Supplier Assessment Minimum security eligibility requirements

The vendor review process is an internal process that facilitates the gathering of information necessary to manage and evaluate vendors and facilities and ensures the proper levels and frequency of governance are applied where necessary. The process enables the Security and Risk team to assess vendors/suppliers that host and/or process data or data on behalf of a standard, intuitive, defensible manner that enables rapid decision making and cross vendor comparisons. Minimum Standards for vendors and organizations that maintain CLIENT information or maintain access to the CLIENT network are :

Security and Risk Involvement 

When leveraging a 3rd party organization that will store information or maintain access to the network, the effort must follow standard security protocol which includes completion of Security and Risk Questionnaire

Human Resources

Organization shall establish and maintain controls to ensure that employees and other third parties who require access to Confidential Information are suitably screened. The organization shall conduct criminal background checks as part of pre-employment and pre-contracting screening practices for employees and other third parties commensurate with the employee’s or and other third parties’ position and level of access to the Organization’s data processing and physical facilities and the Organization’s network.  

Physical and Environmental Security

  • Organization shall establish a security perimeter around the data processing facilities and physical work environment where Confidential Information is stored or processed which includes (a) physical entry controls to reasonably ensure that only authorized individuals to gain access to such facilities and (b) environmental controls to reasonably protect against damage from fire, flood, and other forms of man-made or natural disasters.
  • Passage through the physical barriers shall be established either through electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and other third parties shall be assigned photo-ID badges that must be worn while at the facilities.
  • Visitors shall be required to sign-in with designated personnel, show appropriate identification, and assigned a visitor ID badge that must be worn while the visitor is at any of the facilities, and shall be continually escorted by authorized employees or Organizations while visiting the facilities.
  • Organization shall only provide access to the facilities to those employees and third parties who have a legitimate business need for such access privileges. When an employee or third party no longer has such a business need for the access privileges assigned to him/her, the access privileges shall be promptly revoked, even if the employee or a third party continues to be an employee of or have a third party relationship with Organization.
  • All access points to the data processing facilities shall be maintained in a secured (locked) state. Access points to all facilities shall be monitored by video surveillance cameras that will record all individuals accessing the facilities. Organization shall also maintain electronic intrusion detection systems that will detect unauthorized access to the facilities. All physical access to the facilities by employees and third parties shall be logged and routinely audited.
  • To the extent applicable to the nature of services provided, Organization shall maintain throughout data processing facilities fire, smoke, heat, and water detection and fire suppression mechanisms. Sufficient power backup systems to ensure uninterrupted power supply shall be established as appropriate.

Continuity of Business Operations

An organization shall have business continuity and disaster recovery plans established to maintain a level of service consistent with its obligations of the Agreement. Such business continuity and disaster recovery plans shall be periodically tested. Upon request, Organization shall provide test activity logs for review by CLIENT.

Access Controls

  • Organization shall make Confidential Information available only to its employees or third parties who have a legitimate business need to access Confidential Information in order to assist Organization carry out its Agreement obligations with CLIENT, who are bound by legally enforceable confidentiality, privacy and data security obligations at least equivalent to those provided in the Agreement and this Information Protection Agreement, and who have received training on the appropriate processing of Confidential Information.
  • Organization shall use secure user authentication protocols, including assigning unique identifications and strong passwords to each person with computer access.
  • Passwords shall not be vendor supplied default passwords and shall be kept in a location and/or format that do not compromise the security of the data they protect.
  • The display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties are not able to observe or subsequently recover them. Passwords must not be logged or captured as they are being entered. User passwords must not be stored in clear text.
  • Password for each technology must be chosen to mitigate the risks associated with known password length vulnerabilities and must be documented. In no case may the password length be configured to be less than eight (8) characters. Password complexity level should not be less than 3 out of 4 character classes and must have character class choices such as upper case letters, lower case letters, numeric digits, or special characters (such as $, &, #, @, etc).
  • When provided by the specific technology being implemented, a mechanism must be in place to prevent the reuse of at least the last fourteen (14) passwords. Passwords must be changed every 90 days.
  • User IDs and password must not be shared without a formal approval from Management for systems that store, access and transmit Confidential Information.
  • Access to user identification shall be blocked after five unsuccessful attempts to gain access. Inactivity timeouts shall be established for no longer than 30 minutes for all systems and applications that store Confidential Information.
  • Organization shall establish reasonable monitoring of systems for unauthorized use of or access to Confidential Information. Actual or attempted login violations and access violations shall be logged. These logs shall be protected during their lifetime to ensure confidentiality and integrity and retained for the duration of the Agreement. Upon request, the logs shall be provided in a secure electronic format to CLIENT.
  • Remote access to Organization’s network, systems, and applications that store Confidential Information shall be established upon a formal approval, using strong authentication. Remote access activity shall be logged and monitored. Remote access to CLIENT network shall be established only upon request and in accordance with CLIENT policies.
  • Organization shall maintain records of all access requests and logs of access activities for all systems that store, access, process and transmit Confidential Information for a period of no less than 180 days. Upon request, Organization shall provide such records to CLIENT for review.
  • The organization shall ensure separation of duties for security administration, access review, and security violation investigations. Organization shall establish a separation between development and operations personnel, as well as other potentially conflicting roles.
  • Storage, hosting and processing of Confidential Information must be logically separate from that of other companies’ serviced by Organization. In instances where a shared storage, hosting or processing work area is authorized by CLIENT, proper due diligence must be followed by Organization to prevent the inadvertent disclosure of Confidential Information.
  • Organization shall establish clean desk/clear screen policies to make sure that Confidential Information is not left unattended in any public place at any time.

Transfer and Encryption

  • Organization shall take appropriate precautions transmitting Confidential Information (by fax, email, courier, etc.) to make sure that the correct contact information is used for the recipient and making prior arrangements with the intended recipient to secure the receipt of Confidential Information.
  • Organization shall encrypt, using an appropriate industry-standard encryption, all records and files containing Confidential Information:
  1. stored on laptops, portable devices or portable electronic media including backup tapes when in transit to an offsite storage facility
  2. stored or transported outside of CLIENT’s or Organization’s physically secured offices and facilities, excluding hard copy paper documents
  3. while traveling across public networks
  4. while being transferred between CLIENT and Organization
  5. while being transmitted wirelessly
  6. stored on servers and databases

Network Security

  • Organization shall use reasonably up-to-date versions of system security software such as firewalls, proxies, web application firewalls and interfaces. Such software must include malware protection and reasonably up-to-date patches and virus definitions and must be set to receive the most current security updates on a regular basis. The organization shall have current antivirus software installed and running to scan for and promptly remove viruses on all laptops, servers, and networks.
  • Organization shall have a patch management process that includes testing patches before installation on all systems used to store, access and transmit Confidential Information or are used to deliver services to CLIENT.
  • Organization shall ensure that system administrators maintain complete, accurate, and up-to-date information regarding the configuration of all information systems used to store, access and transmit Confidential Information.
  • Organization shall maintain intrusion detection and/or prevention and monitoring and response processes in a manner which shall identify both internal and external vulnerabilities and risks that could result in unauthorized disclosure, misuse, alteration, or destruction of Confidential Information or information systems that are used to deliver services to CLIENT.
  • Organization shall subscribe to vulnerability intelligence services or to information security advisories and other relevant sources providing current information about system vulnerabilities.
  • Organization shall perform quarterly vulnerability assessments of its network. Corrective actions shall be taken within 30 days for all high-risk vulnerabilities, 60 days for medium and 90 days for low. If remediation cannot occur within these timeframes Organization shall inform CLIENT and agree on an appropriate time frame. Upon request, Organization shall provide vulnerability assessment reports and a description of corrective action plans to CLIENT.
  • Organization shall maintain network and remote access logs for a minimum of six (6) months.
  • Organization shall maintain a program that includes periodic dynamic and manual penetration testing of applications and systems that maintain CLIENT information

Data Center Hosting

  • If a third party is used to host Organization’s Data center, Organization must ensure that the third party complies with all requirement herewith. In addition, if the hosting provider holds any certifications Organization must ensure that those certifications are maintained for the life of this Agreement.
  • Organization shall notify CLIENT immediately if the third party hosting provider changes, fails to comply with requirements herewith or to renew their certification.

Asset Management

Organization must have and use a documented process and tools for tracking both physical and data assets.

Software Application Development and Change Management

  • Organization shall follow secure application development and coding practices and shall establish an application development and maintenance framework that protects the integrity of production applications and associated source code from unauthorized and untested modifications.
  • Organization shall not copy production data to development and test environments unless appropriate masking is performed or appropriate controls are in place to prevent compromise of production data. Any use of Confidential Information for development and testing must be authorized by CLIENT.
  • Application programs/software provided by Organization under this Agreement must be free of any viruses, malicious or backdoor code, undisclosed features designed to access, disable, damage, impair, erase, deactivate or electronically repossess Confidential Information or CLIENT’s environment, and must be appropriate for CLIENT’s intended purpose. Source code shall be protected from unauthorized copy, use, duplication, modification, and shall be securely stored.
  • Organization shall establish a change management process which includes recording and formal approval of changes and back out procedures.
  • All changes shall be thoroughly tested in a test environment prior to implementation in a production environment. Testing shall include user acceptance testing as well as security testing.
  • Organization shall conduct vulnerability scans/penetration testing of the applications that store and process Confidential Information. Corrective actions shall be taken within 30 days for all high-risk vulnerabilities, 60 days for medium and 90 days for low. If remediation cannot occur within these timeframes Organization shall inform CLIENT and agree on an appropriate time frame. Upon request, Organization shall provide vulnerability assessment reports and a description of corrective action plans to CLIENT.
  • Organization shall separate non-production systems and data from production systems and data.
  • Organization shall have database transaction logging features enabled and retain database transaction logs for a minimum of six (6) months.

Confidential Information Return and Destruction

  • Organization shall take all reasonable steps to return, securely destroy, or arrange for the secure destruction and permanently erase from all Organization owned hardware and software of Confidential Information received from CLIENT at the termination of this Agreement, when CLIENT requests same and when there is no longer any legitimate business need to retain such Confidential Information in accordance with standards and protocols established by CLIENT. Upon CLIENT’s request, Organization shall present CLIENT with a written confirmation of completion of such Confidential Information return and destruction.
  • Organization shall ensure that storage media used to store or process Confidential Information is appropriately wiped or degaussed prior to media reuse and prior to transfer of such media offsite for maintenance or destruction.

Audits and Inspections

  • Upon prior reasonable notice and at mutually agreed upon time, Organization agrees to provide CLIENT with, copies of and/or information concerning Organization’s written information security program. CLIENT shall also have the right to conduct reasonable inspections and/or audits of Organization’s information security protocols at Organization’s facilities where Confidential Information is processed or where systems that store, access and transmit Confidential Information are hosted. Organization agrees to cooperate with CLIENT regarding such inspections or audits. CLIENT will endeavor to conduct such inspections or audits in a manner that does not unreasonably interfere with Organization’s business operations.
  • Contractor shall at its expense undergo a third party auditor attestation (e.g. SSAE16, ISO, AUP, etc.) performed by an independent organization and shall provide to CLIENT upon request a report produced at least once a year as a verification and assurance of the effectiveness of internal controls over the handling of Confidential Information.


  • Organization must ensure that all sub-Organizations and/or third parties engaged in the fulfillment of this Agreement with CLIENT are also aware of and agree in writing to adhere to all provisions contained in the CLIENT Information Protection Agreement.
  • If Organization cannot, has not or does not comply with the terms of this Information Protection Agreement, CLIENT shall be entitled to suspend Organization’s processing of Confidential Information and to terminate any of Organization’s further processing of Confidential Information, and CLIENT retains all other rights and remedies for breach of this Information Protection Agreement or Organization’s Agreement with CLIENT.
  • Cloud services and providers are subject to and responsible for compliance with additional mandatory and recommended requirements as defined by CLIENT. Additional information may be found by reviewing CLIENT’s Cloud Security Principles document or by contacting CLIENT Security and Risk Policies
Rate this article: 
Average: 1 (2 votes)
Article category: