PDS, as part of policing, has a requirement to assure itself in respect of the third parties we use in the course of our business. Partners that are not police forces or police organisations, but use policing services, need to understand the restrictions, data handling and vetting expected of them.
For third party assessment PDS serves suppliers with a number of questions that are analysed to produce a compliance picture. Evidence can be provided to support the answers prior to or during the audit to enable PDS (on behalf of policing) to assess the sufficiency of the answers.
The responses are reviewed with regard to the criticality to policing, the level of access to systems and the sensitivity of the data you as a supplier will have access to.
In some instances, a physical security check or PASF (Police Assured Secure Facility) audit of your premises may additionally be required.
Responses will be analysed with the system service manager or programme team. If full compliance has not been achieved by the supplier, a decision will be made on whether the non-compliance is within risk appetite and whether a risk needs to be raised with the risk owner for the service. In extreme cases, and after consultation with a supplier, it may be that the non-compliance and the risk it poses are so serious that the supplier cannot be used.
How do I work with PDS on this?
You will usually be notified of the need to go through TPAP by a PDS Cyber Compliance Officer (CCS) and asked to provide a contact point and email address to start the process. The TPAP team can be involved in the initial engagement if necessary to explain the process.
Your nominated contact will then be sent the question set with an introductory email explaining what is needed. It is assumed that completing the question set and returning an initial response for analysis will take approximately two to three weeks, but a reasonable timescale can be negotiated as part of the initial onboarding process.
The TPAP team will prompt you to finish the assessment, arrange the audit if needed and provide support during the process.
What does TPAP consist of?
You will be provided with a series of questions on the following topics:
- Security Governance
- Security Certifications
- HR Security
- IT Operations
- Software Development
- Network & Cloud Security
- Physical Security
- Business Resilience
- Supply Chain Management
- Data Protection
- Artificial Intelligence
- Financial Risk
- Environmental, Social and Governance
You will need to answer each question Yes, No or N/A, and will often be asked to provide commentary and evidence. It is accepted that some of the questions may not be applicable to you as an organisation. Documentary proof of certification can be uploaded onto the system to support answers.
We use the Risk Ledger Supply Chain Security Platform for our third party assurance. The platform allows our suppliers to create a profile and complete an assessment against a Supplier Assessment Framework, which is shared with the programme and enables us to maintain all of our supplier information in one place.
A list of the questions can be found on the Risk Ledger website.
Analysis & results
On completion of the question set, the response is analysed by PDS. It is understood that some questions may be irrelevant to the service to be provided or to you as an organisation, and this is also accounted for in the analysis.
The TPAP team will not issue a blanket approval of your assessment without consulting the originating PDS CCS or service manager. The analysis of the results is done with their involvement, as they will need to satisfy themselves that any third party is fully or sufficiently compliant and that all required evidence is present.
Risk reporting and maintenance
Following your assessment, where risks are identified and need to be raised to enable the engagement, they will be entered onto, and managed on, the relevant programme or system risk register.