ISO:Supplier Relationships and Procurement
Hornbill chooses its suppliers carefully to ensure that our service delivery is not impacted\jeopardized and that they, at the very least, care about data security in the same way Hornbill does. Below are details on how we choose and monitor suppliers.
Supplier Relationships and Procurement
A Risk Assessment should be carried out to identify specific controls implemented before granting access to third parties or customers.
Identification of risk related to external party access to take account of the following: level of physical access, logical access to the external parties legal and regulatory requirements and other contractual obligations relevant to the external parties. For confidentiality of the information accessed by third party or customer, Non-Disclosure Agreements (NDAs) are signed.
Access to information and information processing facilities by third parties or customers is not provided unless an NDA is in force.
It should be ensured that the external party is aware of these obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating or managing information and information processing facilities.
Hornbill Technologies agrees with the external party those controls that the external party is required to implement and documents them in the contract or agreement, which is a legal agreement, that the third party signs. The obligations on the external party include ensuring that all its personnel are aware of their obligations where necessary.
The agreements between the organisation and external parties (whether suppliers or customers) are intended to be legally binding and must specifically include (or provide documented reasons for excluding any of) the items on the checklist below, and the requirement for which may have been identified through the risk assessment, from any such contract:
- the Information Security Policy
- the controls identified as required through the risk assessment process which may include procedures and technical controls
a clear definition and/or description of the product or service to be provided, and a description of information (including its classification) to be made available
- requirements for user and administrator education, training and awareness
- provisions for personnel transfer
- description of responsibilities regarding software and hardware installation, maintenance and de-commissioning
- clearly defined reporting process, reporting structure, reporting formats, escalation procedures and the requirement for the external party to adequately resource the compliance, monitoring and reporting activities
- a specified change management process
- controls against malware
- access control policy
- information security incident management
- the target level for service and security, unacceptable service and security levels, definition of verifiable performance and security criteria, monitoring and reporting
- the right to monitor and audit performance (including the third party’s processes for change management, vulnerability identification and information security incident management), to revoke activities, and to use external auditors
- continuity requirements
- liabilities on both sides, legal responsibilities and how legal responsibilities (including data protection and privacy) are to be met
- the protection of IPR and copyright
- controls over any allowed sub-contractors
- conditions for termination/re-negotiation of agreements, including contingency plans.
We are also committed to ensuring that there is no modern slavery or human trafficking in our supply chains or in any part of our business. We have zero tolerance to slavery and human trafficking. To ensure all those in our supply chain and contractors comply with our values we have in place a supply chain compliance programme.
All suppliers when reviewed (Either annually\new contract or prospective stage) are engaged to ensure that they to achieve the same ethical standards as ourselves. To ensure a high level of understanding of the risks of modern slavery and human trafficking in our supply chains and our business, we provide training on our Supplier management policy to all to our staff covered under the policy
Monitoring of Service Delivery
- All Incidents relating to a given Supplier will be logged in Hornbill Service manager. Each report is reviewed post incident to ensure actions taken to prevent recurrence, any effected controls are reviewed and where necessary any documentation\policies updated. The incident review also ensure that no contractual SLA\OLA was broken (Note that this is separate to and in addition of the ongoing standard Supplier review process detailed below), that our SLA\Uptime for customer was not jeopardized and that any legal obligations for data protection have been met. Any incident in which SLA\OLA\Uptime was jeopardized will result in review of supplier where appropriate.
- All Incidents will be reviewed during the annual management meeting to ensure they are aware of the incident and establish whether they wish to proceed with the given supplier.
- The external party agreement includes reporting structures, defines acceptable levels of performance and provides monitoring, inspection and audit rights.
- The relationship owner monitors performance against the service and security criteria contained in the agreement, ensures that reports required under the agreement are delivered as required and reviews them, and conducts regular progress meetings as required.
- The relationship owner ensures that information security incidents experienced by the third party are reviewed jointly and that relevant information security incidents experienced internally are communicated to the third party so that appropriate steps can be taken.
- The relationship owner identifies any problems of any sort (including operational problems, failures, faults and tracing faults, and disruptions), on either side of the relationship, and ensures that they are resolved, using the agreed escalation procedure where necessary.