policy for Supplier Relationships
   5.2. Addressing Security within Supplier Agreements
   5.3. Information and Communication Technology Supply Chain
   5.4. Monitoring and Review of Supplier Services
   5.5. Managing Changes to Supplier Services


2. Property Information

This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The content of this document is Confidential and intended only for the valid recipients. This document is not to be distributed, disclosed, published or copied without the ICT Deanship's written permission.


3. Document Control

3.1. Information

Title | Classification | Version | Status
SUPPLIER RELATIONSHIPS POLICY | Confidential | 1.1 | validated

3.2. Revision History

Version | Author(s) | Issue Date | Changes
0.1 | Alaa Alaiwah - Devoteam | November 18, 2014 | Creation
0.2 | Nabeel Albahbooh - Devoteam | December 1, 2014 | Update
0.3 | Osama Al Omari - Devoteam | December 23, 2014 | Update
1.0 | Nabeel Albahbooh - Devoteam | December 31, 2014 | Update
1.1 | Muneeb Ahmad - ICT, IAU | 09 May 2017 | Update

3.3. Review, Verification and Approval

Name | Title | Date
Lamia Abdullah Aljafari | Quality Director |
Dr. Saad Al-Amri | Dean of ICT |

3.4. Distribution List

Copy # | Recipients | Location


4. Policy Overview

This section describes and details the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.

4.1. Purpose

The main purpose of the Supplier Relationships Policy is to ensure protection of IAU’s assets that are accessible by suppliers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

4.2. Scope

The policy statements written in this document are applicable to all IAU’s resources at all levels of sensitivity, including:

- All full-time, part-time and temporary staff employed by, or working for or on behalf of, IAU.
- Students studying at IAU.
- Contractors and consultants working for or on behalf of IAU.
- All other individuals and groups who have been granted access to IAU’s ICT systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as the foundation for information security management.

4.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

Term | Definition
Accountability | A security principle indicating that individuals shall be able to be identified and held responsible for their actions.
Asset | Information that has value to the organization, such as forms, media, networks, hardware, software and information systems.
Availability | The state of an asset or a service being accessible and usable upon demand by an authorized entity.
Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes.
Control | A means of managing risk, including policies, procedures and guidelines, which can be of an administrative, technical, management or legal nature.
Guideline | A description that clarifies what shall be done and how, to achieve the objectives set out in policies.
Information Security | The preservation of confidentiality, integrity and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
Integrity | Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle.
Owner | A person or group of people identified by Management as having responsibility for maintaining the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset.
Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives, such as programs or spending priorities, and choosing among them on the basis of the impact they will have.
Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Supplier | A party that provides equipment or services.
System | Equipment, or an interconnected system or subsystems of equipment, used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, including computer software, firmware and hardware.

Table 1: Terms and Definitions


4.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy shall be performed exclusively by the Information Security Officer and approved by Management. A change log shall be kept current and updated as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with this policy is mandatory and is reviewed periodically by the Information Security Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure continuous compliance monitoring within their area.

If the information security directives are ignored or infringed, IAU’s environment could be harmed (e.g., loss of trust and reputation, operational disruptions or legal violations); the persons at fault will be held responsible, which may result in disciplinary or corrective actions (e.g., dismissal) and legal investigations.

Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., in disciplinary action) has to be ensured. Management and the Human Resources Department have to be informed of policy violations and deal with their handling.

4.6. Waiver

Information security shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request shall accompany it. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include the justification and benefits attributed to the waiver.

A policy waiver is valid for a maximum period of 4 months and, if still necessary, shall be reassessed and re-approved for at most three consecutive terms. No policy waiver shall be granted for more than three consecutive terms.


4.7. Roles and Responsibilities (RACI Matrix)

Table 2 shows the RACI matrix [1], which identifies who is responsible, accountable, consulted or informed for every task that needs to be performed. The roles involved in this policy are: ICT Deanship, Information Security Officer (ISO), Project Management Office (PMO), Supplier, Human Resources Department / Administrative Unit (HR/A), Legal Department, Owner and User (Employee and Contractor).

Roles (table columns): ICT, ISO, PMO, Supplier, HR/A, Legal, Owner

Responsibility: Establishing and defining proper procedures for handling, processing, storing and communicating information.
Assignments: ICT R,A; ISO C; PMO R; Supplier C; HR/A C; Legal C; Owner I

Responsibility: Defining security roles and responsibilities for each Service Level Agreement (SLA).
Assignments (in column order as extracted; empty cells not recoverable): R,A; C; R; C; I

Responsibility: Auditing and monitoring suppliers’ access for security violations, improper use and assessment of need.
Assignments (in column order as extracted; empty cells not recoverable): R,A; C; C; I

Responsibility: Managing a relationship with suppliers.
Assignments (in column order as extracted; empty cells not recoverable): R,I; C; R,A; C; C

Responsibility: Implementing appropriate controls to protect the security of assets when a supplier accesses IAU’s environment.
Assignments (in column order as extracted; empty cells not recoverable): R,A; R,C

Table 2: Assigned Roles and Responsibilities based on RACI Matrix

4.8. Relevant Documents

The following policies and procedures are relevant to this policy:

- Information Security Policy
- Organization of Information Security Policy
- Operations Security Policy
- Communications Security Policy
- Compliance Policy
- Risk Management Policy
- Physical and Logical Access Control Procedure

[1] The responsibility assignment (RACI) matrix describes the participation of various roles in completing the tasks of a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off on (approves) a task that a Responsible performs; C stands for Consulted (or Counsel), who provides opinions; and I stands for Informed, who is kept up to date on task progress.

4.9. Ownership

This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin Faisal.


5. Policy Statements

The following subsections present the policy statements in 5 main aspects:

- Information Security Policy for Supplier Relationships
- Addressing Security within Supplier Agreements
- Information and Communication Technology Supply Chain
- Monitoring and Review of Supplier Services
- Managing Changes to Supplier Services

5.1. Information Security Policy for Supplier Relationships

1. At the time of entering into a contract and establishing the Service Level Agreement (SLA) under the contract, ICT Deanship and the Information Security Officer shall coordinate with the Project Management Officer to:
   a. Define the specific roles and responsibilities of each party.
   b. Identify all required security controls (e.g., processes and procedures) to be implemented by each party.
2. ICT Deanship, in cooperation with the Information Security Officer, shall only provide a supplier with access (e.g., VPN access) after the supplier has signed a confidentiality agreement. The confidentiality agreement executed between IAU and the supplier shall be in accordance with IAU’s legal compliance policy and business requirements.
3. Reports and records provided by a supplier shall be reviewed by ICT Deanship on a regular basis.
4. ICT Deanship, in cooperation with the Project Management Office, shall keep up to date their list of contracts and outsourced services, as well as SLA targets and the corresponding contact details. Similar contact details for ICT Deanship shall be provided to the supplier.

[ISO/IEC 27001: A.15.1.1]


5.2. Addressing Security within Supplier Agreements

1. ICT Deanship shall validate the security measures to be applied and have them defined within the contract with the supplier; any contract shall include the set of identified risks. Where supplier access requires the involvement of other participants:
   a. A clause shall be included in the access contract with the supplier specifying all other authorized participants as well as the conditions governing their access.
   b. In the case of sub-contracting or outsourcing, clauses on how to address and manage security risks, measures and procedures for systems, networks, technological infrastructure and sensitive information shall be included in the contract between the parties.
   c. For personnel with access to sensitive information, a stipulation that they shall obtain security clearance and commit to the strictest confidentiality by signing an agreement (e.g., a non-disclosure agreement (NDA) or confidentiality agreement) shall also be included in the contract.

[ISO/IEC 27001: A.15.1.2]

5.3. Information and Communication Technology Supply Chain

1. Access by suppliers to IAU’s information shall not be provided until the following conditions are fulfilled:
   a. The proper justifications have been provided.
   b. Management has approved it.
   c. The appropriate security controls have been implemented.
   d. Where applicable, a contract has been signed defining the terms and conditions.
2. ICT Deanship shall ensure that all security control measures are properly implemented in order to maintain the security of IAU’s information and ICT facilities that are accessed, processed or managed by suppliers.
3. Where there is a need to allow a supplier access to ICT facilities, a risk assessment shall be carried out to identify all security control requirements.

[ISO/IEC 27001: A.12.1.3]


5.4. Monitoring and Review of Supplier Services

1. ICT Deanship, in cooperation with the Information Security Officer, shall randomly audit supplier access (e.g., VPN access) for security violations, improper use and assessment of need.
2. ICT Deanship, in cooperation with the Project Management Officer, shall develop a procedure that identifies the roles and responsibilities for efficiently and effectively monitoring and reviewing supplier services.
3. IAU shall retain sufficient overall control and visibility into:
   a. All security aspects of sensitive information or ICT facilities that are accessed, processed or managed by a supplier.
   b. All security activities, such as change management, identification of vulnerabilities and incident reporting and response, through a defined process.
4. Responsibility for managing the relationship with a supplier shall be assigned to a designated individual or team from ICT Deanship and the Project Management Office.

[ISO/IEC 27001: A.12.2.1]

5.5. Managing Changes to Supplier Services

1. Changes to the provision of supplier services shall be managed based on the criticality of IAU’s systems and related processes.

-------------------------------------------------------- End of Document -------------------------------------------------------