Supplier Cybersecurity Requirements
How our suppliers will manage and protect our systems and information
Version Date: 9 August 2022
1. Introduction & Scope
(a) This document sets out Tuatahi First Fibre Limited’s (Tuatahi, we, us or our) minimum cybersecurity requirements and standards. These apply to a supplier to Tuatahi of software, services, or other deliverables (Services) where that supplier:
i. has access to Tuatahi Data and/or Tuatahi Systems; and/or
ii. will process data for which Tuatahi is legally responsible.
(b) The Supplier Cybersecurity Requirements apply in addition to any agreement (Agreement) between the supplier (you or your) and Tuatahi. If there is any inconsistency between these Supplier Cybersecurity Requirements and the Agreement, the Supplier Cybersecurity Requirements shall prevail to the extent of that inconsistency.
(c) This document is issued under Tuatahi’s Technology & Information Policy. For more information, contact Tuatahi’s Head of Cybersecurity and Privacy.
2. Definitions & Interpretation
In this document:
Good Practice means the skill, diligence, care, foresight, and appropriate professional standard as would be expected from a leading supplier in the relevant industry;
Malicious Code means any virus, bomb, Trojan horse or other malicious software or computer programming code that could impair, deny or otherwise adversely affect the Services, you, us, or any Tuatahi Data or Tuatahi Systems;
Personal Information has the meaning given to it under the Privacy Act 2020;
Security Incident means the unauthorised access, use, alteration or destruction of any Tuatahi Data or Tuatahi Systems, or other compromises or breaches of your or our electronic or physical security;
Security Vulnerability means a weakness at the network, operating system, database or application software level, or within associated functions (such as a physical vulnerability at the location where Tuatahi’s Data is stored), that could allow a Security Incident to occur;
Tuatahi Data means all data, information, text, drawings and other materials in any form that Tuatahi provides to you, or that you generate, collect, process, hold, store or transmit in connection with the Agreement, excluding Your Materials;
Tuatahi Systems means any electronic information system, including (but not limited to) hardware, software and communications networks operated or used by Tuatahi;
Your Materials means all software, documents and other materials created or owned by you or any third party, provided to Tuatahi by you or on your behalf in relation to the Agreement; and
Your Personnel means your employees, contractors and consultants who are (or may be) involved in meeting your obligations under the Agreement, and/or have access to Tuatahi Data or Tuatahi Systems.
The words “include” and “including” are deemed to be followed by the words “without limitation”.
(a) In delivering the Services to Tuatahi, you agree to use Good Practice to:
i. continually assess your cyber risk;
ii. apply effective security controls and formal cyber risk governance processes to protect you and us from cyber threats;
iii. implement security controls that consider yours and our cyber risk;
iv. ensure that your employees have the right level of cybersecurity awareness required to carry out their roles and responsibilities; and
v. use appropriate technologies, processes and procedures to address current and emerging cyber threats, and maintain a consistent baseline of controls to detect, prevent and respond to those threats.
(b) Unless restricted by law, you must promptly notify us of any attempt made by a third party to access Tuatahi Data or Tuatahi Systems. This includes access by a malicious party or as part of a legal or legislative process, and whether the attempt is granted or denied.
4. Protection of Tuatahi Data
(a) Tuatahi Data is confidential to Tuatahi. You must not access, store or use the Tuatahi Data except as required to perform your obligations under the Agreement.
(b) At the end of the Agreement you will return or securely destroy all Tuatahi Data. You are not required to return or destroy Tuatahi Data that is needed to perform obligations owed to us under another agreement or to meet your regulatory obligations.
(c) Where the Tuatahi Data includes Personal Information, you must comply with the Privacy Act 2020 and Tuatahi’s Privacy Notice.
5. Your Personnel
You must use Good Practice to ensure that Your Personnel:
i. have the right level of cybersecurity awareness required to carry out their roles and responsibilities;
ii. are trained to understand:
- your information security policies, procedures and responsibilities,
- your obligations under the Supplier Cybersecurity Requirements;
- the importance of maintaining the confidentiality of Tuatahi Data; and
iii. have only the access to Tuatahi Data and Tuatahi Systems necessary to enable them to perform their roles.
6. Security Requirements
(a) In delivering the Services to Tuatahi, you agree to use Good Practice to:
i. use and monitor logical access controls that restrict access to the Tuatahi Data and Tuatahi Systems to those individuals who require access to meet your obligations under the Agreement, and ensure that these controls are updated when individuals change roles or leave;
ii. implement authentication processes (including passwords, multi-factor authentication and system logons) that specifically identify an individual user or system service and follow a recognised industry practice (such as the NZ Information Security Manual (NZISM) or National Institute of Standards and Technology (NIST) Special Publication 800-63);
iii. prevent unauthorised use of or access to Tuatahi Data and/or Tuatahi Systems;
iv. assess all third-party software, hardware and services you use in the delivery of the Services to ensure they meet the minimum standards required under the Supplier Cybersecurity Requirements;
v. regularly monitor your systems and audit logs to verify the effectiveness of the technical, administrative and physical controls used to protect Tuatahi Data and/or Tuatahi Systems; and
vi. implement the security principles of:
Defence in depth:
Multiple layers of security controls are placed throughout an information technology system to provide redundancy in the event that a security control fails or a vulnerability is exploited. These layers can cover personnel, procedural, technical and physical security for the duration of the system's life cycle.
Least privilege:
Giving a user account or process only those privileges which are essential to perform its intended function.
Minimise attack surfaces:
The attack surface of a software environment is the sum of the different points where an unauthorised user can try to enter data into or extract data from that environment.
Secure by design:
Systems are built with security considered from the initial design phase, rather than as an afterthought.
(b) You will take all precautions necessary in accordance with Good Practice to prevent the introduction of Malicious Code and Security Vulnerabilities to, or that could impact, the Tuatahi Data and/or Tuatahi Systems.
(c) If you become aware of the introduction of Malicious Code or a Security Vulnerability, you must promptly apply security measures and patches designed to address the Malicious Code and/or Security Vulnerability. Action under this clause must be carried out in accordance with the recommendations of the supplier of the hardware or software where appropriate.
7. Security Incidents
(a) If you become aware of a Security Incident that has or may impact the delivery of any service or has compromised or may compromise the confidentiality, integrity or availability of the Tuatahi Data or Tuatahi Systems, you must:
i. notify us within 24 hours of becoming aware of the Security Incident;
ii. promptly provide all information we reasonably request in relation to the Security Incident, including its manner of introduction and the impact that the incident has or is likely to have;
iii. provide us regular updates on the Security Incident until resolved; and
iv. within 7 days of the resolution of the Security Incident, provide us with a written report detailing:
- a summary of the incident including the date it occurred and the length of the event and/or any outage;
- details such as individuals involved in any aspect of the incident handling, how/when the incident was detected, what was impacted, and any containment strategies;
- the root cause of the incident; and
- what action(s) you have or will take to prevent reoccurrence.
(b) If we determine in our reasonable opinion that additional measures are required to contain, respond to or remediate the Security Incident you will, at your cost, undertake those remedial actions. Such measures may include a customer announcement, credit monitoring services or fraud insurance.
(c) You shall apply any learnings from a Security Incident to improve cyber defences.
(d) You must treat the occurrence of a Security Incident as confidential. If you are required by law to disclose any details of a Security Incident, you must only disclose the minimum required by law.
8. Standards Assessment
(a) We may request that you provide us with a written report summarising the result of an independent security assessment which is relevant to the Services and any risks identified as part of this assessment (Security Report).
(b) The Security Report must include:
i. a detailed description of any identified actual or potential Security Vulnerability;
ii. any applicable compensating controls;
iii. the corrective action proposed for any identified Security Vulnerability;
iv. the expected timeframe for you to correct the Security Vulnerability; and
v. at our request, a full copy of the security assessment report.
(c) If we consider that the report provided in accordance with this clause 8 is unsatisfactory, we may, acting reasonably and at our cost, carry out an independent security assessment of your security processes. Any assessment carried out under this clause shall be subject to appropriate confidentiality obligations and you shall provide any assistance and access that we reasonably request.
(d) If a security assessment and/or the Security Report reveal that your processes do not meet the minimum standards required under the Supplier Cybersecurity Requirements or the existence of deficiencies that result in an unacceptable level of risk to us, you must promptly meet with us to agree appropriate corrective steps and apply those steps.