Third-Party Supplier Security Policy

Document Information
Version {{version}}
Effective Date {{effective_date}}
Document Owner {{document_owner}}
Next Review {{next_review_date}}
Approved By {{approved_by}}

Purpose

The purpose of this policy is to establish guidelines for ensuring the secure operation of {{company_name}}, hereafter referred to as "the company", information systems and networks, protecting the confidentiality, integrity, and availability of our data.

The Third-Party Supplier Security Policy outlines the company's expectations for third-party suppliers in terms of cybersecurity. This is essential to managing cybersecurity risks associated with third-party suppliers and ensuring the security of the company's data and systems.

The intent of this policy is to establish the direction and principles for the protection of the {{company_name}}'s IT assets against cyber threats and enable continuous improvement of security capability and resilience to emerging and evolving security threats.

Scope

This policy applies to all employees, interns, contractors, and third parties who have access to the company's information systems and networks.

Supplier Selection

The purpose of supplier selection is to ensure that all third-party suppliers are carefully selected based on their ability to meet the company's cybersecurity requirements and the data they expect to receive from the company. This is essential to managing cybersecurity risks associated with third-party suppliers and ensuring the security of the company's data and systems.

  • Information and Cyber Security Assessment: As part of the supplier selection process, the company should conduct an assessment of the supplier's information and cyber security policies and practices.

  • Compliance Check: The company should verify the supplier's compliance with relevant cybersecurity standards and regulations. This includes standards such as ISO 27001, NIST 800-53, or other industry-specific standards, as well as data protection regulations. The compliance check should also confirm whether the organisation is a regulated body under a financial services licence.

  • Incident History Review: The company should review the supplier's history of reportable information and cyber security breaches or incidents. This includes any breaches, attacks, or other incidents that could indicate potential vulnerabilities or weaknesses in the supplier's cybersecurity.

  • Contractual Obligations: Where possible, the company should ensure that all cybersecurity requirements are clearly defined in the supplier agreement. This includes the supplier's obligations to protect the company's data, report security incidents, and comply with the company's security policies and procedures.

All employees, contractors, and third parties involved in the supplier selection process are required to comply with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.

Security Requirements

All third-party suppliers should comply with the company's security requirements depending on the nature of the data they handle on behalf of the company. This is essential to managing cybersecurity risks associated with third-party suppliers and ensuring the security of the company's data and systems.

  • Data Protection: All third-party suppliers should implement appropriate measures to protect the company's data. This includes using data encryption for data at rest and in transit, implementing access controls to restrict who can access the data, and using secure methods for data disposal.

  • Access Controls: Third-party suppliers should implement robust access controls to ensure that only authorized individuals have access to the company's data and systems. This includes using multi-factor authentication, implementing least privilege principles, and regularly reviewing and updating access permissions.

  • Incident Response: Third-party suppliers should have a documented incident response plan that outlines how they will respond to an information and cyber security incident. This includes identifying and reporting the incident, containing and eradicating the threat, recovering from the incident, and conducting a post-incident review.

All employees, contractors, and third parties involved in the supplier management process are required to comply with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.

Monitoring and Auditing

The company should regularly monitor and, where necessary, audit third-party suppliers {{supplier_audit_frequency}} to ensure compliance with security requirements. This is essential to managing information and cyber security risks associated with third-party suppliers and ensuring the security of the company's data and systems.

  • Regular Audits: Where deemed necessary, the company should conduct {{supplier_audit_frequency}} security audits of third-party suppliers if the third party is not independently audited. The audits should assess the supplier's compliance with the company's security requirements and identify any potential vulnerabilities or weaknesses in the supplier's security controls.

  • Security Reports: The company should {{security_review_frequency}} review security reports provided by third-party suppliers. These reports should provide information about the supplier's security posture, independent audits, any security incidents that have occurred, and any actions taken by the supplier to address security issues.

  • Incident Response: The company should respond promptly to any security incidents involving third-party suppliers. This includes investigating the incident, coordinating with the supplier to address the issue, and implementing measures to prevent similar incidents in the future.

  • Continuous Monitoring: The company should continuously monitor the security performance of third-party suppliers. This includes tracking the supplier's compliance with security requirements, monitoring for any changes in the supplier's security posture, and updating the company's risk assessment based on the supplier's performance.

All employees, contractors, and third parties involved in the supplier management process are required to comply with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.

Staff Responsibilities

Staff (including interns and contractors) are expected to uphold the expected standards of professional conduct and comply with this policy in its entirety.

All staff must read, understand, and comply with all components of this policy, and with all laws and regulations that apply to their role.

  • Staff should speak up when they see possible violations of the policies or of legal and regulatory requirements.

  • Staff should be truthful and cooperate fully in any internal investigations, and must not conceal or destroy information.

  • Staff should ensure they complete training on the policies, and attest that they understand and commit to comply with them.

  • Failing to read or attest to the policies does not excuse staff from these responsibilities.

Review

This policy will be reviewed {{default_policy_review}} or as needed based on changes to our business, technology, or regulatory environment.

Enforcement & Waivers

These policies are important to us. Violation may result in disciplinary action, up to and including termination of employment. A provision of these policies may be waived for a staff member only with the consent of the {{company_name}}'s board of directors.

Essential Eight Alignment

This policy ensures third parties maintain appropriate:

  • Patch Management - For vendor-provided systems
  • Application Control - For vendor access
  • Multi-factor Authentication - For vendor remote access

Target Maturity: {{e8_target_maturity}}

Implementation Check

  1. Who owns this? {{policy_owner}}
  2. Are we doing it? {{implementation_status}}
  3. When will we check again? {{next_review_date}}