2CLIX knows that your security and privacy are important and cares deeply about them.
INFORMATION SECURITY IN THE SUPPLY CHAIN
It is important for the organization to ensure that the pillars of Information Security maintained internally are also respected in its external relationships. Therefore, the hiring of external services must be carried out carefully, with the understanding that every external party brought into the business is a potential risk to Information Security.
Basic Information Security Requirements in the Supply Chain
Supplier Lifecycle
Every supplier must operate in accordance with the restrictions and scope defined in the contract, and the duration of their access will be defined by the contractual term.
During the first contact with a supplier, the services to be contracted must be presented, along with the security requirements that the supplier must follow when performing the services. At this stage, only supporting documents and a high-level overview of the environment in which the supplier will work may be shared.
Once the requirements have been defined and agreed upon, an NDA and the Contract must be signed to finalize and formalize the engagement. Only after these signatures have been obtained should access be created. For this purpose, the supplier must provide a list of the access it will require, together with the names of the employees who will perform the contracted activities.
During the term of the Contract, extensions may be formalized, as well as changes, if necessary — whether to expand the contracted services or to adapt to changes in the organization’s security policies, which must be updated and subsequently followed by the supplier.
At the end of the contract, if there is no extension, all access will be removed as soon as the necessary transitions are completed, with a deadline for revoking all access by the final date defined in the contract.
Types of Access
Suppliers must be assessed according to the actual and potential level of access to data that they will have in order to perform the contracted services.
- High: a high level of access means that the supplier will have access to the database or servers in some way. This generally involves VPN access by the supplier and, in particular, access with permissions that allow maintenance, editing or updating tasks on these assets.
- Moderate: a moderate level of access means that the supplier will not have direct access to the server or database, but their tasks allow access to information or assets of the organization and its employees, as well as access to internal documents.
- Low: a low level of access means that the data to which suppliers have access is primarily public or anonymized, focusing on more superficial or temporary services.
Minimum Security Requirements
All suppliers must follow the security requirements defined in the contract. Although different services carry different levels of information security risk, it is reasonable to assume that risk increases with the level of access. Therefore, the basic information security requirements for each level increase gradually.
- Low: the supplier must sign a confidentiality agreement, provide a list of personnel authorized to perform the contracted service and be in compliance with the General Data Protection Law (LGPD);
- Moderate: includes the requirements of the low level, plus the need to have an Information Security Policy and internal audit trails capable of generating reports upon request;
- High: includes the previous requirements, plus the need for mature access control policies, an implemented Information Security Management System, use of the VPN only when necessary for the performance of the contracted functions, performance of internal audits, compliance with the 2clix Information Security Policy, and a Business Continuity Plan and Risk and Incident Management processes.
Monitoring
Monitoring of compliance with the requirements can be carried out based on internal audit trails of both the organization and the supplier. The Security team may be called upon to perform an audit of the supplier, with the scope defined by the requirements agreed in the contracts.
Reports may also be produced by the Security team based on the assessment of services provided and their results for the organization.
Training
The organization must provide training to its employees regarding the use of the supplier’s services, explaining which types of information and access supplier personnel are permitted to use and which types of data and access are outside the scope of the supplier’s services. This is intended to ensure that the scope of roles and access is respected by all employees and that access to information is restricted only to what has been agreed in the contract.
Change of Supplier
In cases where there is a change of supplier, an adaptation period must be adopted to avoid data loss or unavailability of the Quality Portal during the transition. If necessary, a contract extension with the previous supplier may be used to ensure that data and processes have been fully transferred to the new supplier’s platform.
Documentation and Contracts
Supplier contracts must contain basic information security requirements based on the level of access the supplier will have, as well as specific requirements related to the contracted service.
These requirements must clearly state which services are contracted, what level of access the supplier will have, which information the supplier may access and, most importantly, which information must not be accessed by the supplier.
Acceptance of the Information Security Policy may be included in the contractual process, as well as compliance with local laws regarding information security and data protection.
INFORMATION SECURITY MANAGEMENT DURING THE SUPPLIER CONTRACT
Monitoring of Deliveries
Supplier deliverables must be evaluated by the Security and Administration teams, which must regularly assess the effectiveness of the services provided, the risks presented during the provision of services and the impact on the availability, integrity and reliability of the Quality Portal.
The supplier’s compliance with the agreed security requirements must also be evaluated, as well as a general review of the use of the access granted to the supplier. Thus, together with the continuous improvement process of the organization’s other security processes, the security requirements applied to the supplier are expected to evolve accordingly.
In the case of subcontractors, it must be ensured that information security requirements are followed throughout the entire chain, so that every subcontractor involved in services provided to 2CLIX TECNOLOGIA EIRELI meets at least the security requirements agreed in the contract with the primary supplier.
Reports on audit trails and security controls must be requested from suppliers, and audits may be carried out by the Security team if the organization deems it necessary.
Finally, the expectation is that there will be transparency regarding security incidents that occur at the supplier so that a proper risk analysis can be carried out and changes can be made to the contract to minimize observed risks.
Change Management
In addition to planning for supplier replacement, there is also the possibility of changes to the scope of supplier services according to the organization’s needs.
Thus, agreement reviews must be carried out not only when there is a need to adjust security processes and controls, but also when the services provided change. The organization may request improvements to current services, changes or improvements to infrastructure, migration to newer technologies, frameworks or versions, changes in the physical location of either the supplier or the organization, and changes in the chain of subcontractors.
Change requests may be initiated by the supplier or by the organization, and changes must be agreed upon by both parties and formalized in an addendum or amendment to the contract signed by both parties.
DOCUMENT MANAGEMENT
This document is valid from the date of its most recent approval and is the responsibility of the Administration team of 2CLIX TECNOLOGIA EIRELI. The update cycle for this document is annual and must always be based on an assessment of the effectiveness and suitability of this document in relation to the company’s other policies and processes.
To ensure a concise and clear assessment, the following evaluation criteria will be used:
- Feedback from interested parties regarding the effectiveness and impact of the ISMS;
- Trend in the number of security incidents caused by failures in suppliers’ security controls;
- Trend in the number of security incidents caused by unauthorized access by suppliers;
- Feedback from employees and teams based on training and interaction with suppliers;
- Trend in the number of incidents caused by lack of clear definition of security parameters in contracts;