This Vendor Management Policy sets out the guidelines for how Netspective Communications LLC interacts with its Information Technology (IT) vendors and partners. The policy applies to all IT vendors and partners who can affect the confidentiality, integrity, and availability of Netspective Communications LLC's technology and sensitive information, or who are covered by Netspective Communications LLC's information security program. Additionally, the policy applies to all employees and contractors who are responsible for managing and supervising IT vendors and partners of Netspective Communications LLC. [FII-SCF-025-TPM-01]
- The appropriate parties must sign a contract containing security controls before IT vendors can access Netspective Communications LLC's information security assets.
- All IT vendors must follow the security policies that are based on and defined in the Information Security Policy.
- IT vendors or partners must document all security incidents in accordance with Netspective Communications LLC's Security Incident Response Policy, and immediately report them to the Information Security Manager (ISM).
- Netspective Communications LLC must comply with the terms of all Service Level Agreements (SLAs) with IT vendors. It must implement any necessary changes or controls to ensure compliance as terms are updated or new agreements are entered into.
- Before IT vendors can enter into a contract and gain access to the parent Netspective Communications LLC's information systems, the parent Netspective Communications LLC must perform a risk assessment on them.
- The risk assessment process must identify security risks related to IT vendors and partners.
- The risk assessment must identify risks related to information and communication technology, as well as risks related to IT vendor supply chains, including sub-suppliers.
- IT vendors and partners must protect, safeguard, and dispose of Netspective Communications LLC records securely. Netspective Communications LLC strictly adheres to all applicable legal, regulatory, and contractual requirements regarding the collection, processing, and transmission of sensitive data, such as Personally Identifiable Information (PII).
- Netspective Communications LLC may audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory, and contractual obligations.
- When vendor services terminate, contracts must require the return or destruction of all Netspective Communications LLC data. Information Services must immediately terminate all access to Citrus informatics information systems and, if applicable, to the facilities housing these systems.
Reporting Requirements
- If the security of sensitive data is breached, the vendor must immediately notify IS and work with IS on notification, recovery, and remediation.
- The contract's security reporting requirements must also mandate that the vendor report any suspected loss or compromise of sensitive data exchanged under the contract within 24 hours of the suspected loss or compromise.
- The vendor must notify all persons whose sensitive data may have been compromised as a result of the breach, as required by law.
- All contracts must require the vendor to produce regular reports that focus on four primary potential risk areas: Unauthorized Systems Access, Compromised Data, Loss of Data Integrity, and Inability to Transmit or Process Data. Any deviations from normal activity must be noted in the reports and reviewed, and appropriate responses must be determined.