Last updated: 24 October 2024 at 11:47:25 UTC by Russell Briggs
Supplier and Partner Security Policy
Document Ref No | IS-13
Version No | V1
Last review date | 18/10/2021
Approved by | Dom Tyler
Next review | 28/02/2022
Contents
1. Purpose, scope and users
2. Identifying the risks
3. Screening
4. Contracts
5. Training and awareness
6. Monitoring and review
7. Change or Termination
8. Document management
9. Change history
1. Purpose, scope and users
The purpose of this document is to define the rules for relationships with suppliers and partners.
This document applies to all suppliers and partners who have the ability to influence the confidentiality, integrity and availability of Recycly's sensitive information.
Users of this document are top management and persons responsible for suppliers and partners in Recycly.
2. Identifying the risks
Security risks related to suppliers and partners are assessed prior to engaging the supplier. During the risk assessment, special care must be taken to identify risks related to information and communication technology, as well as risks related to the product supply chain.
3. Screening
The contract owner decides how supplier security should be assessed and which methods should be used. Suppliers who will have access to Recycly data should be considered higher risk.
4. Contracts
The contract owner (i.e. the person authorising the purchase) is responsible for deciding which security clauses will be included in the contract with the supplier or partner if terms are negotiable, or whether to accept the supplier's terms as satisfactory.
Clauses which stipulate confidentiality are mandatory, as is a clause on the return of assets on termination, where applicable.
Further, the contract must be reviewed to ensure that it details how reliable delivery of the products and services is achieved. This is particularly important when assessing cloud service providers.
The contract owner is the person who signs the contract.
5. Monitoring and review
Suppliers and partners should be monitored for their level of service and their fulfilment of security clauses. Where appropriate and agreed, key suppliers may be audited periodically.
Any security incidents related to the partner/supplier should be forwarded immediately to the contract owner.
6. Change or Termination
When the contract is changed or terminated, the access rights for employees of partners/suppliers must be adjusted or removed according to the Access Control Policy.
Further, when the contract is changed or terminated, the contract owner must make sure all the equipment, software or information in electronic or paper form is returned.
7. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
8. Version history
Summary of Change | Date of Change | Author | Version No
First Draft | 18/10/2021 | Dom Tyler | 1