All data and information systems owned, leased, or used by the company that are business critical and/or process, store, or transmit Confidential data. This policy applies to all employees of the company and to all external parties, including but not limited to Company consultants, contractors, business partners, vendors, suppliers, outsourced service providers, and other third-party entities with access to Company data, systems, networks, or system resources.
Information security requirements between the company and third parties shall be agreed upon and documented.
For all service providers who may access Company Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities.
Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by Company as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR, or other frameworks, compliance standards, or regulations.
Relevant information security requirements shall be established and agreed upon with each supplier that may access, process, store, transmit, or impact the security of company Confidential data and systems, or provide physical or virtual IT infrastructure components for the company.
For all service providers who may have access to Company production systems, or who may impact the security of the Company production environment, written agreements shall be maintained. These agreements shall include the service provider's acknowledgment of their responsibilities for the confidentiality of company and customer data, together with any commitments regarding the integrity, availability, and/or privacy controls that they manage, so that the standards and requirements Company has established under its information security program or any relevant framework are met.
The company will consider and assess risks associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.
The company shall regularly monitor, review, and audit supplier service delivery. Supplier security and service delivery performance shall be reviewed at least annually.
Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures, or controls, shall be managed, taking into account the criticality of the business information, systems, and processes involved. The company shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.