
Best practice

Doug needs to engage a new third party to make bank cards for CBA. However, there are some aspects of the Information Security Policy and Standards for which he does not know how to ensure a vendor can comply.

What should his next steps be?

Doug’s pretty sure that he’s doing the right thing by following the Sourcing Process, so he takes his RFP to market. Through that process, a vendor is selected. However, as the onboarding process progresses and Doug starts to complete his risk assessments, a number of Information Security Policy and Standards non-compliance issues are discovered.

If Doug had engaged DPG for additional clarity on the Information Security Policy and Standards before issuing the RFP, he could have improved coverage of security considerations, which would have led to better and safer business outcomes.

Doug’s glad he contacted Jamie when he did. Even though he was adhering to CBA’s supplier governance policies and frameworks and was aware of some security considerations to include in the RFP, Jamie gave him some additional suggestions. This helped him assess the suppliers’ ability to comply with the Information Security Policy and Standards before a vendor was selected, and collect the right information to complete his risk assessments.

Best practice

Doug hears from a colleague at CBA that one of his suppliers is moving the location of its data centres from one country to another.

What should he do?

In the meantime, this supplier is out of compliance. Doug learns the importance of acting on this information immediately. Jamie explains to him the importance of maintaining situational awareness to ensure good supplier governance at all times.

Yes, that is correct. Once you have confirmed this information with your supplier, engage DPG, Line 1 Risk and Enterprise Procurement and Partnerships (EPP) to ascertain if a risk assessment needs to be revised or updated. Jamie explains to Doug the importance of maintaining situational awareness to ensure good supplier governance at all times.