Supplier Security Requirements

List of security requirements all suppliers (including vendors and partners) are required to meet.

Overview

The security requirements set forth below align with the NIST Cybersecurity Framework v1.1. As such, they are meant to be viewed as minimum requirements and guidelines. For applicable Sections, suppliers should be prepared to provide documentation and proof (e.g., SSAE18, SOC2 Type 2 report) of their ability to meet the requirements.

Scope

The requirements define the information security controls that MercuryGate’s suppliers, their staff, and their subcontractors must adhere to when (a) accessing MercuryGate networks and/or systems, (b) handling MercuryGate data, and/or (c) interfacing with MercuryGate software, applications, and/or services.

Security Governance and Compliance

  • A Non-Disclosure Agreement (“NDA”) must be in place and supplier must comply with all requirements of the NDA.
  • Required to complete any questionnaires provided by MercuryGate in a timely and accurate manner.
    • Any critical and/or high-level risks require a remediation plan
  • Must maintain a security program that is based upon a recognized security framework (e.g., NIST, ISO 27001) that includes the following:
    • Written information security policies and procedures
    • Annual (minimum) security assessments and audits to measure control effectiveness
    • Annual controls audit by an independent third party
      • Full report to be provided to MercuryGate upon completion
  • When implementing controls, supplier must consider compliance with applicable industry standards, laws, and regulations.

Worker Security

  • Required to implement and maintain appropriate employee/subcontractor onboarding, offboarding, and transfer process including:
    • Appropriate background checks and investigations
    • Company, position, and security training
  • Must have a defined disciplinary policy and process that covers:
    • Violations of supplier security and/or privacy policy
    • Unauthorized access to MercuryGate systems and/or data

Change Management

  • Must have a formal change management process that documents and manages operation processes and procedures.
  • Implement written policies and procedures that ensure all systems, applications, and/or services are reviewed, tested, and approved prior to accessing MercuryGate data.
  • Implement defined processes for validation of any new systems, applications, and/or services to ensure vulnerabilities are not introduced prior to release.
  • Required to notify MercuryGate in advance of any change that could impact the way MercuryGate and/or its customers use a product and/or service provided.

Authentication and Access Management

  • Required to provide industry accepted authentication and access controls to protect MercuryGate systems, applications, and/or services.
  • Ensure stringent and complex password policies and standards exist on IT systems that access and/or house MercuryGate data and/or assets.
  • Ensure systems that access confidential, personal, or regulated information adhere to a complex password policy and are updated on an ongoing basis.
  • Must have a formal, documented process for granting and revoking access to all systems that access, process, or store MercuryGate data.
    • User access rights shall be strictly limited to a need-to-know basis that permits access only to the systems and resources required for users to perform their duties.
    • All users with authorized access to MercuryGate data must be assigned a unique User ID which must not be shared with any other individual.
  • Ensure a separation of duties process is in place and followed.
  • Access rights will be revoked immediately upon termination of any user with access to MercuryGate systems or resources, or if a change in job role eliminates the requirement for continued access.
  • All access rights must be reviewed no less frequently than quarterly.
  • All user access to systems storing MercuryGate data must be audited, and those audit records must be maintained and made available to MercuryGate upon request.

Data Transmission Confidentiality and Integrity

  • Implement controls to ensure all MercuryGate data is cryptographically protected at-rest and in-transit using strong, industry recognized, non-deprecated algorithms.
    • Encryption must meet a minimum standard of AES-256
  • Use strong encryption key management practices (key protection, rotation, and backup) so that encrypted authoritative information remains available and recoverable

Physical Security

  • Must store MercuryGate’s data and/or systems in locations that are protected from:
    • Natural disasters
    • Theft, physical intrusion, unlawful, and unauthorized physical access
    • Ventilation, heat or cooling problems, power failures or outages

Media Protection, Sanitization and Destruction

  • Must implement a written policy and procedure for the secure destruction and/or deletion of all MercuryGate data as directed.
  • Disposal of electronic media must adhere to industry recognized practices per the Guidelines for Media Sanitization in NIST SP 800-88.
    • Upon request a certificate showing adherence to the above must be provided.

Auditing

  • Ensure all systems that process or store MercuryGate data maintain an automated audit trail that documents system security events, as well as any event that results in the access, modification, and/or deletion of MercuryGate Data.
  • Ensure audit logs are read-only and protected from unauthorized access and modification.
  • Must retain all audit logs for a minimum of one (1) year.
  • Ensure audit records documenting events resulting in the access, modification, and/or deletion of MercuryGate Data are made available to MercuryGate upon request.
  • Must employ a regular audit log review process (either manually or automated) for detection of unauthorized access to MercuryGate data.

Operation Security

  • Regularly audit networks and systems for security configuration compliance.
  • Regularly scan the entire network, systems, and applications for vulnerabilities.
  • Will have a documented process for hardening all network devices, systems, and hosts prior to implementation based on industry best practices.
  • Ensure any changes to IT systems that are performing work on or for MercuryGate do not have any negative security implications.
  • Must not move or transfer MercuryGate data to any non-production environment or insecure location.

Vulnerability Management

  • Have a defined process for applying and managing security updates, patches, fixes, and upgrades (collectively referred to as “Patches”) on all IT systems.
    • Must ensure Patches that provide security fixes or security updates are deployed within 30 days of the date of release.
  • Must ensure Malware, Virus, Trojan, and Spyware protection is deployed on all IT systems that house and/or access MercuryGate’s data.
    • Must ensure Malware, Virus, Trojan, and Spyware protection technology has the latest and up-to-date manufacturer’s signatures, definition files, software, and patches.
  • Must deploy methods to identify malicious activity, log such activity, attempt to block/stop the activity, and report such activity.
    • Security methods must have the latest and up-to-date manufacturer’s signatures, definition files, and software patches.
    • If requested by MercuryGate, supplier must provide logging information of all unauthorized activity going back a minimum of one (1) year.
  • Must ensure all unused or unnecessary software, applications, services, sample/default files, and folders are disabled on all IT systems that house and/or access MercuryGate’s data.

System Development Life Cycle

  • Ensure infrastructure, network, and application vulnerability assessments are periodically conducted and follow industry acceptable vulnerability management practices.
  • Ensure industry acceptable application development security standards are followed so IT systems and applications are tested and secured in every step of the application and system development life cycle.
  • Ensure firmware, software, and application source code are validated and tested against vulnerabilities and weaknesses before deploying to production.

Security Incident Management

  • Ensure access and activity audit and logging procedures, including access attempts and privileged access, exist.
  • Ensure security incident response planning and notification procedures exist to monitor, react, notify, and investigate any incident related to MercuryGate’s data and/or systems.
  • Within forty-eight (48) hours, notify MercuryGate if supplier identifies a breach in any controls impacting MercuryGate’s data and/or a system related to MercuryGate.
    • NOTE: Once supplier discovers, or is notified of, a security breach, supplier must investigate, remediate, restore, and conduct a root cause analysis.
  • Supplier must provide MercuryGate with results and frequent status updates of any investigation related to MercuryGate’s data and/or a system related to MercuryGate.

Business Continuity/Disaster Recovery

  • Must have a written business continuity and disaster recovery plan.
    • Required to be reviewed, tested, and updated annually (at minimum)
  • Required to implement an industry standard backup and restore capability.

Additional Security Capabilities

  • Any security capability that becomes an industry-accepted norm, and/or common practice that exceeds any of the above defined requirements, will be implemented.