The purpose of intelliHR's Vendor Management policy is to set forth the guidelines that should be followed to maintain the security of the organization's information systems and data when intelliHR enters into any arrangement with a third-party supplier or vendor, and to identify the elements of managing vendors: due diligence, risk assessments and contract management. The scope of this policy covers intelliHR's relationships with business partners, suppliers, or third-party vendors (collectively referred to as ‘vendors’ or ‘third parties’), including any third-party access to intelliHR's information, IT assets, IT infrastructure and facilities, and/or its client information. This policy prescribes the minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.
Policy
Managing Outsourcing Risks
Prior to outsourcing any of intelliHR’s processes or services to a third party/vendor, or allowing third-party access to the organization's information or systems, the risks involved must be clearly identified and documented. Management should review third-party risks, together with mitigation strategies or a determination that the risks are acceptable, prior to engaging with vendors.
To ensure that our information is protected when handled or managed by our third parties, we consider the following security risk areas:
- The third party has implemented the proper separation of duties, role-based access, and least-privilege access for all personnel
- Ongoing monitoring of the network and infrastructure is in place
- The third party provides applicable incident information to intelliHR
- Confidential or Sensitive data is encrypted in transit and at rest
- Business continuity procedures are in place to ensure operations may be recovered
- SLAs are defined and enforced
If a vendor can demonstrate that it maintains a current ISO 27001 certification or holds an unqualified SOC 2 Type 2 report, the vendor will be considered to meet the minimum requirements. Vendors who have neither of these documents may be required to complete an information security questionnaire for intelliHR. The responses to these questionnaires should be reviewed to determine whether the risk associated with engaging the vendor is acceptable.
Contracts
Third-party relationships must be managed by contracts (supplier agreements). Contracts that include the exchange of confidential data must require confidentiality and non-disclosure agreements (NDAs) to be executed by the vendor, and shall identify the applicable security policies and procedures to which the vendor is subject.
Contracts should be assessed to ensure that security is adequately managed, and must clearly identify security reporting requirements stipulating that the vendor is responsible for maintaining the security of confidential data under its control. In the event of a breach of the security of intelliHR’s confidential data, the vendor is responsible for notifying intelliHR of the incident details, recovery, and remediation. A Data Processing Agreement (DPA) between the supplier and intelliHR should be created and kept up to date to support every contract under which data assessed as confidential is shared; the DPA shall ensure that local, federal and international laws and standards (e.g. GDPR) are adhered to where relevant.
Third-party access to intelliHR information shall be granted only after authorization and the signing of the applicable agreements/contracts.
At a minimum, each of the following steps shall be completed prior to access provisioning:
- All parties sign a Supplier Agreement
- Vendor signs intelliHR-approved Non-Disclosure Agreement (NDA)
- Vendor staff requiring access acknowledges intelliHR Security Policy and Acceptable Use Policy within Drata
Access Provisioning
In the event that a vendor requires access to intelliHR systems and/or data, an access request must be made following the standard access request process. Access requests for vendors must, at a minimum, include:
- A documented access request from the vendor’s intelliHR manager
- Documentation regarding why the vendor needs the access and for how long
- A documented approval from an executive management member to provision the access
Furthermore, access shall only be granted to vendors once they have completed the requirements outlined above. Lastly, vendors gaining access must meet the same criteria as intelliHR staff (e.g. background checks).
Vendor Inventory
An inventory of third-party service providers shall be maintained, and the inventory will include:
- Vendor risk level
- Types of data shared with the third party
- Brief description of services
- Main point of contact at the third party
- How access is granted to the third-party vendor
- Significant controls in place
- Security report and/or questionnaire
Vendor risk level assessment will be based on the following considerations:
- High: the vendor stores or has access to sensitive data, and a failure of this vendor would have a critical impact on the business
- Moderate: the vendor does not store or have access to sensitive data, and a failure of this vendor would not have a critical impact on the business
- Low: the vendor does not store or have access to any data, and a failure of this vendor would have very little to no impact on the business
Vendor Services Change Management
Changes to the provision of services by vendors, including maintaining and improving existing information security policies, procedures, and controls, should be managed. Such a review should take careful account of our Data Classification specifications and Data Handling procedures, which provide guidance on the criticality of the business information, systems, and processes involved and on the re-assessment of risks. The following aspects will be considered:
- Changes to supplier agreements;
- Changes made by the organization to implement:
  - Enhancements to the current services offered;
  - Development of any new applications and systems;
  - Modifications or updates of the organization’s policies and procedures;
  - New/changed controls to resolve security incidents and improve security;
- Changes in supplier services to implement:
  - Changes and enhancements to networks;
  - Use of new technologies;
  - Adoption of new products or newer versions/releases;
  - New development tools and environments;
  - Changes to the physical location of service facilities;
  - Change of suppliers;
  - Subcontracting to another supplier.