Establish Contract Security Requirements for Third-Party Suppliers
Objective
Ensure that contracts with third-party suppliers are established to protect government information and assets from malware.
Description
- Establish contract security requirements for suppliers (or their sub-contractors/sub-processors) to protect government information and assets. This includes ensuring that the supplier works with the government in the event of a security incident or privacy breach affecting government information and assets.
- Confirm and document compliance with security requirements before awarding a contract or entering into an arrangement and before granting access to sensitive information.
- Maintain an ongoing vendor relationship with the third-party supplier, including regular review of compliance with security requirements and refresh of technologies, to support continued assurance of the security of the system and assets managed by the supplier on behalf of the government.
References
TBS
- DSM Appendix F (F.2.3.1.2b, F.2.3.1.2c, F.2.3.2.3, F.2.4 and F.2.5)
- DSD, Appendix G - System Management Configuration Requirements (4)
- Government of Canada Cyber Security Event Management Plan (GC CSEMP)
Related Security Controls (ITSG-33)
SA-4, PS-7