Policy
Policy Name
Third-Party Security Policy

Overview
Vendors, partners, contractors or other third parties must manage and protect information in accordance with the organization's information security policies and standards.

Statement
The following controls must be implemented, at a minimum, to ensure third parties adhere to the organization's information security policies and standards in order to protect data:
  • A supplier risk or security assessment and audit of the third party
  • An appropriate contract signed by the third party that includes information protection requirements
  • A logical and physical site review, conducted as needed
  • Closure of any security gaps identified in the risk assessment or audit

Certain security industry certifications or audits (e.g. ISO 27001, PCI) may be used in lieu of periodic third-party reviews, as appropriate and subject to certain conditions.


Justification

The following benefits will be achieved:

  • Reduced risk of sensitive information being compromised or misused by third parties

Scope
All employees, contractors, agents and third parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Third-party Security