Vendor Access Policy
Updated annually.
Overview
Setting appropriate limits and controls on what can be seen, copied, modified, and controlled by vendors reduces the risk of exposure, breach, liability, or loss of trust.
Purpose
This policy establishes vendor access procedures that address information resources and support services, vendor responsibilities, and protection of company information.
Scope
This policy applies to all company staff who interact with, utilize, or manage vendors and contractors who use our information resources.
Policy
A. General
Vendors and contractors shall comply with all applicable company policies, procedures, and agreements.
B. Data Protection Officer Responsibilities
The DPO shall implement and maintain a list of vendors with access to company information resources. This list, as well as vendor agreements and contracts, shall specify:
- Resources that the vendor accesses
- Security measures the vendor will take to protect company data
- Acceptable methods for the return, destruction, or disposal of company information under vendor control at the end of the contract
- Vendor assurance that information collected and stored during the term of the contract shall only be used for the purposes of the business/contract agreement
- Information acquired by the vendor during the course of contract execution cannot be used for any purposes other than those specified in the contract and shall not be divulged to others
C. Vendor Responsibilities
We shall provide a point of contact for the vendor as part of its normal operating procedure. The point of contact will work with the vendor to make certain they are in compliance with company policies. Vendors shall comply with the following procedures as part of their working relationship with us:
Security Clearances – Vendors and contractors with access to Confidential Information or Personally Identifiable Information (PII) must be cleared to handle that information.
Incident Reporting – Vendors and contractors shall report all security incidents directly to the Data Protection Officer or designee.
Change Management – Vendor and contractor personnel must follow all applicable company change control processes and procedures.
Remote Access – Remote vendor and contractor access must be uniquely identifiable, and password management must comply with company password standards.
Contractor Termination – Upon the departure of a contractor working with company information assets for any reason, the vendor shall ensure that all sensitive and confidential information is collected and returned or destroyed within a commercially reasonable timeframe.
Keycard and Security Access – Upon termination of contract or at the request of the company, the vendor or contractor shall surrender all identification badges, access cards, equipment, and supplies immediately.
Auditing and Compliance – Vendors and contractors are required to comply with all company auditing requirements.
Disclosure of Sub-Contractors – Third-party agreements that directly or indirectly impact company information resources are required to include explicit coverage of all relevant security requirements.
Enforcement
Staff members found in policy violation may be subject to disciplinary action, up to and including termination.