Example Suppliers

Below are some examples of suppliers and how they might look once filled in.

Google

Supplier Name

The name of the supplier.

Google

Supplier Description

A brief summary of what the supplier does for your organisation.

Used for Google Workspace suite including email.

Supplier Owner

The person responsible for the supplier.

Bilbo Baggins

Supplier Contact

The main point of contact for the supplier. This could be, for example, a support page on a website, or the name of a person responsible for liaising between your organisations.

Support Team

Supplier Email

The email address associated with the supplier.

support-in@google.com

Supplier Address

The address of the supplier.

Supplier Contact Number

The contact telephone number associated with the supplier.

Last Review Date

When the information for this supplier was last reviewed.

03/08/2023

Next Review Date

The date when this supplier will be next reviewed.

03/08/2024

Does the supplier hold ISO27001, or another externally validated certificate that is in line with or exceeds ISO27001?

Whether the supplier is certified against ISO27001. By Harpe's standards, holding an ISO27001 certification is an automatic pass in terms of security.

Yes

Does the supplier encrypt personal data at rest and in transit?

Encryption of data in transit and at rest refers to converting sensitive data into a form that cannot be read or understood by unauthorised parties, both while it is being transmitted from one location to another and while it is stored.

Yes

Does the supplier adhere to the principle of least privilege and have access control processes in place?

The principle of least privilege is the practice of ensuring employees have only the minimum permissions required to do their job. This combats permission creep, which becomes a security risk if someone ends up with access to information beyond what their role requires.

Yes

Does the supplier have processes in place to address risk management?

Whether the supplier has risk management processes in place.

Yes

Does the supplier train and engage their employees to become cyber aware?

Whether the supplier trains employees so that they have enough knowledge to be resistant to common cybersecurity threats, such as phishing emails.

Yes

Does the supplier have a process to manage assets throughout their lifecycle, including security and destruction?

Whether the supplier has an adequate process for the management of assets.

Yes

Does the supplier have a process to manage disaster recovery and the backups of critical systems?

Whether the supplier has a process for disaster recovery, including taking backups, to ensure system stability in the event of an incident.

Yes

Does the supplier have processes in place to identify and remediate vulnerabilities, such as penetration testing or vulnerability scanning?

Whether the supplier performs activities such as penetration testing or vulnerability scanning to identify vulnerabilities in their systems.

Yes

Does the supplier have logging and monitoring in place to identify incidents with their assets and data?

Whether the supplier has logging and monitoring enabled for their systems and tools to ensure any changes or breaches are recorded.

Yes

Does the supplier have an incident management process in place?

Whether the supplier has processes implemented to manage any incidents that occur.

Yes

Does the supplier have processes in place to protect and manage their supply chain?

Whether the supplier has processes in place to ensure their supply chain is secure.

Yes

Are there contracts that cover security requirements, data protection requirements and confidentiality?

Whether there are legally binding contracts and policies in place with the supplier to ensure cybersecurity requirements are safeguarded.

Yes

Does the supplier have a quality management system in place?

Whether the supplier has a system in place to ensure continued quality of its processes and deliverables.

Yes

Assessment result

Whether the supplier passes or fails based on the answers to these questions.

Pass

Conducted by

The person responsible for conducting this assurance assessment.

Bilbo Baggins

Disaster Recovery Plan

A step-by-step plan to enable business operations to be recovered or allowed to continue in the event of the supplier becoming unavailable or suffering an incident.

Step 1
* The Asset Owner shall contact Google Technical Support to establish the expected downtime and assess whether the provider will be able to restore services within our required timeframe. The Asset Owner shall be responsible for regularly requesting updates from the supplier until service is restored.

Step 1a
* The Asset Owner shall communicate with applicable colleagues and customers to inform them of the downtime of the application, including an estimated timeframe for resolution.

Step 1b
* Staff shall use alternative methods of communication for internal use such as Slack.

Step 1c
* The applicable teams shall communicate with customers via other methods until service is restored.

Step 1d
* Continue to chase the supplier until service is restored.

ONLY begin Step 2 if service cannot be fully restored and the downtime has reached an unacceptable timeframe with an unacceptable operational impact on the business.

Step 2
* If service cannot be fully restored, the Asset Owner shall assess an alternative, ensuring that Procedure - Supplier Evaluation Policy is followed if no equivalent supplier is already approved.

Step 3
* Upon successful approval of the new supplier, the Asset Owner shall liaise with the necessary teams to procure the new service.

Step 4
* The Asset Owner shall inform the Team when the new service is expected to go live.
* The Asset Owner shall inform the Team whether the new supplier is intended to become permanent or to serve as a temporary measure.
* The Asset Owner shall record the new supplier within the Asset Register and Security Assurance Tracker.

Step 5
* The Asset Owner shall ensure applicable staff members are trained on the new software by organising training material which can be in the form of a presentation.

Step 6
* The Asset Owner shall liaise with the Information Security team in order to complete a business impact assessment.

Security Considerations during DR

Any security considerations that must be paid attention to in the event of the supplier becoming unavailable or suffering an incident.

Reduced productivity: Businesses that rely on Gmail and Drive for communication and collaboration would be unable to access their emails and documents, which could lead to reduced productivity as employees struggle to communicate and work together. This could also lead to security risks, as businesses would be more likely to share sensitive information via unsecured channels if their email and documents are unavailable.

Increased IT costs: Businesses would need to invest in additional IT resources to manage their email and documents with alternative solutions if Gmail and Drive are unavailable. This could include purchasing new software, hiring additional IT staff, or using cloud-based solutions from other providers.

Data loss: In some cases, a major disaster at Google could lead to data loss. This could happen if Google's data centers were to be damaged or if there was a data breach. Businesses would be liable for any costs associated with data loss, including legal fees, lost business, and customer dissatisfaction.

Customer dissatisfaction: Businesses that rely on Gmail and Drive to communicate with customers would likely experience increased customer dissatisfaction if they are unable to provide their customers with the services they expect. This could lead to lost customers and revenue.

RPO (Recovery Point Objective)

The maximum tolerable loss of data, expressed in terms of time. For example, the loss of 2 hours' worth of work.

2 hours

RTO (Recovery Time Objective)

The maximum tolerable time in which a supplier can be unavailable. For example, if the RTO is 2 hours then the supplier should be available again after failure in less than 2 hours.

2 hours

BIA Owner

The person who is responsible for this disaster recovery assessment.

Bilbo Baggins

Last updated