Purpose
The purpose of this policy is to establish guidelines for managing the risks associated with the use of suppliers’ products and services.
Scope
This policy applies to all employees, contractors, and third parties who are involved in the procurement and use of suppliers’ products and services.
Policy
- Risk Assessment: Before engaging with a supplier, a risk assessment must be conducted to identify potential risks associated with the supplier’s products or services. The risk assessment should consider factors such as the supplier’s security practices, compliance with relevant standards, and the sensitivity of the data that will be handled by the supplier.
- Supplier Agreements: All supplier agreements must include clauses that address information security requirements. This includes the right to audit the supplier’s security practices, requirements for data protection, and the responsibilities of each party in the event of a security incident.
- Monitoring and Review: The performance and security practices of suppliers should be regularly monitored and reviewed. Any changes in the supplier’s practices that could impact information security must be addressed promptly.
- Incident Management: Suppliers must report any security incidents that could impact the company’s information. The company must have a process in place to manage and respond to such incidents.
- Termination of Agreement: When a supplier agreement is terminated, the supplier must return or securely destroy all company information in its possession.
Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.