
3rd Party Management Policy

To protect the organisation's data and assets when shared with a 3rd party

Purpose
The purpose of this policy is to ensure protection of the organisation’s data and assets that are shared with, accessible to, or managed by suppliers. This includes external parties or third party organisations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.
This document outlines a baseline of security controls that Safetynet Solutions Ltd. expects partners and other third party companies to meet when interacting with Safetynet’s confidential data.

Scope
All data and information systems owned or used by Safetynet Solutions Ltd. that are business critical and/or process, store, or transmit confidential data. This policy applies to all employees of Safetynet and to all external parties, including, but not limited to, Safetynet’s consultants, contractors, business partners, vendors, suppliers, outsourced service providers and any other third party entities with access to Safetynet’s data systems, networks, or system resources.

General Requirements
Information Security requirements for mitigating the risks associated with suppliers’ access to the organisation’s assets shall be agreed with the supplier and documented.

For all service providers who may access Safetynet’s confidential data, systems or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities. Information shall be maintained regarding which regulatory or certification requirements are managed by, or impacted by, each service provider, and which are managed by Safetynet as required.
Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR or other frameworks, compliance standards, or regulations.

Addressing Security in Agreements
Relevant Information Security requirements shall be established and agreed upon with each supplier that may access, process, store, transmit or impact the security of confidential data and systems, or provide physical or virtual IT infrastructure components for Safetynet.

For all service providers who may access Safetynet’s production systems, or who may impact the security of Safetynet’s production environment, written agreements shall be maintained that include the service provider’s acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that Safetynet has established in accordance with Safetynet’s Information Security Programme or any relevant framework.

Technology Supply Chain
Safetynet will consider and assess risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant Information Security risks associated with Information and Communications Technology Services and the product supply chain.

Monitoring & Review of 3rd Party Services

  • Safetynet shall regularly monitor, review and audit Supplier Service Delivery.
  • Supplier security and service delivery performance shall be reviewed at least annually.

Management of changes to 3rd Party Services
Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures or controls, shall be managed. This will include taking account of the criticality of the business information, systems and processes involved. Safetynet shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.

3rd Party Risk Management
Safetynet will ensure that potential risks posed by sharing Confidential Data or providing access to company systems are identified, documented and addressed according to this policy.

Risk management plays an integral part in the governance and management of the organisation at its strategic and operational level. The purpose of a partner and 3rd party security policy is to ensure that the partnerships and services achieve their business plan aims and objectives, and are consistent with Safetynet’s requirements for Information Security.

Safetynet shall not share or transmit confidential data to a third party without first performing a 3rd party risk assessment and fully executing a written contract, statement of work or service agreement, which describes expected service levels and any specific information security requirements.

Information Security for Use of Cloud Services
This section outlines the fundamental parameters for managing and mitigating risks related to cloud service usage.

Responsibilities and Risk Management:

  • Roles and responsibilities related to the use and management of cloud services can be found in the Roles and Responsibilities policy.
  • Information security risks associated with cloud services use shall be managed in accordance with this policy and the Risk Management policy.

Security Requirements and Control:

  • The Company shall be responsible for all customer controls as defined in the Cloud Service Providers Responsibility Matrices.

Service Selection and Usage Scope:

  • Reviews of cloud service agreements for inherently high risk providers shall be performed annually to ensure alignment with current requirements.

Incident Management:

  • Information security incidents related to cloud services shall be managed in accordance with the incident response plan.

Service Review and Exit Strategy:

  • Risks related to exit and vendor lock-in should be evaluated prior to the acquisition as part of the vendor security assessment.

Provider and Customer Agreement:

  • Agreements with cloud service providers will specify protection for Safetynet’s data and service availability, even though they might be pre-defined and non-negotiable.
  • Where possible, Safetynet will seek advance notification from providers concerning substantial changes in service delivery, including changes in Technical Infrastructure, data storage location, or usage of sub-contractors.

Ongoing Management and Assurance:

  • Information regarding how to obtain and utilise information security capabilities provided by the Cloud Service Provider should be assessed as part of the Vendor Review at the time of the acquisition.


3rd Party Security Standards

All 3rd-parties must maintain reasonable organisational and technical controls as assessed by Safetynet Solutions Ltd.
Assessment of 3rd Parties which receive, process or store Confidential Data or access Safetynet’s resources shall consider the following controls as applicable, based on the service provided and the sensitivity of the data stored, processed or exchanged.

Risk Assessment & Treatment

3rd Parties maintain programmes that assess, evaluate, and manage information and technology risks.

Operations Security

3rd Parties implement commercially reasonable practices and procedures designed, as appropriate, to maintain operations’ security.
Protections may include:

  • Technical Testing
  • Protection against malicious software
  • Network Protection & Management
  • Technical Vulnerability Management
  • Logging and Monitoring
  • Incident Response
  • Business Continuity Testing.


Access Control

3rd Parties maintain a Technical Access Control Program.

Secure System Development

3rd Parties maintain a secure development program consistent with industry software and systems development best practices including Risk Assessment, formal Change Management, Code Standards, Code Review and Testing.


Physical & Environmental Security

If 3rd Parties are storing or processing confidential data, their physical and environmental security controls should meet the requirements of Safetynet’s Physical Security Policy.


Human Resources

3rd Parties maintain Human Resource Policies and Processes which include criminal background checks for any employees or contractors who access Safetynet’s Confidential Information.

Compliance & Legal

Safetynet shall consider all applicable regulations and laws when evaluating suppliers and 3rd Parties who will access, store, process or transmit Safetynet’s Confidential Data.
3rd Party Assessments should consider the following criteria:

  • Protection of Customer Data, Organisational Records, and Records’ Retention and Disposition.
  • Privacy of Personally Identifiable Information (PII).


Exceptions

Requests for an exception to this Policy must be submitted to the Company for approval.


Violations & Enforcement

Any known violation of this Policy should be reported to the Company Directors.
Violations of this Policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with Company procedures, up to and including Termination of Employment.

SAFETYNET SOLUTIONS LTD. Reg.GB3903968                                V 1.0.0.01 30/04/25 LAS