Information Security in supplier relationships
We inform our suppliers of the Information Security Guidelines established in our organization in order to demonstrate nettaro's commitment to protecting and guaranteeing the principles of confidentiality, integrity and availability of the information handled in the organization.
We operate an Information Security Management System whose scope covers not only the use of assets but also extends to all persons and third parties, who must know and comply with these Guidelines, structured according to ISO/IEC 27001. Both the Information Security Policy and the Guidelines are in line with the General Data Protection Regulation (GDPR).
Confidentiality of Information
In cases where information must be delivered to suppliers, or where a supplier must access the Institution's information as a result of providing a service, confidentiality and non-disclosure agreements must be applied between nettaro and the supplier, as reflected in the NDA – Confidentiality Agreement.
Information Exchange
In accordance with our philosophy of continuous improvement of our environmental performance, we periodically define objectives in this area. In addition, nettaro has environmental indicators with periodic monitoring that provide information regarding our environmental performance, serving as a basis for decision making and the establishment of lines of work. Any type of information exchange that takes place between nettaro and service providers shall be understood to have been carried out within the framework established by the corresponding service provision contract, so that said information may not be used outside this framework or for other purposes.
Appropriate Use of Information
Any file introduced into the nettaro network, or into any equipment connected to it, through automated media, the Internet, e-mail or any other means, must comply with the provisions of the POL-01 Security Policy of nettaro, available on the website https://www.nettaro.com.
Corporate Network Access
Corporate resources are protected with the technical security measures necessary to ensure the protection of information, whether they are accessed from the company's own facilities or externally.
Security Incident Communication
nettaro suppliers undertake to immediately communicate to the Systems Department, by e-mail at info@nettaro.com or through the person in charge of the service, any incident, weakness or threat (observed or suspected) detected in nettaro information systems or that may have affected information belonging to nettaro or its clients.
Review
This policy should be reviewed by the Systems Manager and the Management System Manager at least once a year, to align it with the needs of the organization.
Management is aware of the importance of this Policy and actively participates in its review.
Key Points
The key points of this policy are:
- Security requirements for products and services. nettaro will define the cybersecurity requirements that must be met by the products or services it acquires from suppliers. These requirements will be consistent with the organization’s information security policies and we will extend them to suppliers, providers, collaborators, partners, sales and distribution channels, etc.
- Define contractual clauses on information security. In order to establish rigorous contracts and agreements on cybersecurity, nettaro will detail the most relevant issues that should be reflected in contracts with our suppliers. All these aspects can be reflected in contracts and in confidentiality and data-access agreements:
  - Determine what information is accessed, how it can be accessed, and its classification and protection;
  - Ensure that, once the contract is terminated, the supplier will no longer be able to access or maintain the sensitive information;
  - Reflect the appropriate legal requirements:
    - GDPR compliance;
    - Compliance with the LSSI;
    - Compliance with intellectual property rights;
  - Reflect the right of audit and control over relevant aspects of the agreement;
  - Include situations leading to termination of the contract;
  - Define specific guarantees:
    - Financial penalties in case of non-compliance;
    - Economic losses due to inactivity;
    - Additional certifications and warranties.
- Define specific responsibilities for both parties. We will establish by contract, and with possible penalties, whether the supplier or we are responsible for each aspect related to security:
  - Controlling who accesses or transforms sensitive information, and why;
  - Performing backups and controlling the logs, etc.;
  - Activating, maintaining and controlling security systems: anti-malware, firewall, communications encryption, etc.
- Define the SLAs (Service Level Agreements). In order to establish the quality characteristics and guarantees of the acquired service, we must define and sign the corresponding SLAs with the suppliers. The most relevant aspects to define in an SLA are:
  - Responsibilities of each party;
  - Duration of the agreement;
  - Detail of the level of service offered, including:
    - Allowable error rates;
    - Time availability;
    - Response and resolution times;
    - Contact channels;
    - Incident escalation and notification process;
    - Procedures for the resolution of problems and incidents;
    - Personnel assigned to the service;
  - Procedures for monitoring and control of the service;
  - Penalties in case of non-compliance;
  - Measurement of satisfaction with the service received.
- Mandatory security controls. In order to ensure the contracting of a secure outsourcing service, the security controls that we consider mandatory will be identified. These controls must take into account the following aspects:
  - IT services and components to which the organization allows access;
  - What information relevant to the organization can be accessed, and by what method of access;
  - How to manage any incident related to suppliers' access to our systems;
  - Review of compliance with the agreed SLAs.
- Be part of forums and organizations of users of the software products/services used. It can be of great interest to participate in forums and associations about the products we have acquired, since this allows us to consult the main functionalities, news and vulnerabilities concerning them. In addition, we will review the reputation of our suppliers, as well as the certifications and quality seals they hold.
- Certification of contracted services. For particularly critical services, we can require companies to guarantee that they hold some of the certifications related to quality in information security management. Among these, the following should be highlighted:
  - ISO 27001 Certification of Information Security Management Systems;
  - ISO 22301 Business Continuity Management Certification.
- Audit and control of the contracted services. To ensure the quality of the contracted service at all times, nettaro will establish the way to monitor, review and audit the services of its suppliers in aspects related to cybersecurity. We will establish the way to manage any problems arising with products or services of our suppliers. We will extend these practices to the entire supply chain.
- Termination of the contractual relationship. It is important to guarantee the security of the information upon termination of the contracted services. For this purpose, we will formalize the actions to be taken once the service is finished:
  - Indication of the assets to be returned;
  - Elimination of access permissions;
  - Deletion of sensitive organizational information stored in the supplier's systems.
In Madrid, 8th February 2024
Managing Director of nettaro.