Vendor Management Policy - Governance


Tools and vendor consolidation are related to vendor management policy in that they are both ways to streamline and simplify the vendor management process. By consolidating vendors, an organization can reduce the number of vendors it has to manage, which can make the process more efficient and effective. Similarly, by using tools to automate and streamline the vendor management process, an organization can reduce the amount of time and resources required to manage vendors. 


Vendor Management

Third-party service provider and vendor agreements require that {Company Name} third-parties maintain the privacy and security of the confidential information stored, used, or disclosed on behalf of {Company Name}. Agreements also require that third-parties use and disclose confidential information strictly for the purpose(s) for which it was provided or as required by law.

Prior to the selection of a third-party service provider, impacts to the security, availability, and integrity of {Company Name}’s system shall be evaluated to determine the possible risk and impact. This evaluation shall be documented and retained for audit purposes according to the document retention policy.

Service agreements shall be in place, where applicable, with each service provider that include, but are not limited to, the following:

  1. Service definitions

  2. Delivery levels

  3. Security controls

  4. Aspects of service management

  5. Issues of liability, reliability of services, and response times

{Company Name} will periodically review all third-party agreements to reasonably ensure that their third-party service providers and vendors remain in compliance with state and federal law and appropriately address any legal risk to {Company Name}. Agreements will be updated and amended as necessary when business and regulatory requirements change.

Annual reviews of third-party service providers and other vendors will be conducted by the Security Officer or their designee and will be documented and retained for audit purposes. The annual review shall also include the gathering of applicable compliance audits (SOC 1, SOC 2, PCI, HITRUST, ISO 27001, etc.) or other evidence of security compliance including, but not limited to, on-site visits and/or review of in-place security controls.

Third-Party Service Provider Controls

Third-party service provider controls shall include the following requirements:

  • Not to use or further disclose confidential information other than as permitted or required by the agreement or as required by law.

  • Define the following, where applicable:

    • Service definitions

    • Delivery levels

    • Security controls

    • Aspects of service management

    • Issues of liability, reliability of services, and response times

  • Use appropriate safeguards to prevent use or disclosure of confidential information other than as provided for by the agreement.

  • Employ or implement appropriate administrative, physical, and technical security safeguards and privacy practices that meet the use and disclosure requirements of {Company Name}.

  • Report inappropriate use or disclosure/breach of confidential information.

  • Report any breaches of confidential information no later than sixty (60) calendar days from the date the breach was discovered.

  • Breach notification must include the following:

    • breached individual’s name and contact information

    • date breach occurred and the date breach was discovered

    • information/data that was breached (e.g., social security number, name, address, etc.)

    • mitigating activity undertaken to limit damages

    • security controls that will be implemented to reasonably ensure a similar breach does not occur in the future

  • Reasonably ensure that any agents, including subcontractors, who use and disclose confidential information will agree to the same restrictions and conditions that apply to {Company Name} and {Company Name}’s workforce members.

  • Require that third-parties coordinate, manage, and communicate changes to any services currently provided that could affect the security, availability, or integrity of covered data.

  • Make every effort to mutually indemnify the other party. If one party is responsible for a breach or significant security or privacy incident, that party shall make every effort to hold the other party harmless for any inappropriate actions taken or inappropriate releases of information.

  • Upon termination of the agreement, if feasible, the service provider or vendor will return or destroy all confidential information, used or disclosed by the service provider on behalf of {Company Name}, in any form and will retain no copies of such information.

  • If return or destruction is not feasible, the service provider shall extend the agreement’s privacy and security protections to confidential information and limit further uses and disclosures to those purposes that make the return or destruction of confidential information infeasible.

  • Authorize {Company Name} to terminate the agreement if {Company Name} determines the service provider or vendor has or is violating any provision of the executed agreement.



Third-Party Service Provider/Vendor Agreement and Management

  • A standard agreement will be developed and maintained by the Security Officer or their designee.

  • Updates to the agreement template will be made, as necessary, to meet new statutory, regulatory, and contractual requirements.

  • The agreement template will be reviewed at least annually and updated if necessary.

  • An agreement addendum will be developed and implemented to address regulatory, statutory, or related contractual changes.

  • The agreement addendum will be distributed to third-parties as needed instead of renegotiating an agreement that is currently in effect.

  • The full template will be used for renewals and with new third-parties.

  • A designated individual is responsible for executing agreements with third-parties at the beginning of the business relationship with {Company Name}.

  • If the third-party forwards an agreement to {Company Name} at the beginning of the business relationship, a designated individual will forward the agreement to the general counsel or designee for review and approval.

  • If the third-party returns {Company Name}’s customized agreement and forwards their own version of the agreement, the Security Officer or their designee will forward the agreement to the general counsel or designee for review and approval.

  • A third-party agreement must be executed prior to any use and/or disclosure of confidential information between {Company Name} and the third-party.


Annual Review of Third-Parties

The Security Officer or their designee shall conduct an annual review of all third-party agreements and ensure the following:

  • Reviews are documented and results retained for audit purposes and in accordance with documented retention policies and procedures.

  • Results of the reviews shall be compared to in-place agreements and/or SLAs to ensure that services are being provided as intended.

  • If third-party service providers or vendors are found to be in violation of any executed agreement(s), action plans and processes shall be initiated to remedy the issue(s) or access to {Company Name} systems (if applicable) shall be removed immediately and be fully tested before re-deployment.