Third party vendor review policy

ºÚÁÏÊÓÆµ reviews vendor security practices before contracting, and on a regular basis, to ensure vendors properly handle ºÚÁÏÊÓÆµ’s customer data, confidential data, and other data.

Scope

This policy only applies to vendors or contractors handling ºÚÁÏÊÓÆµ or its customers’ data.

Schedule

Vendors’ security practices should be initially evaluated as part of their contract review, and while still in use, on an annual basis.

Contractors must read and acknowledge ºÚÁÏÊÓÆµ’s security policies as part of their onboarding. Contractors must complete ºÚÁÏÊÓÆµ’s information security training as part of their onboarding and thereafter, while still under contract, on an annual basis.

Vendor assessment

As part of vendor evaluation and contracting, vendors’ security practices should be reviewed to ensure they sufficiently protect ºÚÁÏÊÓÆµ’s and its customers’ data.

The requirements for a vendor may change based on the risk classification of the assets they are handling (see the Information classification policy), such as sensitive data or access to production resources, and may change during a contract if a vendor’s scope or responsibilities change.

ºÚÁÏÊÓÆµ will:

  1. Ask vendors for their SOC 2 type II or type I report for an overview of their current security practices. If a SOC 2 report does not exist or where insufficient information is provided, ºÚÁÏÊÓÆµ will ask the vendor to complete the .
  2. Review the vendor’s responses and compare these to ºÚÁÏÊÓÆµ’s security policies to identify any gaps where the vendor may have weaker policies.
  3. For each notable gap or where insufficient information is provided, ºÚÁÏÊÓÆµ can: ask the vendor to make a change or provide additional information, implement a mitigating control, or accept the risk. These should be documented in the risk register.

ºÚÁÏÊÓÆµ will document vendor information, to help in case of a potential incident. This information includes:

  • Vendor name, i.e. Which vendor?
  • Vendor contact information, i.e. How do we contact the vendor? List different contacts for billing, support, and/or security where they apply.
  • Type of data shared, i.e. What types of data from ºÚÁÏÊÓÆµ does the vendor collect or otherwise have access to?
  • Terms of Service for services provided by the vendor
  • Security report or questionnaire shared by the vendor