Supplier and Partner Security Policy

Contents

1.      Purpose, scope and users                                                                                                                         3

2.      Identifying the risks                                                                                                                                 3

3.      Screening                                                                                                                                                  3

4.      Contracts                                                                                                                                                 3

5.      Training and awareness                                                                                                                          3

6.      Monitoring and review                                                                                                                           4

7.      Change or Termination                                                                                                                           4

8.      Document management                                                                                                                           4

9.      Change history                                                                                                                                         4

1.    Purpose, scope and users

The purpose of this document is to define the rules for relationship with suppliers and partners.

This document is applied to all suppliers and partners who have the ability to influence confidentiality, integrity and availability of Accelliers sensitive information.

Users of this document are top management and persons responsible for suppliers and partners in Accellier.

2.    Identifying the risks

Security risks related to suppliers and partners are assessed prior to engaging the supplier. During the risk assessment, special care must be taken to identify risks related to information and communication technology, as well as risks related to product supply chain.

3.    Screening

The contract owner decides how supplier security should be assessed and which methods should be used. Suppliers who will have access to Accellier data should be considered higher risk.

4.    Contracts

The contract owner (i.e. person authorising purchase) is responsible for deciding which security clauses will be included in the contract with the supplier or partner, if terms are negotiable, or whether to accept supplier terms as satisfactory.

Clauses which stipulate confidentiality are mandatory. As is return of assets on termination, where applicable.

Further, the contract must be reviewed to ensure that it details how reliable delivery of the products and services is achieved. This is particularly important when assessing cloud service providers.

The contract owner is the person who signs the contract.

5.    Monitoring and review

Suppliers should be monitored for the level of service and fulfilment of security clauses by suppliers or partners. Where appropriate and agreed, key suppliers may be audited periodically.

Any security incidents related to the partner/supplier should be forwarded immediately to the contract owner.

6.    Change or Termination

When the contract is changed or terminated, the access rights for employees of partners/suppliers must be adjusted or removed according to the Access Control Policy.

Further, when the contract is changed or terminated, the contract owner must make sure all the equipment, software or information in electronic or paper form is returned. 

7.    Document management

This policy shall be available to all Accellier Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Accellier Employees via email.

8.    Version history