Vendor Management Policy

# Vendor Management Policy ## 1. Purpose This policy establishes procedures for evaluating, onboarding, monitoring, and offboarding third-party vendors at **[Company Name]**. ## 2. Vendor Risk Tiering | Tier | Criteria | Review Frequency | Due Diligence Level | |------|----------|-----------------|-------------------| | **Critical** | Processes customer data, production infrastructure | Quarterly | Full assessment + SOC 2 report | | **High** | Accesses internal data, development tools | Semi-annually | Security questionnaire + certifications | | **Medium** | Business services with limited data access | Annually | Security questionnaire | | **Low** | No data access, commodity services | Biennially | Self-attestation | ## 3. Vendor Onboarding ### 3.1 Security Assessment Before engaging any vendor of Medium tier or above: 1. Complete vendor security questionnaire 2. Review SOC 2 Type II report (or equivalent certification) 3. Evaluate data handling practices and encryption standards 4. Assess business continuity and disaster recovery capability 5. Review breach history and incident response capability ### 3.2 Contractual Requirements All vendor contracts must include: - **Data Processing Agreement (DPA)** if processing personal data - **Security obligations** aligned with our policies - **Breach notification** within 72 hours - **Right to audit** or evidence of third-party audit - **Data deletion** requirements upon contract termination - **Insurance** requirements (cyber liability for Critical tier) - **Subprocessor** approval and notification requirements ## 4. Ongoing Monitoring - Critical vendors: Quarterly review of SOC 2 reports, SLA performance, and security posture - Monitor vendor security news and breach disclosures - Annual vendor risk re-assessment - Track vendor certifications and expiration dates ## 5. Vendor Offboarding When a vendor relationship ends: 1. Revoke all system access within **24 hours** 2. Request written confirmation of data deletion within **30 days** 3. Retrieve or confirm destruction of all company data 4. Remove vendor from sub-processor list 5. Update vendor registry 6. Archive vendor documentation for retention period ## 6. Vendor Register Maintain a centralized vendor register with: - Vendor name, primary contact, contract dates - Risk tier and last assessment date - Data types processed/accessed - Certifications held and expiry dates - Sub-processor status --- *Approved by: [Name, Title]* *Effective Date: [Date]* *Version: 1.0*