Policy Template for Vendor Management


1.0 Purpose

The purpose of this policy is to set forth the guidelines that must be followed to maintain the security of the organization's information systems and data when {{organization.name}} enters into any arrangement with a third-party supplier/vendor, and to identify the elements of vendor management: due diligence, risk assessment, and contract management.

2.0 Scope 

The scope of this policy covers {{organization.name}}’s relationships with business partners, suppliers, and third-party vendors (collectively referred to as ‘vendors’ or ‘third parties’), including any third-party access to the information, IT assets, IT infrastructure and facilities of {{organization.name}} and/or its client information.

3.0 Policy

3.1 Managing Outsourcing Risks 

Prior to outsourcing any of {{organization.name}}’s processes or services to a third party/vendor, or allowing third-party access to the organization's information or systems, the risks involved must be clearly identified and documented. Executive management must review the identified risks together with the proposed mitigation strategies, and decide whether any residual risk is acceptable, before the vendor is engaged.

The risk categories that must be considered during the risk assessment process include (but are not limited to):

  • Information Security - Assessment of the third party's controls for the security, privacy, confidentiality and availability of the data shared with it.

  • Monitoring Gaps - Periodic assessments, ongoing monitoring, incident notification, off-boarding, and the adherence to and appropriateness of SLAs.

  • Business Continuity - Availability is a key consideration as third-party services and solutions become more critical to {{organization.name}}'s operations; where applicable, assess the vendor's facility access and physical security measures.

  • Data Exposure - Incorrectly classified data and unidentified data shared with or held by the third party.

  • Regulatory Requirements - Regulators mandate the supervision of third-party suppliers for security, privacy and data protection compliance.

  • Due Diligence - Distributed IT environments, legacy/longstanding suppliers, and the third party's use of subcontractors.

3.2 Contracts

Contracts that include the exchange of confidential data must require the vendor to execute a confidentiality agreement, and shall identify the applicable security policies and procedures to which the vendor is subject.

Contracts must clearly identify security reporting requirements and must stipulate that the vendor is responsible for maintaining the security of confidential data in its custody, regardless of who owns that data. In the event of a breach of the security of {{organization.name}}’s confidential data, the vendor is responsible for immediately notifying {{organization.name}} of the incident details and of the recovery and remediation actions taken.

Third-party access to {{organization.name}} information shall be granted only after authorization has been given and the applicable agreements/contracts have been signed.

3.3 Oversight and Monitoring

Management will designate the staff responsible for monitoring the performance and compliance of each outsourced program/vendor. Their duties include regularly reviewing each third party's performance to determine compliance with expectations and contracts, using any or all of the methods below (as agreed in the contractual agreements):

  • reviewing vendor security compliance reports produced by independent auditors (for example, SOC 2 reports)

  • scheduling follow-up assessments, based on the vendor's risk level, using a security questionnaire

  • performing an audit or assessment of the vendor's services (right-to-audit clause)

In addition, all vendors shall be evaluated for security risks to the organization on a periodic basis through a formal risk assessment process. Vendors handling critical data or functions may be evaluated more frequently. The results of these periodic assessments shall be considered during service/contract renewals.

Staff responsible for third-party relationship monitoring shall submit regular reports to management. The reports shall include the information management needs to make informed decisions and take timely corrective action.

3.4 Termination of Service

Upon termination of vendor services, contracts must require the return or destruction of all {{organization.name}} data. Procurement and contract managers designated by {{organization.name}}’s management shall immediately ensure that the vendor's access to {{organization.name}} systems and, if applicable, to the facilities housing those systems is terminated.

{{organization.name}} shall agree appropriate provisions with such vendors to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier. Exit reviews of vendors shall be performed to ensure compliance with termination clauses.