Our business relies on IT solutions and applications to share project information which may be accessed by suppliers. CFMS relies on the integrity and accuracy of project information in order to carry out its business and obligations to our clients. It is therefore essential that information is secured in line with professional best practice as well as statutory, regulatory and contractual requirements that maintain the confidentiality, integrity and availability of all information assets.
CFMS has established an Integrated Business Management System (BMS) in accordance with the requirements of ISO 27001 and the ISO 27002 code of practice for information security controls.
The BMS enables CFMS to meet ISO, General Data Protection Regulation (GDPR) and the Information Commissioner’s Office (ICO) standards.
The purpose of this policy is to ensure that all contracts and dealings between CFMS and suppliers have acceptable levels of information security in place to protect personal data as defined by the GDPR. These requirements are in line with our BMS, data protection legislation and information security best practice. This policy sets out CFMS’s expectations in respect of information security when engaging with suppliers.
The scope of this policy applies to any works undertaken on behalf of CFMS that involve the sharing of information, either regarding our own business or that of our clients, including project-specific drawings and specifications. The term ‘Data’ within this policy refers to the storing, handling, processing or retention of data, including personal data related to CFMS, suppliers or clients, e.g. employee certificates, company health and safety documentation and client project information. Specific information covered under this policy includes the following:
Project documentation issued in any format must be assessed and only issued if it is compliant, relevant and necessary to the works being implemented.
Paper copies must be kept to a minimum, and consideration given to their disposal through confidential waste arrangements where appropriate.
Should project information in paper media be deemed sensitive, it must not be disposed of through normal waste channels. It must be shredded at source, disposed of through confidential waste systems (if approved) or safely returned to CFMS premises and disposed of appropriately. Sensitive information can include, but is not limited to:
- Commercial information
- Personal Data
CFMS’s Approved Suppliers Policy (PY504) and Software and Hardware Procurement Policy (PY502) are designed to ensure that solutions and services procured are cost effective, maintain the availability and integrity of information and are fit for purpose. It is therefore important that, throughout the procurement and subsequent contractual period, CFMS is clear on its expectations in terms of information security and supplier responsibilities.
Information Security Risks and Requirements for Third Parties
The security of information is the key focus of CFMS’s ISO 27001 risk assessment, procurement and management strategy. By using a risk-based and proportionate approach to how information assets should be protected, we ensure the security of all data held on our systems in relation to our own business, our customers and our suppliers. Having procurement processes which align with identified information asset risks helps to ensure that systems are in place to provide the level and quality of information security required by CFMS and the GDPR.
Change performance is assured through verification and validation audits.
The performance of strategic suppliers will be monitored on an annual basis in line with the Approved Suppliers Policy (PY504).
Supplier Access to CFMS Information
CFMS will allow Suppliers to access its information and data where formal contracts and data sharing agreements exist in accordance with the GDPR, CFMS’s ISMS and where accessing the information is a necessary part of delivering the service requested, for example financial and HR platforms and software.
Suppliers wishing to gain access to CFMS internal systems should request this through ECS or the main point of contact, who will arrange access subject to contractual requirements and once confirmation has been provided that sufficient anti-virus software is installed on the relevant machines.
Suppliers will only be granted access to project information related to works they are undertaking.
Once access is no longer required, the supplier will be blocked from our systems by ECS.
Security Incident Management
Suppliers of goods and services to CFMS will be assumed, as part of the contract of supply, to have appropriate security incident management procedures in place. CFMS will expect, as a condition of supply, to be notified of any significant security incidents.
Such incidents should be notified as soon as reasonably practicable to CFMS, which will ensure appropriate action is taken.
Breaches of Policy
Breaches of this policy and/or security incidents can be defined as events which could have resulted, or have resulted, in loss or damage to CFMS’s or our clients’ information, or an event which is in breach of CFMS’s security procedures and policies. All suppliers contracted to provide services which enable CFMS to carry out its business functions and deliver its services to the end customer have a responsibility to adhere to this policy.
All suppliers have a responsibility to report security incidents and breaches of this policy as quickly as possible through CFMS’s Incident Reporting Procedure.
In the case of vendors, consultants or contractors, non-compliance could result in the immediate removal of access to CFMS internal systems or suspension of contractual arrangements.
If damage or compromise of CFMS’s IT solutions or loss of information results from the non-compliance, CFMS will remove the supplier from the Approved Supplier List and consider potential legal action depending on the severity of the breach.