This policy sets out the cybersecurity obligations, controls and best practices with which a supplier and its subcontractors are required to comply while providing services to CPA Global, as appropriate to the scope of the engagement and the level of access to CPA Global data.
It applies to all suppliers and their subcontractors that provide services to CPA Global and its subsidiaries globally.
Compliance and audit
- Supplier must have a formal internal audit process to ensure that the cybersecurity policies and processes it has defined are effectively implemented and maintained.
- Supplier must comply with industry and regulatory security standard requirements such as a SOC 2 attestation (issued under SSAE 16, superseded by SSAE 18 in 2017) and ISO 27001:2013, the Information Security Management System (ISMS) standard.
- Supplier must be prepared to provide supporting documentation for CPA Global external audits and reviews (such as Sarbanes-Oxley and PCI DSS) upon CPA Global request. Upon request, supplier must provide copies of relevant security policy, process and procedure documents to CPA Global for review and audit purposes; any recommended changes must be incorporated into supplier policies, or supplier must respond with mitigating controls.
- CPA Global reserves the right to audit suppliers and their subcontractors if they fail to provide assurance of compliance with ISO 27001 certification or AICPA SOC 2 audit attestation requirements on an annual basis. To do so, CPA Global shall provide written notice, except where CPA Global has reasonable grounds to suspect fraud or a severe data breach by the supplier, in which case an audit may take place at any time on prior written notice of not less than three (3) days.
- Supplier must permit CPA Global to request and/or perform, at CPA Global's expense, up to a maximum of two security assessments or audits per year, including but not limited to review of policies, processes and procedures, on-site assessment of physical security arrangements, network, system and application vulnerability scanning, review of data privacy processes, and penetration testing.
- The scope of the audit shall include supplier compliance with the controls and clauses defined in ISO 27001:2013 and the SOC 2 framework (SSAE 16/18, as applicable) and with this policy.
Supplier shall implement, maintain, comply with and enforce at least the following basic cyber security controls and best practices:
Personnel security
- Supplier shall conduct adequate background verification checks on its personnel through an external agency prior to granting any access to CPA Global information or systems, to establish the identity of the person and to reduce the possibility of threats to critical information assets.
- All personnel who have physical or logical access to CPA Global systems are required to sign an employee undertaking at the time of their appointment, which contains clauses on non-disclosure of confidential information, information security, compliance with applicable laws, copyright, code of ethics and non-compete requirements.
- Prior to granting access to information, networks, data or premises, supplier shall train personnel on the implementation of, compliance with and enforcement of supplier's information security controls and policies, which shall at a minimum meet security best practices. Personnel shall also receive training on acceptable use of CPA Global information assets and on this third-party security policy.
Inventory of Assets
- Supplier must maintain an inventory of information assets (physical, software, information, services and people) to ensure that the assets are effectively protected, and must periodically review the inventory to ensure its accuracy. Security classification of information assets is subject to the CPA Global "Data Classification Policy", which sets out security practices for labelling, handling, storage and disposal of information assets.
Information Security policy
- Supplier shall maintain an information security policy that meets security best practices and applies across its organization. The information security policy must address at least the following areas of information security controls:
- Organization of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance; with internal requirements, such as policies, and with external requirements, such as GDPR and other applicable laws, regulations
- Any material changes to any information security policy or information security controls shall be formally approved by supplier's Chief Security Officer, Chief Information Officer, or an equivalent officer such as the CISO.
- Each member of supplier personnel shall fully review supplier's information security policy and confirm in writing that they have read and understood it and will comply with it.
- Supplier shall at least annually review and, where necessary, update its training materials on its information security policy and controls, and shall send written statements to supplier personnel informing them of material changes and reminding them of their obligations thereunder. Supplier shall establish a formal disciplinary process for non-compliance with information security policies and controls and shall fully enforce it for any violation thereof.
Data classification & segregation
- Supplier shall maintain and implement data classification guidelines to assign levels of classification to information resources and the corresponding levels of access controls to ensure confidentiality, integrity and availability and to minimize the risks to the information. Supplier shall handle, process, transmit or store CPA Global data as per agreement.
- Supplier shall segregate, logically or physically, CPA Global data and systems from Non-CPA data and systems, including those of supplier unless otherwise directed by CPA Global.
Protection against malware
- Supplier shall implement and maintain software that detects, prevents, removes and remedies malware (including viruses, trojans and worms), that is kept current, and that is at least consistent with commonly accepted industry standards.
- Supplier shall implement anti-malware measures on key system components including but not limited to entry points, CPA Global systems, server systems or similar components.
- Supplier must report all occurrences of viruses and malicious code, not handled by deployed detection and protection measures, on any endpoint or server used to provide services under the work agreement, to CPA Global without unreasonable delay.
Information removal, destruction & retention
- Supplier shall physically destroy or securely delete, to the point that it cannot be read, deciphered or reconstructed, all information on supplier systems, storage media and paper documents, including electronically saved copies on copiers, printers and other equipment that uses internal hard disks for buffering, storage or caching. This applies prior to disposing of, selling or relinquishing control of any such equipment or media (unless specifically authorized by this Agreement), or upon instruction from CPA Global, and must be carried out in accordance with guidance from the CPA Global Cyber Security team.
- Supplier shall inventory all information prior to such destruction or deletion and shall certify in writing to CPA Global that all information has been destroyed or securely deleted.
- Notwithstanding the foregoing, no storage media under a legal hold will be destroyed or otherwise disposed of unless directed by CPA Global and all such media will be securely maintained.
- Supplier shall not remove or send any confidential or sensitive Information (such as logs etc.) from supplier systems, supplier facilities, or any other location or system unless they have received CPA Global prior written consent or such removal is specifically required under the Agreement.
- Change Management: Supplier must have a documented change management procedure for applications and networks that support CPA Global processes or for housing CPA Global data. Segregation of duties should be in place.
- Capacity Management: Supplier must have a capacity planning and management process in place to regularly monitor the continued availability of capacity to meet future requirements. The process shall consider factors such as new business requirements, expansion plans of the organization, storage capacity and contingency plans for information systems in order to determine future requirements for information processing resources.
- Data Backup: Supplier shall ensure that backup copies of CPA Global information and software are maintained and tested regularly for the purpose of data recovery in the event of a system crash or accidental deletion of information. Backup procedures must be maintained covering backup frequency, storage of backup media, labelling conventions for backup media, retention of and restoration from backup media, and movement of tapes to an offsite location.
- Media Handling: Supplier shall have a documented "Media Handling Policy" that requires removable computer media such as CDs, floppy diskettes, backup tapes and USB drives to be physically protected against unauthorized access, that confidential and sensitive information on such media is available to authorized users only, and that removable computer media are disposed of in a secure manner.
Exchanges of Information
- Supplier shall not transport any storage media containing any confidential or sensitive Information via courier or mail without the prior written consent of CPA Global. Supplier shall perform verification/ checks on proposed courier companies prior to use, and shall not utilize any courier or mail if such use would result in an information security risk increase.
- Supplier shall use at least 256-bit AES (symmetric) or 2048-bit RSA (asymmetric) encryption, or other state-of-the-art cryptographic techniques approved by CPA Global, for any storage media containing confidential or sensitive information prior to its transfer or transmittal, whether by electronic transfer or by physical transfer of the storage media.
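As an added worked example (not part of the original policy, and not CPA Global's or any supplier's code), the following Go program shows one way to meet the clause above, and the encryption-standards item later in this policy, for a file or disk image that is about to be shipped on media. The payload is encrypted with AES-256 in GCM mode under a fresh random key, and that key is wrapped to the recipient's RSA-2048 public key with OAEP, so the recipient's private key never leaves their custody and the shipper never has to share a password. The transfer reference is bound in as the OAEP label and as GCM associated data, so a package cannot be accepted under a different transfer. The TransferPackage structure, the label format and the sample data are assumptions of this example; it uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TransferPackage travels with the media: the per-transfer AES-256 key wrapped to the
// recipient's RSA-2048 public key, the GCM nonce and the ciphertext (GCM tag included).
type TransferPackage struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for the holder of recipientPub. label identifies the transfer
// (e.g. a reference number) and is bound in as the OAEP label and as GCM associated data.
func Encrypt(plaintext []byte, recipientPub *rsa.PublicKey, label []byte) (*TransferPackage, error) {
	if recipientPub.N.BitLen() < 2048 {
		return nil, errors.New("recipient RSA key is shorter than 2048 bits")
	}
	key := make([]byte, 32) // fresh 256-bit AES key for every transfer
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, label)
	if err != nil {
		return nil, err
	}
	return &TransferPackage{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// Decrypt unwraps the key and opens the ciphertext; any change to the wrapped key,
// nonce, ciphertext or label is rejected before any plaintext is released.
func Decrypt(p *TransferPackage, recipientPriv *rsa.PrivateKey, label []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, p.WrappedKey, label)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or transfer label")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, p.Nonce, p.Ciphertext, label)
	if err != nil {
		return nil, errors.New("integrity check failed: package altered in transit")
	}
	return plaintext, nil
}

// SelfTest runs a round trip on constructed sample data and checks that a modified
// ciphertext and a wrong transfer label are both rejected; nil means every check passed.
func SelfTest() error {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	label := []byte("CPA-transfer-0001") // constructed transfer reference
	data := []byte("constructed sample: contents of the storage media being shipped")
	pkg, err := Encrypt(data, &recipient.PublicKey, label)
	if err != nil {
		return err
	}
	if got, err := Decrypt(pkg, recipient, label); err != nil || !bytes.Equal(got, data) {
		return errors.New("round trip failed")
	}
	tampered := &TransferPackage{pkg.WrappedKey, pkg.Nonce, append([]byte(nil), pkg.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01 // flip one bit of the payload
	if _, err := Decrypt(tampered, recipient, label); err == nil {
		return errors.New("tampered ciphertext was accepted")
	}
	if _, err := Decrypt(pkg, recipient, []byte("CPA-transfer-0002")); err == nil {
		return errors.New("package accepted under the wrong transfer label")
	}
	return nil
}

func main() { fmt.Println("self-test result (nil = all checks passed):", SelfTest()) }
```

The policy's "256-bit AES or 2048-bit RSA" wording reads as a choice, but in practice the two are combined as above: RSA-2048 with OAEP can only encrypt a few hundred bytes at a time, and AES alone leaves the problem of getting the key to the recipient. Ship the three TransferPackage fields (for example as a small JSON file) alongside the media, and treat any decryption error as a reportable incident rather than a retry.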
Access control
- Supplier shall maintain an up-to-date list of users who have access to CPA Global systems or information, and shall limit each user's access to only those parts of the information necessary for the business purpose.
- Supplier shall segregate duties between supplier personnel with respect to the information to reduce the risk of fraud or accidental unauthorized use of CPA Global systems or information. Supplier shall monitor and log all access to the information, take the necessary measures when unauthorized access is detected, and enforce controls over access rights.
- Authentication of users to CPA Global systems or data must use methods commensurate with the classification of the system or data. Such methods may include, but are not limited to, quality passwords and two-factor authentication or similar techniques.
- Supplier shall comply with the following best practices for passwords within its information systems; in particular:
- Passwords must have a minimum length of eight characters and be a non-trivial combination of letters, numbers and special characters; they must not be dictionary words, names or surnames, or anything easily related to the user (e.g. date of birth or phone number).
- Passwords must be changed at least every 60 days.
- When new equipment and software are used for the first time, default passwords must be replaced at the first sign on with a quality password immediately.
- Different passwords should be used for accessing each system and for encrypting information.
- Passwords must not be stored as clear text on a PC or in an application.
- Accounts must lock after repeated login failures (for example, after 5 consecutive failures).
- No shared or group passwords.
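As an added example (not part of the original policy or of any supplier's tooling), the following Go program turns the password rules above into a check that can be run at the point where a password is set. It covers the length and character-class rules, the dictionary check, and the "easily related to a user" rule, which it enforces by looking for the user's name or username inside the password and for any run of four digits shared with the date of birth (in several orderings) or the phone number. The UserProfile type, its field names and the word list are assumptions of this example; a real deployment would use a full dictionary or breached-password list.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// UserProfile holds the attributes a password must not be derived from (the policy's
// "easily related to a user" rule). The field set is an assumption of this example.
type UserProfile struct {
	Username, Name, Surname string
	DOB                     string // YYYY-MM-DD
	Phone                   string // any formatting; only the digits are compared
}

// dictionary is a small constructed word list standing in for a real one.
var dictionary = map[string]bool{"password": true, "welcome": true, "summer": true, "letmein": true}

// keep returns the lower-cased characters of s for which pred holds.
func keep(s string, pred func(rune) bool) string {
	return strings.Map(func(r rune) rune {
		if pred(r) {
			return unicode.ToLower(r)
		}
		return -1
	}, s)
}

func isDigit(r rune) bool { return r >= '0' && r <= '9' }

// sharesDigitRun reports whether any n consecutive digits of a also occur in b, which
// catches a birth year, a DDMM fragment or part of a phone number reused in a password.
func sharesDigitRun(a, b string, n int) bool {
	for i := 0; i+n <= len(a); i++ {
		if strings.Contains(b, a[i:i+n]) {
			return true
		}
	}
	return false
}

// personalDigits lists the digit strings a user is likely to reuse: the phone number
// and the date of birth in YYYYMMDD, DDMMYYYY and MMDDYYYY order.
func personalDigits(u UserProfile) []string {
	forms := []string{keep(u.Phone, isDigit)}
	if d := keep(u.DOB, isDigit); len(d) == 8 {
		y, m, day := d[:4], d[4:6], d[6:]
		forms = append(forms, y+m+day, day+m+y, m+day+y)
	}
	return forms
}

// CheckPassword applies the policy's password rules and returns the violations found;
// an empty result means the password is acceptable.
func CheckPassword(pw string, u UserProfile) []string {
	var v []string
	if len([]rune(pw)) < 8 {
		v = append(v, "shorter than 8 characters")
	}
	letters, digits := keep(pw, unicode.IsLetter), keep(pw, isDigit)
	// anything that is neither a letter nor a digit counts as a special character
	if letters == "" || digits == "" || len([]rune(pw)) == len([]rune(letters))+len(digits) {
		v = append(v, "must combine letters, digits and special characters")
	}
	if dictionary[strings.ToLower(pw)] || dictionary[letters] { // "Summer2024!" is still "summer"
		v = append(v, "based on a dictionary word")
	}
	for _, s := range []string{u.Username, u.Name, u.Surname} {
		if len(s) >= 3 && strings.Contains(strings.ToLower(pw), strings.ToLower(s)) {
			v = append(v, "contains the user's name or username")
			break
		}
	}
	for _, form := range personalDigits(u) {
		if form != "" && sharesDigitRun(digits, form, 4) {
			v = append(v, "contains digits of the date of birth or phone number")
			break
		}
	}
	return v
}

func main() {
	// constructed sample user; the passwords show one accepted and two rejected cases
	u := UserProfile{Username: "asmith", Name: "Alice", Surname: "Smith", DOB: "1990-05-12", Phone: "+44 7700 900123"}
	for _, pw := range []string{"Tr0ub4dor&3", "Summer2024!", "Alice1990!"} {
		fmt.Printf("%-12s -> %v\n", pw, CheckPassword(pw, u))
	}
}
```

The rotation interval, the lockout threshold and the "no clear-text storage" rule are not properties of a single password, so they belong in the identity provider's configuration and in how credentials are stored (salted, slow hashes), not in a check like this one.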
Physical and environmental security
- Supplier's operations centres, server rooms, wiring closets and other critical infrastructure areas shall have restricted access with logged authentication. Visitors to supplier facilities shall be clearly identified and their access limited to the areas they need in order to fulfil their functions. Visitor logbooks must be maintained and must record a clear description of the visitor, arrival and departure times, and the CPA Global-relevant business purpose. A supplier employee must escort visitors at all times within supplier areas.
System planning and acceptance
- Supplier shall implement, maintain, comply with and enforce information security policies and information security controls that meet security best practices for accepting new information systems or applications and alterations or upgrades to supplier systems, including policies requiring the identification of significant changes, assessment of the potential impact of such changes (including with respect to information security controls and the integrity of information), and formal managerial approval for changes.
- Supplier shall implement, maintain, comply with and enforce network information security policies and information security controls with respect to supplier systems that meet or exceed security best practices and that include:
- demilitarized zones;
- intrusion detection and prevention;
- network and system segmentation, including the utilization of packet and/or content inspecting firewalls/gateways to maintain zones segregating the following system components from each other: Internet connection, web servers, application servers, database servers, directory servers, core network, external networks;
- enforced path controls that restrict users to the portions of the network they are authorized to reach;
- authentication controls for external network connections and automatic network connections;
- controls to prevent unauthorized access and use of remote network diagnostic ports;
- network access controls that restrict unauthorized access with respect to electronic mail; and
- routing controls across interconnected networks.
- Supplier shall adopt appropriate encryption standards and technologies for each networked resource or service, including policies and technologies for full-disk encryption of end-user computing devices (e.g. BitLocker), file and folder encryption, network encryption using IPsec with AES-256, data transmission over SSHv2, and backup tape encryption using RSA-based cipher standards, in addition to the native encryption capabilities of each application system.
- Supplier shall implement, maintain, comply with and enforce information security policies and controls with respect to the use of system utility programs, including:
- authentication and authorization procedures, including defining and documenting authorization levels for system utilities;
- segregation of system utilities from application software;
- limiting access to and use of system utilities to the minimum practical number of trusted authorized users;
- logging of all use of system utilities; and
- removal of all unnecessary software-based utilities and system software.
Mobile computing devices
- Supplier shall implement, maintain, comply with and enforce Information Security Policies and Information Security Controls that meet or exceed security best practices with respect to notebooks, palmtops, laptops, PDAs, mobile phones and any other device that provides access to supplier systems, CPA Global systems or information, including requirements for physical protection, access controls, encryption of personal information stored thereon and anti-malware.
- Supplier shall implement, maintain, comply with and enforce Information Security Policies and information security controls with respect to security or data security breach response, including information security policies and information security controls that: (a) ensure a prompt, effective and orderly response to any Data Security Breach within 24 Hrs; (b) limits data security breach management to only authorized supplier personnel; and (c) require documentation of data security breach response actions taken in detail which shall meet reasonable expectations of forensic admissibility.
- All workstations shall be hardened as per latest guidelines / industry best practices and a standard operating system image is utilized to build the workstations. Access to system utilities and controllers shall be restricted for users. E.g. users do not have administrative rights on systems (desktops), to attach secondary storage (USB drives).
- Password policy is enforced across the board on all systems and servers, which ensures a minimum length, complexity and changing of password after a specified duration. All CPA Global systems or desktops and servers (as applicable) are periodically updated with latest OS patches / updates and antivirus updates.
Handling of shared systems and data isolation
- Where supplier systems serve multiple customers supplier must ensure logical separation of CPA Global Systems and data to prevent unauthorized disclosure or access. Supplier must report to CPA Global where CPA Global owned data is processed across shared systems.
- CPA Global data must be stored in a separate system or database instance from data belonging to or accessed by other companies. If this is not possible, adequate compensating controls must be documented and approved by the CPA Global Information Security Head to ensure that compromise of another customer's database cannot yield any CPA Global data.
- At no time may CPA Global data be housed on a server shared with companies other than the contracting supplier. Internet-facing web servers must be dedicated to that task and must not also host the supplier's internal (intranet) applications.
- Production CPA Global data must not be used in the supplier's development or staging environments without approval from the CPA Global Cyber Security Head.
- CPA Global data must be backed up to separate tapes or drives from data belonging to or accessed by other companies. If this is not possible, adequate compensating controls must be documented and approved by the CPA Global Information Security Head to ensure that compromise of a shared backup medium cannot yield any CPA Global data.
Data Leakage Controls
- Supplier must have controls to ensure that photographic, video and all other forms of recording equipment (including mobile phones, camera phones, tape recorders, USB/pen drives, iPods, PDAs and similar equipment) are not brought into secure areas unless specifically approved by CPA Global.
- Access to USB ports for data transfer shall be blocked in order to protect confidential and sensitive CPA Global information. All paper documents must be disposed of using cross-cut shredders, and important documents must be kept in locked drawers or cabinets.
- Supplier shall provide Internet access to its employees only as required by the business; personal mail websites, social networking websites, file-sharing and upload websites and other non-official websites shall be blocked for all employees who have access to CPA Global systems or information. All inbound and outbound Internet traffic shall be monitored and controlled through a content-filtering solution.
Identification of Security Risks
- Supplier must identify information security risks within its environment and infrastructure. In the event of an information security risk increase, supplier shall: (a) immediately undertake remedial action; (b) provide immediate notice to the CPA Global information security contact if supplier cannot undertake such action, or if the action was unsuccessful or inadequate once implemented, and coordinate a response with CPA Global; and (c) after undertaking remedial action, provide a report to CPA Global indicating the results of the remedial action, any adverse impact or violation of information security law that occurred or could occur because of the risk increase, and any further remedial action to be taken.
Monitoring and reporting
- Supplier shall collect and record information and maintain logs, planning documents, audit trails, records and reports, with respect to data security breaches, information security risk increases, information security controls, the storage, processing and transmission of information and the accessing and use of CPA Global systems.
- Supplier shall perform periodic security tests on a regular basis, including but not limited to network and application vulnerability assessments and penetration tests or similar techniques. These tests may be performed by supplier directly or by external parties specifically engaged and authorized by supplier to conduct them. These assessments shall be communicated at least one quarter in advance and conducted at a time mutually agreed between the supplier and CPA Global.
Business continuity and Disaster recovery
- Supplier shall maintain adequate Business Continuity and Disaster Recovery controls and test such controls to ensure effectiveness. Supplier shall segregate Business Continuity and Disaster Recovery Controls from those parts of the supplier system used during the normal course of business and shall comply with backup, restore and off-site storage requirements.
- Appropriate provisions must be included in formal agreements to ensure that supplier has a tested and sufficient Business Continuity Plan (BCP) / Disaster Recovery (DR) plan and reporting process, so that business processes can be quickly re-established following a disaster or outage. Supplier must maintain an updated inventory of all critical production systems and supporting hardware, applications and software, projects, data communications links, and critical staff at both the primary and secondary sites.
- Any emergency event-related disruption of business activities must be reported to the CPA Global - Head of Cyber Security.
Data privacy
- Supplier shall, at all times, comply with its obligations under all applicable data privacy legislation in relation to CPA Global-related personal data (as defined in that legislation) that it holds or processes in the course of performing its obligations or exercising its rights under existing contracts and agreements.
- Supplier shall obtain and maintain all necessary notifications or registrations in respect of such processing or holding, and shall do and execute, or arrange to be done and executed, each act, document and thing that the other party may reasonably consider necessary to comply with the mandatory data privacy legislation applicable to it or to any of the other service recipients.