Third-Party/Vendor Security Policy
| Property | Value |
|---|---|
| Document ID | POL-010 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC9.2 / ISO 27001:2013: A.15.1, A.15.2 (ISO 27001:2022: A.5.19 to A.5.23) |
1. Purpose
This policy establishes requirements for assessing and managing security risks associated with third-party vendors, suppliers, and service providers. Effective third-party risk management protects the organization from security incidents originating from external partners.
2. Scope
This policy applies to:
- Vendors: All third parties with access to organizational data or systems
- Services: SaaS applications, cloud services, outsourced services, contractors
- Data Access: Any vendor handling, processing, or storing organizational data
- System Access: Any vendor with network or system connectivity
- Personnel: Procurement, Legal, IT, Security, and business unit owners
3. Policy Statements
3.1 Vendor Classification
Vendors are classified based on risk level determined by data access and criticality:
| Risk Tier | Criteria | Examples | Assessment Requirements |
|---|---|---|---|
| Critical | Access to RESTRICTED data, critical infrastructure, or high business dependency | Cloud infrastructure (AWS, GCP), payment processors, core SaaS | Full assessment + annual review |
| High | Access to CONFIDENTIAL data or significant system access | HR systems, CRM, development tools | Standard assessment + annual review |
| Medium | Access to INTERNAL data or limited system access | Marketing tools, collaboration software | Questionnaire + biennial review |
| Low | No data access, minimal risk | Office supplies, facilities | Basic due diligence |
3.2 Vendor Risk Assessment
3.2.1 Assessment Requirements by Tier
| Assessment Element | Critical | High | Medium | Low |
|---|---|---|---|---|
| Security questionnaire | Required | Required | Required | N/A |
| SOC 2 report review | Required | Required | If available | N/A |
| ISO 27001 certification | Required (or equivalent) | Preferred | If available | N/A |
| Penetration test results | Required | Preferred | N/A | N/A |
| Business continuity plan | Required | Required | N/A | N/A |
| Insurance verification | Required | Required | Preferred | N/A |
| On-site assessment | As needed | N/A | N/A | N/A |
3.2.2 Security Questionnaire Topics
The security questionnaire must cover:
- Information Security Policy and governance
- Access control and authentication
- Data encryption (at rest and in transit)
- Network security and segmentation
- Vulnerability management and patching
- Incident response capabilities
- Employee security training
- Physical security
- Business continuity and disaster recovery
- Subcontractor/fourth-party management
- Compliance certifications (SOC 2, ISO 27001, etc.)
- Data handling and retention practices
- Privacy and regulatory compliance
3.3 Contractual Requirements
All vendor contracts must include:
| Requirement | Description | Tier Applicability |
|---|---|---|
| Data Protection Clause | Requirements for data handling and protection | All tiers |
| Confidentiality/NDA | Non-disclosure obligations | All tiers |
| Security Requirements | Minimum security controls | Critical, High |
| Right to Audit | Right to assess vendor security | Critical, High |
| Breach Notification | Vendor must notify the organization of a confirmed or suspected security incident affecting its data or access within a contractually defined window (24-72 hours from discovery) | All tiers |
| Subcontractor Approval | Approval required for subcontractors | Critical, High |
| Data Processing Agreement | GDPR DPA where applicable | As required |
| Insurance Requirements | Cyber liability insurance minimums | Critical, High |
| Termination Rights | Right to terminate for security breach | All tiers |
| Data Return/Deletion | Data handling upon contract end | All tiers |
3.4 Ongoing Monitoring
| Activity | Critical | High | Medium | Frequency |
|---|---|---|---|---|
| SOC 2 report review | Yes | Yes | If available | Annually |
| Security questionnaire | Yes | Yes | Yes | Annually (Critical/High); biennially (Medium) |
| Performance review | Yes | Yes | Optional | Quarterly |
| Continuous monitoring (SecurityScorecard, etc.) | Yes | Yes | No | Continuous |
| Incident review | Yes | Yes | Yes | Per incident |
| Contract compliance | Yes | Yes | Yes | Annually |
3.5 Vendor Access Controls
| Requirement | Standard |
|---|---|
| Unique Accounts | Individual accounts for vendor personnel (no shared) |
| Least Privilege | Minimum necessary access only |
| MFA Required | Multi-factor authentication mandatory |
| Time-Limited Access | Access expires with contract/engagement |
| Access Logging | All vendor access logged and monitored |
| Separate Network | Network segmentation where applicable |
| Access Reviews | Quarterly review of vendor access |
3.6 Vendor Inventory
Maintain a vendor inventory including:
| Field | Description |
|---|---|
| Vendor Name | Legal entity name |
| Risk Tier | Critical, High, Medium, Low |
| Services Provided | Description of services |
| Data Access | What data the vendor can access |
| System Access | What systems the vendor can access |
| Contract Owner | Internal owner of relationship |
| Contract Expiration | End date |
| Last Assessment Date | Date of most recent security review |
| Next Assessment Date | Scheduled next review |
| Compliance Status | Current compliance status |
| Key Contacts | Vendor security/account contacts |
3.7 Vendor Lifecycle Management
┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│ Selection & │───▶│  Security   │───▶│  Contract   │───▶│   Ongoing   │───▶│ Termination │
│     RFP     │    │ Assessment  │    │ Negotiation │    │ Monitoring  │    │             │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
       │                  │                  │                  │                  │
       ▼                  ▼                  ▼                  ▼                  ▼
  Security           Risk tier          Security           Periodic           Access
  requirements       determined         clauses            assessments        revocation
  in RFP                                included                              & data return
Termination/Offboarding
Upon vendor termination:
- Revoke all system access immediately
- Disable vendor accounts
- Recover any organizational assets
- Ensure data return or certified destruction
- Obtain written confirmation of data deletion
- Update vendor inventory
- Archive contract documentation
3.8 Subcontractor (Fourth-Party) Management
| Requirement | Standard |
|---|---|
| Approval | Subcontractors processing data must be approved |
| Flow-Down | Security requirements must flow to subcontractors |
| Notification | Advance notice of subcontractor changes |
| Right to Object | Right to object to new subcontractors |
| Inventory | Maintain list of critical subcontractors |
4. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| CISO / Security Lead | Define vendor security requirements, approve Critical vendors |
| Procurement | Manage vendor selection process, ensure contract compliance |
| Legal | Review and negotiate contracts, ensure required clauses |
| Security Team | Conduct security assessments, review SOC reports |
| Business Owners | Own vendor relationship, define requirements |
| IT Operations | Manage vendor access, monitor vendor activity |
5. Implementation Checklist
Technical Controls
- Vendor access uses unique accounts with MFA
- Vendor access logging enabled
- Network segmentation for vendor access
- Vendor access review process automated
- Continuous monitoring tool deployed for Critical and High vendors
Process Controls
- Vendor inventory maintained
- Security questionnaire developed
- Assessment process documented
- Contract templates include security clauses
- Vendor onboarding procedure documented
- Vendor offboarding procedure documented
- Annual assessment schedule established
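The access-review and assessment-schedule items above are the parts of this policy that can be checked mechanically. The following script is an added example, not part of the policy or of any vendor's tooling: it cross-checks a vendor inventory carrying the section 3.6 fields against a list of vendor accounts and flags the conditions sections 3.1, 3.4 and 3.5 prohibit (overdue assessment for the tier, active access after contract expiry, missing MFA, shared accounts, accounts for vendors not in the inventory). The record layouts and field names are assumptions, and all records are constructed sample data, not a real IAM or GRC export.

```python
"""Vendor access and assessment review checker (added example, not policy text).

Cross-checks a vendor inventory against vendor accounts and reports each
condition the policy prohibits. Field names are assumptions; all sample data
below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assessment cadence per tier (sections 3.1 / 3.4): annual for Critical and
# High, biennial for Medium; Low needs only basic due diligence at onboarding.
ASSESSMENT_CADENCE_DAYS = {"Critical": 365, "High": 365, "Medium": 730, "Low": None}


@dataclass(frozen=True)
class Vendor:
    name: str
    risk_tier: str
    contract_expiration: date
    last_assessment: date | None


@dataclass(frozen=True)
class VendorAccount:
    username: str
    vendor: str          # inventory name of the vendor this account belongs to
    mfa_enrolled: bool
    shared: bool         # True if more than one person uses the account
    enabled: bool


def assessment_overdue(vendor: Vendor, today: date) -> bool:
    """True if the vendor's last assessment is older than its tier cadence allows."""
    cadence = ASSESSMENT_CADENCE_DAYS[vendor.risk_tier]
    if cadence is None:
        return False                      # Low tier: no periodic reassessment
    if vendor.last_assessment is None:
        return True                       # never assessed
    return today - vendor.last_assessment > timedelta(days=cadence)


def review(vendors: list[Vendor], accounts: list[VendorAccount], today: date) -> list[str]:
    """Return one finding per policy violation, sorted for stable output."""
    by_name = {v.name: v for v in vendors}
    findings: list[str] = []
    for v in vendors:
        if assessment_overdue(v, today):
            findings.append(f"{v.name}: {v.risk_tier} vendor assessment overdue")
    for a in accounts:
        if not a.enabled:
            continue                      # already revoked; nothing to flag
        v = by_name.get(a.vendor)
        if v is None:
            findings.append(f"{a.username}: active account for vendor not in inventory ({a.vendor})")
            continue
        if v.contract_expiration < today:
            findings.append(f"{a.username}: access active after contract expired {v.contract_expiration}")
        if not a.mfa_enrolled:
            findings.append(f"{a.username}: MFA not enrolled")
        if a.shared:
            findings.append(f"{a.username}: shared account (unique accounts required)")
    return sorted(findings)


# Constructed sample inventory and account export (hypothetical vendors).
VENDORS = [
    Vendor("CloudCo", "Critical", date(2026, 12, 31), date(2025, 3, 1)),   # assessment older than 365 days
    Vendor("HRSaaS", "High", date(2025, 6, 30), date(2025, 9, 15)),       # contract already expired
    Vendor("MktgTool", "Medium", date(2026, 8, 1), date(2024, 11, 20)),   # within the 730-day cadence
    Vendor("Janitorial", "Low", date(2026, 1, 1), None),                 # Low tier, no reassessment
]
ACCOUNTS = [
    VendorAccount("cloudco-jsmith", "CloudCo", True, False, True),      # compliant
    VendorAccount("hrsaas-support", "HRSaaS", True, True, True),        # shared and contract expired
    VendorAccount("mktg-svc", "MktgTool", False, False, True),          # no MFA
    VendorAccount("oldvendor-admin", "LegacyCorp", True, False, True),  # vendor missing from inventory
    VendorAccount("janitor-badge", "Janitorial", False, False, False),  # disabled, skipped
]
REVIEW_DATE = date(2026, 4, 1)

if __name__ == "__main__":
    for line in review(VENDORS, ACCOUNTS, REVIEW_DATE):
        print(line)
```

Run quarterly against the real inventory and IAM export, the findings list is the evidence of the access review required by section 3.5; an empty list on a date after every contract expiry proves off-boarding (section 3.7) actually revoked access.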
6. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| Vendor Inventory | Complete list of vendors with classifications | GRC/risk platform | Current |
| Security Assessments | Completed questionnaires and reports | Document repository | 3 years |
| SOC 2 Reports | Vendor SOC 2 reports and bridge letters covering the gap between the report period end and the current date | Secure storage | Current + 1 year |
| Contracts | Signed contracts with security clauses | Contract management | Duration + 7 years |
| Access Records | Evidence of vendor access provisioning | IAM system | 3 years |
| Assessment Schedule | Planned and completed assessments | GRC platform | Current |
7. Related Documents
- Access Control Policy (POL-002)
- Data Classification & Handling Policy (POL-005)
- Access Provisioning/De-provisioning Procedure (PROC-001)
8. Approved Security Certifications
The following certifications and attestations are accepted as evidence of a vendor's control environment. A report or certificate is accepted only after review of its scope (the systems, locations and, for SOC 2, the Trust Services Criteria covered), its audit period or validity date, any noted exceptions, and any complementary user entity controls the organization is expected to operate.
| Certification | Acceptance |
|---|---|
| SOC 2 Type II | Accepted (preferred); covers both control design and operating effectiveness over the audit period |
| SOC 2 Type I | Accepted with a roadmap to Type II; attests control design at a point in time only |
| ISO 27001 | Accepted; verify the certificate is current and its scope covers the services provided |
| SOC 1 | Accepted for controls relevant to financial reporting only; not a security attestation |
| PCI DSS | Accepted for payment processing; obtain the current Attestation of Compliance (AOC) |
| HIPAA | Accepted for health data as a compliance attestation; there is no formal HIPAA certification |
| FedRAMP | Accepted; confirm the authorization covers the service offering in use |
9. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
10. Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | _________________ | _________________ | ________ |
| Legal | _________________ | _________________ | ________ |
| Procurement | _________________ | _________________ | ________ |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.