Vendor Management Policy

Last Updated: July 9, 2024

Purpose

The purpose of this policy is to establish requirements for ensuring third-party service providers/vendors meet Breakout Learning Inc requirements for preserving and protecting Breakout Learning Inc information.

Scope

The policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of Breakout Learning Inc’s technology and sensitive information, or who are within the scope of Breakout Learning Inc’s information security program. This policy also applies to all employees and contractors that are responsible for the management and oversight of IT vendors and partners of Breakout Learning Inc.

Background

This policy prescribes the minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.

Roles and Responsibilities

Vendor Manager:

The Vendor Manager is responsible for overseeing the entire vendor management process and ensuring compliance with the Vendor Management Policy.

  • Vendor Onboarding: The Vendor Manager has the authority to initiate and oversee the onboarding process for new vendors, ensuring that necessary due diligence is conducted.
  • Contract Negotiation and Approval: The Vendor Manager has the authority to negotiate contracts with vendors and seek approval from relevant stakeholders. They ensure that contracts align with organizational requirements and policies.
  • Vendor Performance Monitoring: The Vendor Manager monitors the performance of vendors and is responsible for addressing any issues related to service levels, quality, or contractual obligations.
  • Vendor Relationship Management: The Vendor Manager maintains relationships with key vendors, conducts regular meetings, and ensures effective communication between the organization and its vendors.

Policy

Breakout Learning Inc makes every effort to ensure that all third-party organizations (including cloud service providers) are compliant and do not compromise the integrity, security, and privacy of Breakout Learning Inc or its customer data. Third parties include customers, partners, subcontractors, and contracted developers.

  • IT vendors are prohibited from accessing Breakout Learning Inc’s information security assets until a contract containing security controls is agreed to and signed by the appropriate parties.
  • All IT vendors must comply with the security policies defined and derived from Breakout Learning Inc’s Information Security Program to include the Acceptable Use Policy.
  • IT vendors and partners must ensure that organizational records are protected, safeguarded, and disposed of securely. Breakout Learning Inc strictly adheres to all applicable legal, regulatory and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally-Identifiable Information (PII).
  • Breakout Learning Inc may choose to audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory and contractual obligations.

Vendor Inventory

An inventory of third party service providers shall be maintained, and will include:

  • Vendor risk level
  • Types of data shared with the third party
  • Brief description of services
  • Main point of contact at the third party
  • How access is granted to the third party vendor
  • Significant controls in place
  • Security report and/or questionnaire

Vendor risk level assessment will be based on the following considerations:

  • High: the vendor stores or has access to sensitive data, and a failure of this vendor would have a critical impact on the business
  • Moderate: the vendor does not store or have access to sensitive data, and a failure of this vendor would not have a critical impact on the business
  • Low: the vendor does not store or have access to any data, and a failure of this vendor would have very little to no impact on the business

Vendor Contracts - General

Formal contracts that address relevant security and privacy requirements must be in place for all third parties that process, store, or transmit confidential data or provide critical services. The following must be included in all such contracts:

  • Contracts will acknowledge that the third party is responsible for the security of the institution’s confidential data that it possesses, stores, processes, or transmits.
  • Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party.

  • Contracts identify information security policies relevant to the agreement.
  • Contracts establish training and awareness requirements for specific procedures and information security requirements.
  • Contracts identify relevant regulations for sub-contracting.
  • Contracts implement a monitoring process and acceptable methods for validating the adherence to security requirements of delivered information and communication technology products and services.
  • Contracts implement specific processes for managing information and communication technology component lifecycle and availability and associated security risks.
  • Contracts identify and outline use of key controls to ensure the protection of organizational assets – e.g. physical controls, controls for protection against malicious code, physical protection controls, controls to protect integrity, availability and confidentiality of information, controls to ensure the return or destruction of information assets after their use, controls to prevent copying and distributing information.
  • Contracts define information security requirements and identify the owner of information and how intellectual property rights are regulated.
  • Contracts will include screening requirements and background verification checks for contractors, which must be completed prior to joining the organization.
  • Screening requirements for personnel provided to Breakout Learning Inc must be included within the agreement.
  • Contracts identify the recourse available to Breakout Learning Inc should the third party fail to meet defined security requirements.
  • Contracts establish responsibilities for responding to direct and indirect security incidents including timing as defined by service-level agreements (SLAs).
  • Contracts specify the security requirements for the return or destruction of data upon contract termination.
  • Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract.
  • Contracts stipulate geographic limits on where data can be stored or transmitted.

Vendor Contracts - Cloud Service Providers

(For Cloud Service Customers) When selecting a cloud service provider, Breakout Learning Inc will determine its information security needs for the cloud service and will evaluate whether a potential vendor's services can meet these needs. To facilitate this evaluation, Breakout Learning Inc will request information on the cloud service provider's information security capabilities.

  • Information security requirements aimed at mitigating risks associated with a vendor's access to Breakout Learning Inc's assets will be mutually agreed upon and documented with the vendor.
  • For mitigating risks associated with the cloud service provider's access to and management of customer data, Breakout Learning Inc will consider the cloud service provider as a type of supplier within its information security policy framework for supplier relationships.

(For Cloud Service Providers) Breakout Learning Inc will provide comprehensive information about their information security capabilities to cloud service customers. However, this information will not disclose details that could potentially be exploited by malicious actors.

  • If Breakout Learning Inc utilizes the services of peer cloud service providers, Breakout Learning Inc will ensure that the information security levels promised to cloud service customers are either maintained or surpassed.

  • When Breakout Learning Inc's services are based on a supply chain, it will communicate its information security objectives to all suppliers within that chain. Furthermore, Breakout Learning Inc will require each supplier to engage in risk management activities to ensure the achievement of these objectives.

Collaborative efforts and responsibilities with cloud service providers will be defined, with consideration given to the following aspects:

  • Cloud service selection criteria and scope of cloud service usage;
  • Information security controls that are managed by the cloud service provider and those that are managed by the organization as the cloud service customer;
  • How to obtain and utilize information security capabilities provided by the cloud service provider;
  • How to obtain assurance on information security controls implemented by cloud service providers;
  • How to manage controls, interfaces and changes in services when an organization uses multiple cloud services, particularly from different cloud service providers;
  • Procedures for handling information security incidents that occur in relation to the use of cloud services;
  • The approach for monitoring, reviewing and evaluating the ongoing use of cloud services to manage information security risks;
  • How to change or stop the use of cloud services including exit strategies for cloud services.

Formal contracts that address relevant security and privacy requirements must be in place for all cloud service providers that process, store, or transmit confidential data or provide critical services. The following must be included in all such contracts:

  • Providing solutions based on industry accepted standards for architecture and infrastructure;
  • Managing access controls of the cloud service to meet the requirements of the organization (including procedures and processes for cloud service customers to participate in granting access for agreed high-risk privileged access roles defined by the organization's risk assessment, when applicable);
  • Implementing malware monitoring and protection solutions;
  • Supporting the organization in gathering digital evidence, taking into consideration laws and regulations for digital evidence across different jurisdictions;
  • Providing appropriate support and availability of services for an appropriate time frame when the organization wants to exit from the cloud service;
  • Providing required backup of data and configuration information and securely managing backups as applicable, based on the capabilities of the cloud service provider used by the organization, acting as the cloud service customer.

Breakout Learning Inc, acting as the cloud service customer, will consider whether the agreement should require cloud service providers to provide advance notification prior to any substantive customer impacting changes being made to the way the service is delivered to the organization, including:

  • Changes to the technical infrastructure (e.g. relocation, reconfiguration, or changes in hardware or software) that affect or change the cloud service offering;
  • Processing or storing information in a new geographical or legal jurisdiction;
  • Use of peer cloud service providers or other sub-contractors (including changing existing or using new parties).

Vendor Contracts - Public Cloud PII Protection

When Breakout Learning Inc is acting as a Cloud Service Provider, Breakout Learning Inc clearly allocates responsibilities between Breakout Learning Inc, its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of the IaaS, PaaS or SaaS category of the cloud computing reference architecture). For example, the allocation of responsibility for application layer controls can differ depending on whether Breakout Learning Inc is providing a SaaS service or is instead providing a PaaS or IaaS service on which the cloud service customer can build or layer its own applications. Breakout Learning Inc designates a point of contact for use by the cloud service customer regarding the processing of PII under the contract.

Vendor Contracts - Telecommunications Services

Agreements with primary and alternative telecommunications service providers will include:

  • Requirement for contingency plans;
  • Contingency plan review, to ensure that the plans meet Breakout Learning Inc’s contingency requirements; and,
  • Periodic records of the provider conducting contingency testing and training.

Vendor Services Change Management

Changes to the provision of services by vendors, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of business information criticality, systems and processes involved and re-assessment of risks. The following aspects will be considered:

  • Changes to supplier agreements;
  • Changes made by the organization to implement:
    • Enhancements to the current services offered;
    • Development of any new applications and systems;
    • Modifications or updates of the organization’s policies and procedures;
    • New/changed controls to resolve security incidents and improve security.
  • Changes in supplier services to implement:
    • Changes and enhancement to networks;
    • Use of new technologies;
    • Adoption of new products or newer versions/releases;
    • New development tools and environments;
    • Changes to physical location of service facilities;
    • Change of suppliers;
    • Subcontracting to another supplier.

Revision History