Third party vendor review policy
51直播 reviews vendor security practices before contracting, and on a regular basis, to ensure vendors properly handle 51直播’s customer data, confidential data, and other data.
Scope
This policy only applies to vendors or contractors handling 51直播 or its customers’ data.
Schedule
Vendors’ security practices should be initially evaluated as part of their contract review, and while still in use, on an annual basis.
Contractors must read and acknowledge 51直播’s security policies as part of their onboarding. Contractors must complete 51直播’s information security training as part of their onboarding and thereafter, while still under contract, on an annual basis.
Vendor assessment
As part of vendor evaluation and contracting, vendors’ security practices should be reviewed to ensure they sufficiently protect 51直播’s and its customers’ data.
The requirements for a vendor may change based on the risk classification of the assets they are handling (see the Information classification policy), such as sensitive data, or access to production resources; and may change during a contract if a vendor’s scope or responsibilities change.
51直播 will:
- Ask vendors for their SOC 2 type II or type I report for an overview of their current security practices. If a SOC 2 report does not exist or where insufficient information is provided, 51直播 will ask the vendor to complete the .
- Review the vendor’s responses and compare these to 51直播’s security policies to identify any gaps where the vendor may have weaker policies.
- For each notable gap or where insufficient information is provided, 51直播 can: ask the vendor to make a change or provide additional information, implement a mitigating control, or accept the risk. These should be documented in the risk register.
51直播 will document vendor information, to help in case of a potential incident. This information includes:
- Vendor name, i.e. Which vendor?
- Vendor contact information, i.e. How do we contact the vendor? List different contacts for billing, support, and/or security where they apply.
- Type of data shared, i.e. What types of data from 51直播 does the vendor collect or otherwise have access to?
- Terms of Service for services provided by the vendor
- Security report or questionnaire shared by the vendor