The purpose of this document is to define the rules for relationships with suppliers, subcontractors, and partners to comply with the following statements:
This document applies to all suppliers and partners who can influence the confidentiality, integrity, and availability of Resolver’s sensitive information, including but not limited to personal data (PII and PHI) and/or financial information.
Users of this document are top management and persons responsible for suppliers and partners in Resolver.
All Suppliers are expected to meet a minimum set of security controls when being considered suitable to provide services to Resolver.
All vendors and contractors must be screened against Canadian and US sanctions lists, i.e. lists of individuals and entities subject to specific sanctions regulations made under various statutes and acts.
The following sanction lists must be used to verify potential vendors, companies, and contractors.
All Tier One suppliers will be assessed prior to engaging their services and thereafter on an annual basis.
The assessment process uses the following stages of evaluation:
Every supplier must have an owner identified. If multiple departments use that supplier, one person from one department in one role must be identified as the owner of the supplier and will be the primary contact for the supplier assessment.
The supplier owner must provide a supplier classification (Tier 1, Tier 2, or Tier 3) by answering a series of questions about the supplier.
The following security evidence is required for a supplier, based on its classification and on the type of information we are going to process and store on its platform.

| Classification | Evidence |
| --- | --- |
| Tier 1 | Any one of: SOC 2 report (attachment); SOC 1 report (attachment); ISO 27001 (attachment or link); ISO 27017 (attachment or link); ISO 2718 (attachment or link); PCI DSS (attachment); Security Assurance Plan; BCP for Pandemic; HIPAA HITECH; Privacy Policy; Service Level Agreement; Terms of Service; Cyber Essentials; Cyber Essentials Plus |
| Tier 2 | Any one of: SOC 2 report (attachment); SOC 3 (attachment or link); ISO 27001 (attachment or link); ISO 27017 (attachment or link); ISO 2718 (attachment or link); Privacy Policy (attachment or link); Information Security Policy (attachment or link); BCP for Pandemic; Service Level Agreement; Terms of Service; Information Security self-assessment; Cyber Essentials; Cyber Essentials Plus |
| Tier 3 | No evidence required |
Once the supplier obtains the evidence, a review will occur under the CISO’s direction. The review will assess and assign the level of risk to Resolver, based on the adequacy of the supplier’s information security and data privacy controls.
If deficiencies are identified within the supplier’s security arrangements, a list of proposed improvements is to be generated. The list should address unacceptable risks to Resolver in proposing additional mitigating controls and should document agreed target dates for completion.
If the supplier cannot remediate the deficiencies within an agreed timeline, the CISO will review and determine the supplier’s suitability.
Suppliers will be reviewed at least once a year or in the event of major changes to either Resolver or the supplier’s business model. The review will ensure the supplier has an owner, the classification is correct, and a new assessment will be performed with observations for improvement.
Security risks related to suppliers and partners are identified during the risk assessment process.
The CISO and/or the Information Security Analyst decides whether it is necessary to additionally assess risks related to individual suppliers or partners.
The CISO and/or the Information Security Analyst decides whether it is necessary to perform background verification checks for individual suppliers and partners and, if so, which methods must be used.
In cases where personal data is being processed, the Owner is responsible for having potential or existing suppliers fill out the GDPR Compliance Questionnaire for Processors. Information gathered through these questionnaires will be used to decide whether to start working with a potential supplier and which improvements need to be made by existing suppliers.
For Tier 1 suppliers, the General Counsel is responsible for evaluating and signing an agreement, SLA, and/or MSA.
For other suppliers, the CISO, DPO, and/or Information Security Analysts, in collaboration with the owner and General Counsel, are responsible for deciding which security clauses will be included in the contract with the supplier or partner. Such decisions must be based on the results of the risk assessment and treatment; however, the clauses stipulating confidentiality and the return of assets after the termination of the agreement are mandatory.
Further, the contracts must ensure the reliable delivery of the products and services, which is particularly important with cloud service providers.
The owner must regularly check and monitor suppliers’ level of service and fulfillment of clauses.
All security incidents related to the partner's/supplier's work must be forwarded immediately to the CISO and DPO and/or an Information Security Analyst.
When the contract is changed or terminated, the access rights for employees of partners/suppliers must be removed according to the Access Control Policy.
Further, when the contract is changed or terminated, the contract owner must ensure all the equipment, software, or information in electronic or paper form is returned.
All documentation produced during the supplier assessment process should be preserved as evidence that the process has been completed.
Non-compliance with this policy must be reported to the CISO, DPO, CFO, or Information Security Analyst. The CISO, DPO, or VP of Finance must approve, track, and report all exceptions to this policy in accordance with a formal documented process.
The process should include a method for escalating significant exceptions that may breach a documented level of business risk tolerance to appropriate boards and committees in accordance with established governance procedures for review and mitigation or formal risk acceptance.
This document is valid as of August 2023.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: August 2023
REVIEW CYCLE: Annual at least and as needed