Third-Party Vendor Security Policy
EDC Inc Third-Party Vendor Security Policy
This policy outlines the security requirements and guidelines for third-party vendors accessing EDC Inc’s information systems and data. It is designed to protect EDC Inc and its stakeholders from potential risks associated with third-party access.
1. Purpose
The purpose of this policy is to establish a standard approach to managing third-party vendor security risks. This includes ensuring that vendors comply with EDC Inc’s security requirements and that their access to EDC Inc’s systems and data is appropriately managed and monitored.
2. Scope
This policy applies to all third-party vendors that have access to EDC Inc’s information systems and data, regardless of the technology used for access. This includes vendors using Active Directory user and service accounts, and those accessing data through the CMDB inventory management tool.
3. Policy
3.1 Vendor Access
All vendor access to EDC Inc’s systems and data must be approved by the IT Security Operations department. Vendors must provide a valid business justification for the access, and the access must be reviewed and approved by the IT Director or Manager of the relevant department.
3.2 Security Requirements
Vendors must comply with EDC Inc’s security requirements, which include:
- Using secure methods for accessing EDC Inc’s systems and data
- Complying with EDC Inc’s password and authentication policies
- Ensuring that their systems are patched and updated regularly, in line with EDC Inc’s patching policy
- Reporting any security incidents to the IT-SOC (Incident management) department
3.3 Monitoring and Auditing
Vendor access to EDC Inc’s systems and data will be monitored by the IT Monitoring Operations department. Any suspicious activity will be reported to the IT-SOC department and the Corporate Physical Security department.
Vendors must also comply with EDC Inc’s auditing requirements, which are managed by the IT Audit and Compliance department. This includes providing evidence of compliance with this policy and cooperating with any audits or investigations.
3.4 Exceptions
Any exceptions to this policy must be approved by the IT Security Operations department. Vendors must submit a request for an exception, which will be reviewed by the Change Audit Board (CAB).
4. Enforcement
Failure to comply with this policy may result in the termination of the vendor’s access to EDC Inc’s systems and data. Serious breaches may also result in legal action.
5. Review and Update
This policy will be reviewed and updated annually by the IT Security Operations department, or as required by changes in technology or business practices.
6. Contact
For any questions or concerns about this policy, please contact the IT Director or Manager of the IT Security Operations department.
Summary
This Third-Party Vendor Security Policy is a critical component of EDC Inc’s overall security strategy. It ensures that vendors accessing EDC Inc’s systems and data comply with our security requirements, and that their access is appropriately managed and monitored. By adhering to this policy, we can significantly reduce the risk of security incidents and protect the confidentiality, integrity, and availability of our systems and data.