The objective of this document is to ensure information security in supplier relationships and to safeguard the organization’s assets that are accessible to suppliers, with an agreed level of service delivery and information security.
Information Security Policy applies to all the suppliers of the
(CTO), along with the Information Security Manager (ISM), is responsible for executing and implementing the physical and logical access control procedures described in this document.
4.1. Clearly defined supplier segmentation and criteria for evaluation based on Client needs.
4.1.1 What are the supplier segmentation and criteria?
4.2. Clear processes for management of supplier relationships from evaluation, onboarding to management and exit
4.2.1 What are the processes for management of suppliers?
4.3. Clear guidelines should be set up for suppliers that need to access information assets (e.g. software code development, accounting and payroll information, etc.)
4.4. Supplier access controls to be set up with clearly defined roles and responsibilities
4.4.1 What are the supplier access controls?
4.5. Clear traceability of system controls and audit tracking
4.6. Ensure supplier staff are aware of the Client’s internal controls and information system policies, and are sufficiently trained and onboarded prior to the commencement of work.
4.7. All relevant information security measures should be in place with each supplier that has access to the Client’s information assets
4.8. Keep track of supplier requirements and provide these for annual audit tracking. For example, the requirement for suppliers to be ISO 27001 compliant.
4.8.1 What are the supplier requirements?
4.9. Clearly defined security requirements and access controls for supplier personnel, granted on a needs-only basis
5.1. Access to Client’s information is only provided after sufficient checks have been performed.
5.2. The Client should define the standard operating procedure and checks for this process.
5.2.1 Is the SOP adhered to for each supplier?
5.2.1. Justification for supplier relationship
5.2.2. Management approval
5.2.3. Evaluation criteria and minimum information security standards are met
5.3. All security controls are implemented
5.4. A risk assessment is conducted to confirm that all controls are in place
5.4.1. Is a risk assessment conducted for each supplier?
5.5. Random checks of supplier access may be conducted
5.6. Client shall maintain overall control and visibility into all security aspects of sensitive information shared with the supplier and all security activities through a defined process.
5.7. Any changes to the supplier relationship should be documented and managed based on the criticality of the Client’s systems and related processes.
6.1. Exceptions shall not be universal but shall be agreed upon on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
6.2. All exception requests shall be submitted by email to (CTO) and shall be approved by (CTO).
7.1. reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB drives, pen drives, memory cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs, and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with the ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
7.2. For any clarifications related to this Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@.com
8.1. This policy and procedure applies to all employees of the company who have access to and use the information assets and IT assets listed in the Information Asset Register which has been created for
8.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is only a process non-compliance issue that requires addressing, or also includes ethical violations. In the event of only the former, a non-compliance could be issued by an internal auditor, which would require corrective/preventive actions.
8.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
8.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.