Cyber Security Schedule

1.1. Certifications

CE.01

If Maersk Data is in scope of this Service, the Supplier must have a documented ‘Information Security Management System’ (ISMS). The ISMS should cover all the requirements of an international Cyber Security standard (such as ISO27001, NIST etc) and be proven to be operating effectively through periodic internal and/or external audits by independent and qualified practitioners.

CE.02

As part of the Services, Supplier must align and maintain cyber security practices to a recognized cyber security standard (such as ISO27001, NIST, etc.) and maintain and annually submit to Maersk at thirdpartyassurance@maersk.com any cyber security certifications that are applicable to the Services, including the following reports: ISAE 3402, type II and  ISAE 3000 or equivalent reports. Should any certification lapse, fail to be maintained/renewed or degraded during the certification period, Maersk Cyber Security Third Party Assurance team must be notified immediately at “thirdpartyassurance@maersk.com” together with information on when the security levels will be resumed, or an alternative cyber security solution that meets or exceeds the contractual requirements will be established.  Failure to maintain security standards and/or certifications will be considered a material breach of the Agreement. If Supplier is unable to provide relevant certification of its facilities, systems and business units against an established cyber security standard (e.g. ISO27001, etc.) conducted by an independent third party, the Supplier must at its expense without undue delay and no later than 30 days upon its receipt, complete and return a cyber security self-assessment provided by Maersk.

CE.03

To the extent a Supplier and/or Supplier’s representative is acting as a Service Provider or as a Merchant (as defined in the PCI Data Security Standards) on behalf of Maersk and has access to cardholder payment card information, the Supplier and/or Supplier’s representative must be PCI compliant.  The Supplier must ensure that the current PCI certification is made available upon request at least annually.

1.2. Awareness and Training Program (AP)

AP.01

An Awareness and Training program based on acceptable Cyber Security behaviours should be present at the Supplier and must be provided on an annual basis to all employees and contractors, if any involved.

1.3. Supply Chain Security (SC)

If any elements of this agreement between Maersk and the Supplier are delivered by subcontractors, the Supplier must comply with the following requirements:

SC.01

The Supplier must ensure that a risk-based process is used to govern the selection and management of subcontractors that provide Service to Maersk. If the subcontractors are changed during the Term, the Supplier must ensure that this will not result in a degradation of Services.

SC.02

The Supplier must ensure that Cyber Security and data privacy requirements are embedded in third party contracts and these commitments are reasonably monitored throughout the relationship.

1.4. Risk Management (RM)

RM.01

The Supplier shall perform risk assessments, performed or overseen by Suppliers own Cyber Security staff and sponsored by senior management, across the entire Supplier’s business units, business processes, applications, facilities, systems and third parties that are involved in the delivery of Services to Maersk, or are used to store or access Maersk Data.

RM.02

The Supplier must ensure that identified risks are addressed, handled and formally recorded according to severity and contract requirements from Maersk.

1.5. Asset Management (AS)

AS.01

The Supplier must implement and maintain processes around asset identification, classification, and management (from procurement to disposal).

AS.02

The Supplier must maintain an asset inventory that accurately reflects the current state of the information systems and infrastructure (including cloud services where relevant); and ensure that they are maintained on a regular basis or when there is asset component installation, removal and update.

1.6. Data Handling (DH)

DH.01

Supplier must take the necessary technical and organizational measures to prevent Maersk Data from (a) being accidentally or illegally destroyed, lost or manipulated, (b) being shared with any third parties, (c) being subject to unauthorized use or disclosure, or (d) being processed contrary to applicable laws on data protection where applicable.

DH.02

The Supplier must ensure that all Maersk Data is protected in a secure manner including but not limited to:

1. Have audit logging enabled that tracks what an individual user has done and when.
2. Retained in line with legal, regulatory and business requirement.

DH.03

The Supplier must ensure that all information pertaining to, provided by, or owned by Maersk is securely destroyed (once approved in writing by Maersk) as soon as it is no longer required for a valid business purpose. This extends to:

1. Electronically stored information
2. Paper assets
3. Other physical media, such as backup tapes or external drives.

1.7. Encryption (E)

E.01

If Maersk Data is in scope for this Service, the Supplier must ensure that for all information and information systems employed in supplying the Service to Maersk, have access controls and compliant cryptographic mechanisms in place. These shall be in line with internationally recognised industry best practice encryption standards, to protect the confidentiality and integrity of information at rest and in transit to a degree appropriate for the classification of the information and regulatory requirements.

1.8. Hardening (HA)

HA.01

The Supplier must ensure that a secure baseline configuration is established, maintained and reviewed periodically for all information systems used to provide Service to Maersk.

The Supplier should use international recognized standards to implement hardening of systems, applications and networks such as:

• Centre of Information Security (CIS) benchmarks
• National Institute of Standards and Technologies (NIST) standards
• SANS Institute resources
• British Standards Institution (BSI) standards
• Information Security Forum (ISF) Standard of Good Practice

1.9. Threat and Vulnerability Management (TV)

TV.01

The Supplier must:

1. Ensure that required patches and Cyber Security fixes are applied to all approved devices existing in the asset register, unless a shorter or longer period is recommended by the manufacturer or agreed to by the Suppliers designated Cyber Security point of contact
2. Notify all users of their requirements to apply patches when necessary
3. Continuously monitor reports of known Cyber Security vulnerabilities and zero-day exploits in all pieces of software used to provide the Service(s) to Maersk, to ensure that the need to produce patches is determined.

TV.02

Maintain a register of all devices that have applied necessary patches (cross referenced against the asset register) so that any devices that have not applied the patches are identified, and corrective actions are applied.

TV.03

The Supplier must have a process in the case of a deviation from the established threat and vulnerability management process. The process must include the creating of a valid business case, which describes why the deviation is needed. The process must also identify the risk of these deviations at system, application and/or network level.

1.10. Change Management (CM)

CM.01

The Supplier must maintain a documented Change Management Process that ensures that proposed changes applications or systems; are validated, authorised, tested in a non-production environment and approved prior to deployment.

1.11. Access Management (AM)

AM.01

The Supplier must have a documented access management process, which differentiates between regular and privileged account management. Access rights should be provisioned in line with the principle of least privilege. All access is managed, i.e., granted, reviewed, revoked and validated in a role-based access controlled (RBAC) manner, have an audit trail and be time-bound.

1.12. Physical Security (PS)

PS.01

If Supplier access to Maersk premises is required for the completion of Services, then Maersk will provide the Supplier with access to specific Maersk premises. The Supplier must ensure that:

1. Only the specified Supplier employees (to whom access has been granted) may access Maersk premises.
2. The specified Supplier employees do not access or attempt to access any premises or parts of Maersk that they have not been specifically authorised to be provided access to.

PS.02

The Supplier must ensure that premises that store or process Maersk Data are secured with effective physical security controls. Internationally recognized physical security guidelines that are compliant with/aligned to ISO27001 or IEC62443 or equivalent must be in place. Ensure that this responsibility extends to any subcontractors used in the provision of Services to Maersk.

1.13. Network Security (NS)

1.14. Security Monitoring (SM)

SM.01

The Supplier must ensure that all information systems employed in order to provide Service to Maersk are monitored for any activity.

SM.02

The Supplier must ensure that information log captured for use to monitor information systems is in line with regulatory requirements and approved business needs. The information log should be suitably detailed to allow forensic investigation.

SM.03

The Supplier must ensure that internally accepted mechanisms and procedures are employed to manage and subsequently control network performance baselines.

1.15. Incident management and security reporting (IM)

IM.01

In the event of any act, error or omission, negligence, criminal activity, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, lawful processing or integrity of Maersk Data or Maersk systems or the physical, technical, administrative or organizational safeguards put in place by Supplier that relate to the protection of the security, confidentiality, or integrity of Maersk Data, Supplier shall, as applicable: (a) notify Maersk as soon as practicable but no later than twenty-four (24) hours of becoming aware of such occurrence to soc@maersk.com; (b) promptly cooperate with Maersk in investigating the occurrence, including making available all relevant records, logs, files, data reporting as well as other information and materials required to comply with applicable law or as otherwise required by Maersk; (c) promptly perform or take any other actions required to comply with applicable law as a result of the occurrence; (d) be responsible for promptly recreating lost Maersk Data without charge to Maersk; and (e) provide to Maersk a detailed plan within ten (10) days of the occurrence describing the measures Supplier will undertake to prevent a future occurrence.

IM.02

The Supplier must have a documented incident management process, to be enacted in the event of discovery of a Cyber Security incident. This should include the identification, containment, eradication, recovery and lessons learned of a security incident.

IM.03

The Supplier agrees not to notify any regulatory authority, nor any customer, on behalf of Maersk unless Maersk specifically requests in writing that the Supplier do so. Maersk also reserves the right to review and approve the form and content of any notification before it is provided to any party. The Supplier will cooperate and work together with Maersk to formulate and execute a plan to rectify all confirmed security incidents.

IM.04

Maersk retains the right to collaborate with the Supplier to investigate Cyber Security Incidents, experienced by the Supplier, which compromises, or has the possibility to compromise Maersk data, or increases the likelihood of the compromise of Maersk systems.

1.16. Business Continuity (BC)

BC.01

The Supplier must implement and maintain policies and procedures for business continuity and disaster recovery that are documented, approved, reviewed on an annual basis, based on industry standards such as, but not limited to ISO 22301 (Business Continuity Management) & 27031 (Disaster Recovery).

BC.03

The business continuity plan must be communicated to all of the Supplier’s employees, and provide information and training around business continuity. The business continuity plan must be tested at least on an annual basis.

BC.04

The Supplier must implement and maintain backup processes that are tested periodically to obtain assurance in the ability to recover in the event of system failure or data corruption. Any automated backups must follow a predetermined and approved schedule that includes alerts that are generated in case of backup job errors and are dispositioned in a timely manner.

1.17. OT Products and Services (OTP)

Where the products or services supplied include Industrial Control Systems, such as SCADA or PLCs, the Supplier must comply with the following requirements:

OTP.01

Proposed support timelines for products and services shall be indicated as part of the Supplier offering.

OTP.02

The Supplier must inform Maersk of product security issues within 30 days of discovery, and provide a formal response in a timeframe agreed with the Maersk point of contact, either with a vendor approved patch or a remedial action plan. This includes vulnerabilities that are present in product dependencies.

OTP.03

The products will be supplied and deployed in a hardened state and free from known vulnerabilities, or all known vulnerabilities can be remediated using cost-free Supplier provided patches, or other measures that effectively mitigate the issues in the Maersk environment. This hardening should not include hard coded passwords.

OTP.04

The products or services supplied shall be scanned and documented to be free from known malware.

OTP.05

For any computing products supplied to Maersk, documentation on hardening the devices will be provided, including:

1. How to secure all network connections, for all devices with the capability to send or receive remote transmissions, using any method, such as sending telemetry data to other devices or receive remote control sessions will be notified to Maersk along with the means to disable these or configure them securely.
2. How to disable all unnecessary ports, protocols and services.
3. How to configure them to require the user to provide access credentials to log-in.
4. How to configure accounts and systems in accordance with the principle of least-privilege.

How to change all default passwords and access credentials, e.g. admin credentials, from their factory state.

OTP.06

These clauses cover all embedded firmware, BIOS, and software provided by the Supplier, including those where the Supplier is utilising other vendors’ products or publicly available software.

OTP.07

The Supplier acknowledges that Maersk reserves the right to conduct independent security testing and scanning of their equipment with the expectation that the above clauses will be complied with.

OTP.08

The Supplier must provide backup and recovery procedures, where applicable, for products / equipment being delivered.

OTP.09

Where the Supplier has been contracted to implement products / equipment and services which connect to Maersk systems or devices, architectural diagrams, including network topologies and asset inventories will be provided.

1.18. Suppliers providing Industrial Control Systems including SCADA (IC)

If ‘Industrial Control Systems including SCADA’ is part of the agreement between Maersk and the Supplier, the Supplier must comply with the following requirements:

IC.01

The Supplier must ensure that employees providing services on Industrial Control Systems (ICS) are fully aware of all safety regulations of both the Supplier and Maersk. Awareness of the safety regulations may be demonstrated through documented training conducted at least annually, certifications, and other means acceptable to Maersk.

IC.02

If required by the nature of Services to be provided and authorised by Maersk in writing, the Supplier may gain access to Maersk ICS systems. If so, the Supplier must:

1. Ensure that any machines, systems and connection types used to connect to Maersk ICS systems must be documented and have vendor supported, or currently maintained software, up-to-date OS, anti-malware software, security patches and have appropriate physical security controls applied.
2. Notify Maersk immediately when a connection to an ICS system is no longer required. If the connectivity is not enduring, the Supplier must formally document and notify Maersk of the dates, time frames and scope of work for the connection.
3. Notify Maersk of the named individuals within the Supplier who has access to the connected systems.

IC.03

All legitimate connections to Maersk ICS systems must only use Maersk Remote Access Management solution, as agreed with a technical resource at Maersk. Any deviations must meet strong authentication requirement, technical solution to reduce the risk of malicious process control by an external party and agreed with a technical Maersk resource.

IC.04

Disconnection plans should be prepared by Maersk and the Supplier in the event that a connection to an ICS system needs to be closed for security purposes (which should cover recovery operations and relevant closedown and safety procedures for halting the industrial process being controlled).

IC.05

The Supplier must ensure that systems used for maintenance of ICS systems (e.g. a laptop connected to the ICS system) do not contain any malware which could affect the operation of the ICS system.

IC.06

If any modifications are (to be) made on the vessels by the Supplier, the Supplier agrees to provide a documented change plan prior to commencing work and a final documented record of changes post any work. 

2. Right to Audit

Unless explicitly deviated from in the Agreement or a Statement of Work/Purchase Order/Work Agreement with a specific reference to this Section, the Supplier must adhere to the following