A.15 Resolver Supplier Security Policy

1. Purpose, scope, and users

The purpose of this document is to define the rules for relationships with suppliers, subcontractors, and partners to comply with the following statements:

  • Establish professional collaboration partnerships that create long-term value for both parties, based on trust and mutual interest;
  • Ensure that individual partners and external providers comply with Resolver security requirements.

This document applies to all suppliers and partners who can influence the confidentiality, integrity, and availability of Resolver’s sensitive information including but not limited to personal data (PII and PHI) and/or financial information.

Users of this document are top management and persons responsible for suppliers and partners in Resolver.

All Suppliers are expected to meet a minimum set of security controls when being considered suitable to provide services to Resolver.

2. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.7.1.1, A.7.1.2, A.7.2.2, A.8.1.4, A.14.2.7, A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
  • EU GDPR Article 32

3. Supplier classification

3.1. Tier One

  • High-risk suppliers that can have a critical impact on the quality, integrity, confidentiality, or availability of Resolver’s business.
  • Suppliers storing or processing Internal, Confidential, or Customer Confidential information as described in Resolver Corporate Data Handling Policy.

3.2. Tier Two

  • Moderate risk suppliers that can have an indirect impact on Resolver’s business.
  • Suppliers storing or processing Public information as described in the Resolver Corporate Data Handling Policy.

3.3. Tier Three

  • Suppliers that do not directly store, process, or have access to Resolver information.

4. Procedure and/or guidance

All suppliers will be assessed prior to engaging their services and thereafter on an annual basis.

The assessment process uses the following stages of evaluation:

  • Supplier ownership identification
  • Supplier classification
  • Supplier assessment
  • Observations for improvement
  • Subsequent monitoring and review

4.1. Supplier Ownership Identification

Every supplier must have an owner identified. If that supplier is used by multiple departments, one person in one role must be identified as the owner of the supplier and will be the primary contact for the supplier assessment.

4.2. Supplier Classification

The supplier owner must provide a supplier classification (Tier 1, Tier 2, or Tier 3) by answering a series of questions about the supplier.

4.3. Supplier Assessment

The following security evidence is required from a supplier, based on its classification and on the type of information Resolver will process and store on its platform:

Classification and required evidence

Tier 1 (any one of the following):
  • SOC 2 report (attachment)
  • SOC 1 report (attachment)
  • ISO 27001 (attachment or link)
  • ISO 27017 (attachment or link)
  • ISO 27018 (attachment or link)
  • PCI DSS (attachment)
  • Security Assurance Plan
  • BCP for Pandemic
  • HIPAA HITECH
  • Privacy Policy
  • Service Level Agreement
  • Terms of Service

Tier 2 (any one of the following):
  • SOC 2 report (attachment)
  • SOC 3 (attachment or link)
  • ISO 27001 (attachment or link)
  • ISO 27017 (attachment or link)
  • ISO 27018 (attachment or link)
  • Privacy Policy (attachment or link)
  • Information Security Policy (attachment or link)
  • BCP for Pandemic
  • Service Level Agreement
  • Terms of Service
  • Information Security self-assessment

Tier 3:
  • No evidence required

Once the evidence is obtained from the supplier, a review will take place under the direction of the CISO. The review will assess and assign the level of risk to Resolver, based on the adequacy of the supplier’s information security controls.

4.4. Observations for Supplier Improvement

If deficiencies are identified within the supplier’s security arrangements, a list of proposed improvements is to be generated. The list should address unacceptable risks to Resolver by proposing additional mitigating controls and should document agreed target dates for completion.

In the event the supplier cannot remedy deficiencies within an agreed timeline, the CISO will review and provide a final determination on the suitability of the supplier.

4.5. Subsequent Monitoring and Review

Suppliers will be reviewed at least once a year or in the event of major changes to either Resolver or the supplier’s business model. The review will ensure the supplier has an owner, the classification is correct, and a new assessment will be performed with observations for improvement.

5. Relationships with suppliers and partners

5.1. Identifying the risks

Security risks related to suppliers and partners are identified during the risk assessment process.

The CISO and/or Information Security Analyst decides whether it is necessary to additionally assess risks related to individual suppliers or partners.

5.2. Screening

The CISO and/or Information Security Analyst decides whether it is necessary to perform background verification checks for individual suppliers and partners and, if so, which methods must be used.

In cases where personal data is being processed, the Owner is responsible for having potential or existing suppliers fill out the GDPR Compliance Questionnaire for Processors. Information gathered through these questionnaires will be used to decide whether to start working with a potential supplier and which improvements need to be made by existing suppliers.

5.3. Contracts

For Tier 1 suppliers, the General Counsel is responsible for evaluating and signing an agreement, SLA, and/or MSA.

For other suppliers, the CISO and/or Information Security Analyst, in collaboration with the owner and General Counsel, are responsible for deciding which security clauses will be included in the contract with the supplier or partner. Such decisions must be based on the results of the risk assessment and treatment; however, the clauses that stipulate confidentiality and return of assets after termination of the agreement are mandatory.

Further, the contracts must ensure the reliable delivery of the products and services, which is particularly important with cloud service providers.

5.4. Monitoring and review

The owner must regularly check and monitor the level of service and fulfillment of clauses by suppliers.

All security incidents related to the partner’s/supplier’s work must be forwarded immediately to the CISO and/or Information Security Analyst.

5.5. Removal of access rights/return of assets

When the contract is changed or terminated, the access rights for employees of partners/suppliers must be removed according to the Access Control Policy.

Further, when the contract is changed or terminated, the contract owner must make sure all the equipment, software, or information in electronic or paper form is returned.

6. Records and documentation

All documentation produced during the supplier assessment process should be preserved as evidence that the process has been completed.

7. Non-compliance with the Supplier Security Policy

Non-compliance with this policy must be reported to the CISO, CFO, or Information Security Analyst. The CISO or VP Finance must approve, track, and report all exceptions to this policy in accordance with a formal documented process.

The process should include a method for escalating significant exceptions that may breach a documented level of business risk tolerance, to appropriate boards and committees in accordance with established governance procedures for review and mitigation or formal risk acceptance.

8. Validity and document management

This document is valid as of July 2020.

The owner of this document is the Information Security Analyst, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number and significance of incidents arising from suppliers’ and partners’ activities.
  • The number of contracts where the contract owner is not defined.

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.