Ref. | Requirement | Regulation reference(s) |
--- | --- | --- |
M10.01 | The Supplier shall maintain records of third party suppliers’ details, including their third parties and the major components which are used in the provision of goods/services/facilities for the Supplier. | 7(1) 7(4)(a)(i) |
M10.02 | The Supplier shall clearly express the security needs placed on third party suppliers. These shall be defined and agreed in contracts. | 7(1) 7(4)(a),(b) 9(1) 9(2)(c)(ii),(iv),(vi) |
M10.03 | There shall be a clear and documented shared-responsibility model between the Supplier and third party suppliers. | 7(1) 7(4)(a) 9(1) 9(2)(c)(ii),(iv),(vi) |
M10.04 | The Supplier’s incident management process and that of their third party suppliers shall provide mutual support in the resolution of incidents. | 7(4)(a)(i),(iv) 9(1) 9(2)(c)(ii),(iv),(vi) |
M10.08 | The Supplier shall avoid transferring control of their network and user data to third parties, except where necessary. Any such transfer of control should be limited to the necessary and defined purpose. Where a data transfer is necessary, it shall be through a defined process. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii),(iii) 7(4)(b) 15 |
M10.09 | Where network or user data leaves the Supplier’s control, the Supplier shall contractually require and verify that the data is properly protected as a consequence. This shall include assessing the third party supplier’s controls to ensure the Supplier’s data is only visible or accessible to appropriate employees and from appropriate locations. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii),(iii) 7(4)(b) |
M10.10 | When sharing user or network data, the Supplier and its suppliers shall use an encrypted and authenticated channel. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii),(iii) 7(4)(b) 15 |
M10.11 | The Supplier shall contractually oblige third party suppliers to notify the Supplier within 48 hours of becoming aware of any security incidents that may have caused or contributed to the occurrence of a security compromise, or where they identify an increased risk of such a compromise occurring. This includes, but is not limited to, incidents in the Supplier’s development network or its corporate network. | 7(4)(a)(i),(iv) 9(1) 9(2)(c)(i) 15 |
M10.12 | The Supplier shall contractually require third party suppliers to support the Supplier in investigations of incidents that cause or contribute to the occurrence of a security compromise in relation to Gamma, or of an increased risk of such a compromise occurring. | 7(4)(a),(iv) 9(1) 9(2)(c)(i),(ii),(iii),(iv),(v),(vi) 15 |
M10.13 | The Supplier shall require any third party suppliers to find and report on the root cause of any security incident that could result in a security compromise in the UK within 30 days, and rectify any security failings found. | 7(4)(a)(iv) 9(1) 9(2)(c)(i),(ii),(iv),(v),(vi) 9(4) 9(5) 15 |
M10.14 | Where third party suppliers cannot quickly resolve security failings, the Supplier shall work with the third party supplier to ensure the issue is mitigated until resolved. | 7(4)(a)(iv) 9(1) 9(2)(c)(ii),(iv),(v) 15 |
M10.15 | Where third party suppliers do not resolve security failings within a reasonable timeframe, the Supplier shall have a break clause with the third party supplier to allow exit from the contract without penalty. | 7(4)(c) |
M10.16 | The Supplier shall contractually require third party suppliers to support, as far as appropriate, any security audits, assessments or testing required by the Supplier in relation to the security of the Supplier’s own network, including those necessary to evaluate the security requirements in this Schedule. | 7(1) 7(4)(a)(i),(iii),(iv) 14(1) |
M10.17 | The Supplier shall flow down appropriate security measures to any third party administrator. The Supplier shall ensure that any third party administrator applies controls that are at least as rigorous as the Supplier’s own when the third party administrator has access to the Supplier’s network or service or to sensitive data. | 7(3)(a) 7(3)(b) 7(4)(a)(i),(ii) |
M10.18 | The Supplier shall retain the right to determine permissions of the accounts used to access its network by third party administrators. | 7(1) 7(4)(a)(ii),(iii) 7(4)(b) |
M10.21 | The Supplier shall have the contractual right to control the members of third party administrator personnel who are involved in the provision of the third party administrator services, including to require the third party administrator to ensure that any member of personnel no longer has access to the network. | 7(1) 7(4)(a)(i),(iii) 7(4)(b) 8(4) 8(5)(d),(e) 8(6)(a),(b) |
M10.24 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements technical controls to prevent one provider or their network from adversely affecting any other provider or their network. | 4(1) 4(2) 7(1) 7(4)(a)(i),(ii) 7(4)(b) 9(2)(c)(iii),(v) |
M10.25 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements logical separation within the third party administrator network to segregate customer data and networks. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
M10.26 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements separation between third party administrator management environments used for different provider networks. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
M10.27 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and enforce and/or ensure the third party administrator implements and enforces security enforcing functions at the boundary between the third party administrator network and the Gamma network or the Supplier network. | 4(1)(a),(b) 4(2)(a),(b) 4(4)(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
M10.28 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements technical controls to limit the potential for users or systems to negatively impact more than one provider. | 4(1)(a),(b) 4(2)(a),(b) 4(4)(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
M10.29 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements logically-independent privileged access workstations per provider. | 4(4)(a) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
M10.30 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements independent administrative domains and accounts per provider. | 7(1) 7(4)(a)(i),(ii) |
M10.33 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, monitor and audit and/or ensure the third party administrator monitors and audits the activities of the third party administrator’s staff when accessing the Gamma network. | 6(1) 6(2)(a),(b) 7(4)(a)(iii),(iv) 8(5)(d)(i),(ii) 9(1) 9(2)(c)(iv),(v) |
M10.34 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, provide all logs relating to the security of its or the third party administrator’s network to the extent that such logs relate to access into the Gamma network. | 6(1) 6(2)(a),(b) 6(3)(a) 7(4)(a)(iii),(iv) 8(5)(d)(i),(ii) 9(1) 9(2)(c)(iv),(v) |
M10.35 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, ensure that its networks or the networks of the third party administrator that could impact Gamma undergo the same level of testing as Gamma applies to itself (as advised by Gamma from time to time). | 7(4)(a)(i),(iii) 14(1) 14(2) |
M10.36 | The Supplier shall contractually require network equipment suppliers to share with them a ‘security declaration’ on how they produce secure equipment and ensure they maintain the equipment’s security throughout its lifetime. Any such declaration should cover all aspects described within the Vendor Security Assessment (VSA) (see Annex B of the TSA CoP), and the Supplier should encourage its suppliers to publish a response to the VSA. | 3(3)(a),(b),(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
M10.37 | As part of the security declaration, any differences in process across product lines shall be recorded by the Supplier or the relevant equipment manufacturer. | 3(3)(a),(b) 3(3)(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
M10.38 | The Supplier shall ensure that the network equipment supplier’s security declaration is signed-off at an appropriate governance level by the Supplier or the relevant equipment manufacturer. | 3(3)(a),(b),(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
M10.39 | Where the Supplier or the relevant equipment manufacturer claims to have obtained any internationally recognised security assessments or certifications of their equipment (such as Common Criteria or NESAS), the Supplier shall share with Gamma the full findings that evidence this assessment or certificate. | 3(3)(a),(b),(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
M10.40 | The Supplier shall, and shall ensure that the relevant equipment manufacturer shall, adhere to a standard no lower than the security declaration. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) |
M10.41 | The Supplier shall supply up-to-date guidance on how the equipment should be securely deployed. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 13(2)(d)(i),(ii) |
M10.42 | The Supplier shall support all equipment and all software and hardware subcomponents for the length of the Agreement. The Supplier shall notify Gamma of the date from which the equipment (or its subcomponents) will not be supported (end of support or EOS) at least three (3) years before the EOS date. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 13(2)(d)(i),(ii) |
M10.43 | The Supplier shall provide details (product and version) of major third party components and dependencies in any equipment, including open source components and the period and level of support. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 13(2)(d)(i),(ii) |
M10.44 | Where relevant to the Supplier’s or Gamma’s particular usage of equipment, the Supplier shall require third party suppliers to remediate all security issues that pose a security risk to Gamma’s network or service discovered within their products within a reasonable time of being notified, providing regular updates on progress in the interim. This shall include all products impacted by the vulnerability, not only the product for which the vulnerability was reported. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 12(c)(i),(ii) 15(1) 15(4) |
M10.46 | The Supplier shall ensure that its contracts with third party suppliers allow details of security issues to be shared as appropriate to support the identification and reduction of the risks of security compromises occurring in relation to the public electronic communications network or public electronic communications service as a result of things done or omitted by such third party suppliers. | 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) |
M10.47 | The Supplier shall deliver critical security patches for network equipment separately to feature releases, to maximise the speed at which the patch can be deployed. | 3(3)(a),(b) 3(4) 7(1) 7(4)(a)(i) 7(4)(c) 12(a) 12(c)(i),(ii) |