Vendor Access Policy

Last Updated: 07/24/2018

Overview

Setting appropriate limits and controls on what can be seen, copied, modified, and controlled by vendors reduces the risk of exposure, breach, liability, and loss of trust.

Purpose

This policy establishes vendor access procedures that address information resources and support services, vendor responsibilities, and protection of confidential information.

Scope

This policy applies to all of our staff who interact, utilize, or manage vendors and contractors who use our information resources.

Policy

A. General
Vendors and contractors shall comply with all applicable policies, procedures, and agreements of Skycore.

B. Data Protection Officer Rwsponsibilities
The DPO shall implement and maintain a list of vendors with access to our information resources. This list, as well as vendor agreements and contracts, shall specify:

  • Resources that the vendor accesses
  • Security measures vendor will take to protect confidential data
  • Acceptable methods for the return, destruction, or disposal of customer information under vendor control at the end of the contract
  •  Vendor assurance that information collected and stored during the term of the contract shall only be used for the purposes of the business/contract agreement
  •  Information acquired by the vendor during the course of contract execution cannot be used for any other purposes other than those specified in the contract and shall not be divulged to others

C. Vendor Responsibilities 

We shall provide a point of contact for the vendor as part of its normal operating procedure. The point of contact will work with the vendor to make certain they are in compliance with our policies. Vendors shall comply with the following procedures as part of their working relationship with us:

Security Clearances​ – Vendors and contractors with access to Confidential Information or Personally Identifiable Information (PII) must be cleared to handle that information.

Incident Reporting​ – Vendors and contractors shall report all security incidents directly to the Data Protection Officer or designee.

Change Management​ – Vendors and contractors personnel must follow all applicable Skycore change control processes and procedures.

Remote Access​ – Remote vendor and contractor access must be uniquely identifiable and password management must comply with our password policy and standards.

Contractor Termination​ – Upon departure of a contractor working with Skycore information assets for any reason, the vendor shall ensure that all sensitive and confidential information is collected and returned or destroyed within a commercially reasonable timeframe.

Keycard and Security Access​ – Upon termination of contract or at the request of Skycore, the vendor or contractor shall surrender all identification badges, access cards, equipment and supplies immediately.

Auditing and Compliance​ – Vendors and contractors are required to comply with all Skycore auditing requirements.

Disclosure of Sub-Contractors​ – Third party agreements that directly, or indirectly, impact our information resources are required to include explicit coverage of all relevant security requirements.

Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.