Supplier Security Policy

1. Purpose, scope, and users

The purpose of this document is to define the rules for relationships with suppliers, subcontractors, and partners in order to meet the following objectives:

  • Establish professional collaboration partnerships that create long-term value for both parties based on trust and mutual interest;
  • Ensure that individual partners and external providers comply with Resolver security requirements.

This document applies to all suppliers and partners who can influence the confidentiality, integrity, and availability of Resolver’s sensitive information, including but not limited to personal data (PII and PHI) and/or financial information.

Users of this document are top management and persons responsible for suppliers and partners in Resolver.

All Suppliers are expected to meet a minimum set of security controls when being considered suitable to provide services to Resolver.

2. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.7.1.1, A.7.1.2, A.7.2.2, A.8.1.4, A.14.2.7, A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
  • ISO/IEC 27701:2019 standard clause 6.12
  • EU GDPR Article 32

3. Supplier classification

3.1. Tier One

  • High risk: Suppliers can critically impact the quality, integrity, confidentiality, or availability of Resolver’s business.
  • High risk: Suppliers may significantly impact Resolver’s business reputational risk.
  • Suppliers storing or processing Internal, Confidential, or Customer Confidential information as described in Resolver Corporate Data Handling Policy.

3.2. Tier Two

  • Moderate risk: Suppliers that can indirectly impact Resolver’s business.
  • Moderate risk: Suppliers may impact Resolver’s business reputational risk.
  • Suppliers not storing or processing Customer Confidential information as described in the Resolver Corporate Data Handling Policy.

3.3. Tier Three

  • Low to no risk: suppliers with minimal or no impact on Resolver’s business and reputation.
  • Suppliers that do not store, process, or have access to Internal, Confidential, or Customer Confidential information.

4. Vendor Sanction Screening

All vendors and contractors must be screened against the Canadian and US sanctions lists, i.e. lists of individuals and entities subject to specific sanctions regulations made under various legislation and acts.

The following sanction lists must be used to verify potential vendors, companies, and contractors.

5. Procedure and/or guidance

All Tier One suppliers will be assessed prior to engaging their services and thereafter on an annual basis.

The assessment process uses the following stages of evaluation:

  • Supplier ownership identification
  • Supplier classification
  • Supplier assessment
  • Observations for improvement
  • Subsequent monitoring and review

5.1. Supplier Ownership Identification

Every supplier must have an owner identified. If multiple departments use that supplier, one person from one department in one role must be identified as the owner of the supplier and will be the primary contact for the supplier assessment.

5.2. Supplier Classification

The supplier owner must provide a supplier classification (Tier 1, Tier 2, or Tier 3) by answering a series of questions about the supplier.

5.3. Supplier Assessment

The following security evidence is required from a supplier, based on its classification and on the type of information Resolver will process and store on its platform.

Classification and required evidence (any one of the listed items satisfies the requirement):

Tier 1:
  • SOC 2 report (attachment)
  • SOC 1 report (attachment)
  • ISO 27001 (attachment or link)
  • ISO 27017 (attachment or link)
  • ISO 2718 (attachment or link)
  • PCI DSS (attachment)
  • Security Assurance Plan
  • BCP for Pandemic
  • HIPAA HITECH
  • Privacy Policy
  • Service Level Agreement
  • Terms of Service
  • Cyber Essentials
  • Cyber Essentials Plus

Tier 2:
  • SOC 2 report (attachment)
  • SOC 3 (attachment or link)
  • ISO 27001 (attachment or link)
  • ISO 27017 (attachment or link)
  • ISO 2718 (attachment or link)
  • Privacy Policy (attachment or link)
  • Information Security Policy (attachment or link)
  • BCP for Pandemic
  • Service Level Agreement
  • Terms of Service
  • Information Security self-assessment
  • Cyber Essentials
  • Cyber Essentials Plus

Tier 3:
  • No evidence required


Once the evidence has been obtained from the supplier, a review will take place under the CISO’s direction. The review will assess and assign the level of risk to Resolver, based on the adequacy of the supplier’s information security and data privacy controls.

5.4. Observations for Supplier Improvement

If deficiencies are identified in the supplier’s security arrangements, a list of proposed improvements is to be generated. The list should address unacceptable risks to Resolver by proposing additional mitigating controls and should document agreed target dates for completion.

If the supplier cannot remediate the deficiencies within an agreed timeline, the CISO will review and determine the supplier’s suitability.

5.5. Subsequent Monitoring and Review

Suppliers will be reviewed at least once a year or in the event of major changes to either Resolver or the supplier’s business model. The review will ensure the supplier has an owner, the classification is correct, and a new assessment will be performed with observations for improvement.

6. Relationships with suppliers and partners

6.1. Identifying the risks

Security risks related to suppliers and partners are identified during the risk assessment process.

The CISO and/or Information Security Analyst decides whether it is necessary to additionally assess risks related to individual suppliers or partners.

6.2. Screening

The CISO and/or Information Security Analyst decides whether it is necessary to perform background verification checks for individual suppliers and partners and, if so, which methods must be used.

In cases where personal data is being processed, the Owner is responsible for having potential or existing suppliers fill out the GDPR Compliance Questionnaire for Processors. Information gathered through these questionnaires will be used to decide whether to start working with a potential supplier and which improvements need to be made by existing suppliers.

6.3. Contracts

For Tier 1 suppliers, the General Counsel is responsible for evaluating and signing an agreement, SLA, and/or MSA.

For other suppliers, the CISO, DPO, and/or Information Security Analysts, in collaboration with the owner and General Counsel, are responsible for deciding which security clauses will be included in the contract with the supplier or partner. Such decisions must be based on the results of the risk assessment and treatment; however, the clauses stipulating confidentiality and the return of assets after the termination of the agreement are mandatory.

Further, the contracts must ensure the reliable delivery of the products and services, which is particularly important with cloud service providers.

6.4. Monitoring and review

The owner must regularly check and monitor suppliers’ level of service and fulfillment of clauses.

All security incidents related to the partner’s/supplier’s work must be forwarded immediately to the CISO and DPO and/or an Information Security Analyst.

6.5. Removal of access rights/return of assets

When the contract is changed or terminated, the access rights for employees of partners/suppliers must be removed according to the Access Control Policy.

Further, when the contract is changed or terminated, the contract owner must ensure that all equipment, software, and information, whether in electronic or paper form, is returned.

7. Records and documentation

All documentation produced during the supplier assessment process should be preserved as evidence that the process has been completed.

8. Non-compliance with the Supplier Security Policy

Non-compliance with this policy must be reported to the CISO, DPO, CFO, or Information Security Analyst. The CISO, DPO, or VP of Finance must approve, track, and report all exceptions to this policy in accordance with a formal documented process.

The process should include a method for escalating significant exceptions that may breach a documented level of business risk tolerance to appropriate boards and committees in accordance with established governance procedures for review and mitigation or formal risk acceptance.

9. Validity and document management

This document is valid as of August 2023.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number and significance of incidents arising from suppliers’ and partners’ activities.
  • The number of contracts where the contract owner is not defined.

EFFECTIVE ON: August 2023

REVIEW CYCLE: Annual at least and as needed