How to assign a cyber risk profile to new procurement requests

The first set of questions to ask in order to assign a cyber risk profile helps to determine the important assets, including data, networks and systems, which need to be protected within the scope of the procurement. This can include assets that are controlled by a third party. You will want to understand if, and what kind of, data will be accessed or processed during the contract and the associated volume of this information. The quantity of information is an important factor as it can influence the impact if that data or information is impacted.

Networks can include both cloud and physical on-premise networks. You may need to speak with your IT team to understand the level of intended access and the existing controls in place to protect your network. If a third party has access to your network, then cyber threats could potentially exploit vulnerabilities along the supply chain and gain access to your networks through this third party.

Systems can include council systems, but also other third party systems, for example a housing or financial management system. Providing access to other council systems can potentially expose those systems to attack. This is an important aspect of evaluating cyber risk, because depending on the access and integration, it could bring other systems and data into the scope of the assessment. If a new product is granted full permissions on an existing service, you will need to assess that existing service to understand the aggregated cyber risk and potential impact.

The length of the contract is important from a cyber security perspective as the supply chain cyber security landscape is constantly changing and evolving. A long-term term contract could have significant security vulnerabilities introduced over time, so appropriate controls would need to be put in place to mitigate against these over the full length of the contract.

The value of the contract can also be closely linked with the impact on the council and connected stakeholders in the event of a cyber incident.

It is also important to understand that the contract scale is just one of many influencing factors. The supply chain includes all acquired services and products, even if those are open source or free to use. Free digital services and products could cause a cyber incident, causing catastrophic damage to your organisation. 

It may be worth noting that questions are important to consider, but are mostly applicable to existing contracts, and would not necessarily apply to new procurements where the supplier is not yet known. The purpose of this section is to help evaluate the potential cyber risk and subsequently apply controls, not to exclude suppliers based on these criteria.

With that said, the length of the contract is important from a cyber security perspective, because with the supply chain cyber security landscape constantly changing, a long-term term contract could have significant security vulnerabilities introduced over time. As such, appropriate controls would need to be put in place to mitigate against this.

The value of the contract may be closely linked with the impact on the council and connected stakeholders in the event of a successful cyber incident.

Another set of potential questions to ask in order to assign a risk profile would be questions that determine the level of impact a cyber incident could have on your local council organisation, including related stakeholders, such as council residents. Note that how you would categorise the impact in each area would be based upon your council’s cyber risk appetite.

The impact of a cyber incident is normally directly correlated with the assets that are affected by the incident. When evaluating the impact, you need to consider what would be the affected assets, and how would they be impacted? Could an incident impact the confidentiality, integrity or availability of those assets? If yes, then what would be the business impact that results from that?

Questions to consider here include: 

Depending upon the type of service or product request, you may not have all of the information readily available to assess the full questionnaire. Additionally, the level of risk may vary based on council type, size, budget, and overall procurement strategy. You will need to work closely with the internal product, service, IT and security teams in order to fully assess the request. Consult the NCSC Principles for more guidance on risk assessments.