Security Policy for Contractors / Consultants / Suppliers

This document specifies the requirements that must be met by contractors in the handling, management, storage and processing of information belonging to DFID or its partners.

Information Security

  • Information security is the preservation of confidentiality, integrity and availability of DFID information. It may also include the authenticity, accountability, non-repudiation and reliability of DFID information depending on circumstances. Information risk means the risks to the security of DFID’s information.

Objectives

  • DFID requires the security of its information to be maintained in order to ensure that DFID is able to rely on its information for its business needs and meets its statutory, regulatory and HM Government policy obligations.
  • DFID is certified as compliant with ISO/IEC 27001 and applies security controls consistent with this certification.

Information Risk Assessment and Management

  • DFID uses HMG-mandated risk assessment methodologies (as detailed in HMG Information Assurance Standard 1 Parts 1 and 2).
  • Residual information risks can only be accepted by the DFID Senior Information Risk Owner or the DFID Accreditor to agreed levels.
  • DFID does not accept information risks assessed at ‘medium-high’ or above.
  • DFID’s information risk appetite is ‘cautious’.

Legislative, Regulatory and Contractual Requirements

  • The management of DFID and other official information may engage obligations under the following legislation (note that this list is not exhaustive):
    • Official Secrets Act 1989
    • Public Records Acts 1958 and 1967
    • Data Protection Act 1998
    • Freedom of Information Act 2000
    • Environmental Information Regulations 2004
    • Human Rights Act 1998
    • Computer Misuse Act 1990
    • Copyright (Computer Programs) Regulations
    • Civil Evidence Act 1968
    • Police and Criminal Evidence Act 1985
    • Wireless Telegraphy Act 1949
    • Communications Act 2003
    • Regulation of Investigatory Powers Act 2000
    • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
    • Civil Contingencies Act 2004
  • DFID is required to comply with HM Government policy on information security and assurance including:
    • The Security Policy Framework
    • The Government Protective Marking System
    • HMG Information Assurance Standards
  • Any organisation accessing, processing, communicating or managing DFID’s information must do so such that DFID’s legal, policy and regulatory obligations are met.
  • Any processing of personal data outside the United Kingdom may only take place with the express permission of DFID’s Senior Information Risk Owner, obtained prior to the commencement of any such processing. Arrangements for data processing will form part of a contract between DFID and data processors.
  • Anyone accessing official information through provision of goods or services to DFID will be bound by the terms of the Official Secrets Act 1989.

Access to DFID Information, Information Assets and Information Systems

  • Anyone required to access DFID information and/or work in a DFID building must either hold or be prepared to apply for a Baseline Personnel Security Standard (BPSS) clearance. This entails identity, nationality and criminal record checks. BPSS clearances obtained through other government departments may be accepted by DFID. If access is required to information at higher levels of security classification, additional national security vetting checks may be required.
  • Access to information assets and systems will be the minimum necessary to achieve business purposes.
  • When the need to access DFID information, assets and systems ends, all DFID equipment (e.g. laptops, security passes, etc.) must be returned to DFID prior to the termination of a contract.
  • DFID may monitor the use of its information, information assets and information systems for lawful business purposes.
  • Anyone granted access to DFID information, information assets and systems must comply with the requirements of DFID’s Security Manual including its Acceptable Use Policy. Failure to comply with these policies and other relevant instructions may constitute a breach of contract and lead to termination or legal action.
  • Removable media (including laptops) may only be used to manage DFID information with the explicit consent of DFID. Any removable media must be encrypted to a degree commensurate with the protective marking of the information held within the removable media as required by HMG standards.
  • Supplier personnel may only enter DFID premises with an appropriate security pass issued by DFID and may only enter areas of DFID premises commensurate with their function and, where appropriate (for example, in security areas), escorted by DFID staff.

Information Security Management System Controls

  • Where a supplier is contracted to manage DFID information, information assets or information systems, the supplier must ensure that an information security management system employed to secure DFID information, information assets or information systems is in place and complies with ISO/IEC 27001. Evidence must be provided to DFID of compliance with the standard, either through formal certification or otherwise to DFID’s satisfaction, before any DFID information, information assets or information systems are accessed by the supplier.
  • Suppliers must agree to permit and facilitate audits of all aspects of their information security management system by DFID and to address any findings of such audits in order to preserve the security of information to DFID’s standards and requirements.
  • The transmission of information between DFID and a supplier must be encrypted to a level commensurate with the protective marking of the information and to HMG standards.
  • Live DFID data and information may not be used for test purposes. Data and information to be used for test purposes must be anonymised, scrambled or otherwise rendered in such a way that no live DFID data or information can be reconstructed from that used for test purposes.
  • DFID information may not be copied by any supplier other than as far as is necessary for providing an agreed service to DFID.
  • Suppliers must have a security incident reporting process in place to a standard and design acceptable to DFID to ensure that any incidents involving DFID information are immediately reported to DFID. Suppliers must agree to undertake any remedial action required by DFID and ensure that this is implemented in an auditable way.
  • A supplier holding DFID data on DFID's behalf must have in place processes to ensure that critical DFID information held by them can be promptly and efficiently recovered following an emergency.

Last updated: 03 Oct 2011