Operational Phase
Typically the vendor will be required to support the deployed solution during in-service operation. This includes maintenance, deployment of bug fixes and patches, system updates and functional upgrades, as well as support for incidents that affect normal operation or compromise security, whether caused by a bug or design flaw or by a newly discovered vulnerability. Any change to the system must follow approved change-control procedures so that integrity and security are maintained; in particular, changes require security testing both at component level and end to end.
- The vendor's processes, people, tools and access to operator systems must not compromise the security of the operator's systems
- This also applies to any sub-contractors the vendor uses
- Suppliers lacking the appropriate processes to provide the required level of security assurance could present an opportunity for attackers to compromise overall security controls.
- The vendor must notify the operator of newly discovered vulnerabilities, data breaches and other security breaches, and must provide a clear and timely process for resolving issues and supplying patches.
- Data breaches may also be subject to local regulations that require the data owner (typically the operator) to notify the regulator within a defined period; the vendor will typically need to support this requirement. Failing to report a breach within the required period may increase the fines and penalties faced by the operator.
- Where patches for vulnerabilities in software components have been issued, they should be deployed as quickly as possible to minimise the window in which the vulnerability can be exploited
- The notification and resolution process should also cover people or process errors (e.g. incorrect configuration) that lead to a system compromise, security vulnerability or breach.
- Any change to a component of the solution, whether hardware, software (applications, functions, operating system, container, hypervisor, etc.) or configuration, should be tested before it is deployed in the live environment
- The vendor (or an approved third party) should regularly test the operational solution in a staging / test environment to identify weaknesses in light of the latest security and threat insights and to isolate other issues (e.g. non-optimal configuration). The staging environment should mirror the live configuration closely enough that the results are representative of the deployed system.
- The vendor or third party must be able to support the operator's incident management process and provide solutions and/or remedial action in a timely manner
- From a supply chain perspective this might be managed through a series of Service Level Agreements (SLAs), which might be reflected in a maintenance contract.