Vendor Management Policy
Breakout Learning Inc
Purpose
The purpose of this policy is to establish requirements for ensuring third-party service providers/vendors meet Breakout Learning Inc's requirements for preserving and protecting Breakout Learning Inc's information.
Scope
This policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of Breakout Learning Inc’s technology and sensitive information, or who are within the scope of Breakout Learning Inc’s information security program. This also applies to employees and contractors managing and overseeing IT vendors and partners of Breakout Learning Inc.
Background
This policy prescribes the minimum standards vendors must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.
Roles and Responsibilities
Vendor Manager
- Vendor Onboarding: Initiates and oversees the onboarding process for new vendors, ensuring necessary due diligence is conducted.
- Contract Negotiation and Approval: Negotiates contracts with vendors and seeks approval from relevant stakeholders, ensuring that contracts align with organizational requirements and policies.
- Vendor Performance Monitoring: Monitors vendor performance and addresses any issues related to service levels, quality, or contractual obligations.
- Vendor Relationship Management: Maintains relationships with key vendors, conducts regular meetings, and ensures effective communication between Breakout Learning Inc and its vendors.
Policy
General Vendor Requirements
Breakout Learning Inc requires that all third-party vendors and service providers comply with security controls to ensure the integrity, security, and privacy of Breakout Learning Inc's data and operations. No vendor may access Breakout Learning Inc’s information assets until a contract containing the necessary security controls is signed.
- IT vendors are required to comply with Breakout Learning Inc’s security policies derived from its Information Security Program, including the Acceptable Use Policy.
- Vendor compliance may be audited to ensure adherence to relevant security, regulatory, and contractual obligations.
- Vendors must ensure secure disposal of any organizational records and data in line with legal and regulatory requirements.
Vendor Inventory
An inventory of all third-party service providers will be maintained, including:
- Risk level of the vendor
- Types of data shared with the third party
- Description of services provided
- Point of contact at the third party
- Access details granted to the vendor
- Security controls in place
- Security assessments or questionnaires for ongoing validation
Vendor risk levels will be assessed as follows:
- High: Vendor stores or accesses sensitive data and a failure would critically impact the business.
- Moderate: Vendor does not store or access sensitive data, but a failure would moderately impact the business.
- Low: Vendor has minimal or no access to sensitive data and a failure would have little to no impact.
Vendor Contracts
General Contract Requirements
Formal contracts that address relevant security and privacy requirements must be in place for all third-party vendors that process, store, or transmit confidential data or provide critical services. The contract must include:
- Responsibility for securing Breakout Learning Inc’s data.
- Regular review and validation of the third party’s security controls by an independent auditor.
- Defined information security policies relevant to the agreement.
- Requirements for incident management and security incident response.
- Data return or destruction procedures upon contract termination.
- Screening requirements and background checks for vendor personnel with access to sensitive data.
- Geographic limitations on where data can be stored or transmitted.
Cloud Service Providers (CSPs)
Contracts with cloud service providers must include:
- Mutually agreed information security requirements and the allocation of responsibility for customer data.
- Definition of roles and responsibilities between Breakout Learning Inc and the CSP, including access controls and segregation of data.
- Advance notification of any significant changes that could affect the cloud service or data, such as technical infrastructure changes or the involvement of additional subcontractors.
For public cloud service providers, data protection obligations must also be defined, including:
- Ensuring compliance with applicable PII protection and data security requirements.
- Establishing backup and recovery processes to ensure data availability and integrity.
Vendor Contracts - Telecommunications Services
Agreements with telecommunications service providers must include contingency plans for:
- Service continuity and contingency testing.
- Security for communications during disruptions.
- Regular contingency plan reviews to meet Breakout Learning Inc’s requirements.
Vendor Services Change Management
Changes to vendor services that could impact Breakout Learning Inc’s information security must be managed appropriately, including:
- Changes to supplier agreements or services.
- Enhancements to networks or adoption of new technologies.
- Development of new applications or updates to existing services.
- Subcontracting or changes in physical locations of services.
Revision History
| Version | Date | Editor | Approver | Description of Changes |
| --- | --- | --- | --- | --- |
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |