Supplier Risk Assessment

As part of Drummond’s Information Security Management Framework, Suppliers shall agree to a set of requirements and principles which govern the use, handling, and disclosure of data or information on Drummond’s behalf.

Please complete the form below on behalf of your organization. Please contact [email protected] with any questions or issues completing this form.

This Security Requirements Appendix to the Agreement sets forth the security requirements to be fulfilled by the Supplier in relation to services provided under the Agreement, including the Supplied Services.

Your Information

Your Name(Required)

General Requirements

  • The Supplier shall ensure that any service provided by the Supplier under this Agreement, including the Supplied Services, has adequate security protection measures in place to manage threats. In the provision of such services, security protection shall be included which, at a minimum, meets the requirements of the Agreement.
  • The Supplier shall adhere to the International Standard ISO/IEC 27001 and shall have an information security policy that demonstrates the Supplier’s adherence to it.
  • The Supplier’s undertakings regarding security protection measures include, but are not limited to, the following:
      ◦ the Supplier shall ensure that security systems and administrative tools are not used for purposes other than those intended;
      ◦ the Supplier shall ensure that security awareness training and information has been given to all concerned personnel of the Supplier; and
      ◦ the Supplier shall not introduce, remove or change security measures that have been implemented or ordered by Drummond without obtaining Drummond’s prior written approval.
  • The Supplier shall appoint a named person who shall be responsible for security. This person shall be responsible for liaising with Drummond regarding all matters relating to security.
  • The Supplier shall, upon Drummond’s request, provide Drummond with a written report demonstrating that the security requirements stipulated in this Appendix are being met.
Does Supplier agree to the security requirements above?(Required)

Security Contact Person

The Supplier shall appoint a named person who shall be responsible for security. This person shall be responsible for liaising with Drummond regarding all matters relating to security.
Name(Required)

Organization of Information Security

Does the Supplier have a management framework established to initiate and control the implementation of security?(Required)
Does the Supplier have an operational and documented process regarding internal personnel changes?(Required)
All staff changes that affect or may affect personnel with access to Drummond’s systems shall be reported to Drummond within 30 days. Staff changes shall be documented and stored for review and the Supplier shall be able to show documented staff changes upon Drummond’s request.

Security Operations

Backup and Physical Media

Will the Supplier ensure that Drummond proprietary information and operational system state can be recovered following a Disaster or media failure?(Required)
Will the Supplier maintain backup copies for a minimum period of one (1) year, or for such other period of time as agreed with Drummond in writing?(Required)
Will the Supplier have documented routines and processes in place to meet its obligations regarding availability and security of Confidential Information and Drummond Data?(Required)
If physical media containing Confidential Information and/or Drummond Data is to be decommissioned, will the Supplier treat such Confidential Information and Drummond Data in accordance with the provisions of the Confidentiality section of the Agreement?(Required)
Any return to Drummond of Confidential Information or Drummond Data shall be made in a secure manner and any destruction shall be made in a way so that the information cannot be recreated or accessed. The Supplier shall have documented routines in place regarding destruction of physical media and shall be able to show proof of such destruction upon request. Access to backup copies shall be controlled, logged, and handled according to stated routines in accordance with ISO/IEC 27001.

Security Logs and Monitoring

Will the Supplier monitor the Supplied Services to detect deviation from its access control policy and to provide evidence in case of information security incidents?(Required)
Will the Supplier have a documented routine in place for log review and analysis in order to identify intrusion attempts and security related incidents?(Required)
Such documented routine shall be shown to Drummond upon request.

Security Incident Management

Will the Supplier at all times ensure that adequate and up to date malware protection exists and is implemented?(Required)
Malware includes computer viruses, worms, Trojan horses, spyware, adware, and other malicious objects.
Will the Supplier ensure that malware protection updates are implemented no later than thirty (30) days after their release date?(Required)

Security Patches

Will the Supplier ensure that all critical security patches relevant to software in operational use are implemented no later than sixty (60) days after the patch release date?(Required)

Intrusion Prevention System or Equivalent Solution

Will the Supplier at all times ensure that an adequate and up to date intrusion prevention system, or equivalent solution, is installed?(Required)
Will the Supplier ensure that the intrusion prevention system, or equivalent solution, is updated according to a documented routine that aligns with the product manufacturer’s recommendations?(Required)

Communication Over Internal Networks

Will the Supplier ensure that any non-public network utilized by the Supplier is constructed and protected in such a manner that only authorized access is possible?(Required)

Communication Over Public Networks

Will the Supplier ensure that when public networks (the Internet) are utilized by the Supplier, appropriate security mechanisms are in place so that no unauthorized access is possible?(Required)
Will the Supplier ensure that when Confidential Information or Drummond Data is communicated over a public network, it is encrypted either with SSL/TLS using keys of AES-128 bit strength or equivalent for symmetric encryption and RSA-2048 bit strength or equivalent for asymmetric encryption, or with another solution that has been approved in writing by Drummond beforehand?(Required)

Communication Over Wireless Networks

Will the Supplier undertake to use wireless networks for internal electronic communication only when WPA2 or stronger encryption is in use, configured according to the product manufacturer’s recommendations?(Required)

Software Development

Does the Supplier adhere to a robust secure software development lifecycle and align with ISO/IEC 27001 regarding correct processing in applications, so as to prevent errors, loss, unauthorized modification, or misuse of information in applications?(Required)
Does the Supplier test provided software or solutions for security vulnerabilities on a regular basis?(Required)
Such tests shall be performed at least once every year for systems not exposed to the Internet, and at least once every quarter for systems exposed to the Internet. Vulnerability findings shall be resolved within sixty (60) days.

Physical Security

Does the Supplier ensure that adequate burglary protection is installed and in use at all premises utilized by the Supplier or any subcontractor for activities related to Drummond?(Required)
Does the Supplier ensure that servers, including peripheral equipment, communication equipment and data media associated with Drummond are placed in locked rooms (minimum requirement) and are only accessible to authorized personnel?(Required)
Does the Supplier ensure that adequate procedures are in place for protection of Supplied Services utilized for activities related to Drummond against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disasters or accidents?(Required)

Business Continuity Plan

Does the Supplier have an adequate and well documented business continuity plan in place in order to fulfill its undertakings towards Drummond?(Required)
The business continuity plan shall be shown to Drummond upon request.

PCI DSS

All entities that process, store, or transmit cardholder data must adhere to the PCI DSS requirements. Adherence to the PCI DSS requirements, which serve to protect the cardholder data of Drummond’s customers, is Drummond’s utmost goal.

Any change necessary due to changes in any of the PCI standards is the responsibility of the Supplier. Any change necessary due to Drummond requirements deviating from the PCI standards shall be handled as a Change Request. This means that Drummond is accountable for overall PCI DSS compliance towards the Payment Card Industry, and the Supplier is accountable towards Drummond for the PCI DSS compliance of supplied services that form part of Drummond’s PCI DSS compliance scope, including hardware and software components, processes, and any possession of Drummond cardholder data, as well as for the applicable certifications that serve as proof of such compliance.

Drummond is further responsible for keeping Supplier informed about Drummond’s PCI DSS strategy and any relevant changes within Drummond’s PCI DSS compliance scope impacting Supplier’s delivery of the service from a PCI DSS perspective.

Does the Supplier, at all times and where applicable, comply with the Payment Card Industry (Visa, MasterCard, American Express, Discover, JCB) requirements as described in the latest released versions of PCI DSS, PCI PTS and PCI PA DSS?(Required)
Does the Supplier at all times maintain all applicable PCI certifications?(Required)
Upon request from Drummond, the Supplier shall provide Drummond with sufficient documentation evidencing such PCI certifications.
Please upload any evidence such as policies, procedures, or ISMS overview documents to support your risk assessment responses.