Third-Party Management Policy

Version

1.1

Owner

Head of Engineering

Last Updated On

Jun 27, 2023

Last Updated by

@Bruno Belizario

Approved by

@Sean Oldfield

Purpose

Ensure the protection of the organization's data and assets that are shared with, access to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

This document outlines a baseline of security controls that ecoPortal expects partners and other third-party companies to meet when interacting with ecoPortal Confidential data.

Scope

All data and information systems owned or used by ecoPortal that are business critical and/or process, store, or transmit Confidential data. This policy applies to all employees of ecoPortal and to all external parties, including but not limited to ecoPortal consultants, contractors, business partners, vendors, suppliers, partners, outsourced service providers, and other third-party entities with access to ecoPortal data, systems, networks, or system resources.

Policy

Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed upon with the supplier and documented.

For all service providers who may access ecoPortal Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities. Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by ecoPortal as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR, or other frameworks, compliance standards, or regulations.

Information Security in Third-Party Relationships

Addressing Security in Agreements

Relevant information security requirements shall be established and agreed upon with each supplier that may access, process, store, transmit, or impact the security of Confidential data and systems, or provide physical or virtual IT infrastructure components for ecoPortal.

For all service providers who may access ecoPortal production systems, or who may impact the security of the ecoPortal production environment, written agreements shall be maintained that include the service provider's acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that ecoPortal has established in accordance with ecoPortal’s information security program or any relevant framework.

Technology Supply Chain

ecoPortal will consider and assess the risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.

Third-Party Service Delivery Management

Monitoring & Review of Third-Party Services

ecoPortal shall regularly monitor, review, and audit supplier service delivery. Supplier security and service delivery performance shall be reviewed at least annually.

Management of Changes to Third-Party Services

Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures, or controls, shall be managed, taking into account the criticality of the business information, systems, and processes involved. ecoPortal shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.

Third-Party Risk Management

ecoPortal will ensure that potential risks posed by sharing Confidential data or providing access to company systems are identified, documented, and addressed according to this policy. Risk management plays an integral part in the governance and management of the organization at a strategic and operational level. The purpose of a partner and third-party security policy is to ensure that partnerships and services achieve their business plan aims and objectives, and are consistent with ecoPortal’s requirements for information security.

ecoPortal shall not share or transmit Confidential data to a third party without first performing a third-party risk assessment and fully executing a written contract, statement of work, or service agreement that describes expected service levels and any specific information security requirements.

Third-Party Security Standards

All third parties must maintain reasonable organizational and technical controls as assessed by ecoPortal.

Assessment of third parties which receive, process, or store Confidential data or access ecoPortal’s resources shall consider the following controls as applicable based on the service provided and the sensitivity of data stored, processed, or exchanged.

Information Security Policy

Third parties maintain information security policies supported by their executive management, which are regularly reviewed.

Risk Assessment & Treatment

Third parties maintain programs that assess, evaluate, and manage information and technology risks.

Operations Security

Third parties implement commercially reasonable practices and procedures designed, as appropriate, to maintain operations security. Protections may include:

  • Technical testing

  • Protection against malicious software

  • Network protection and management

  • Technical vulnerability management

  • Logging and monitoring

  • Incident response

  • Business continuity planning

Access Control

Third parties maintain a technical access control program.

Secure System Development

Third parties maintain a secure development program consistent with industry software and systems development best practices including risk assessment, formal change management, code standards, code review, and testing.

Physical & Environmental Security

If third parties are storing or processing confidential data, their physical and environmental security controls should meet the requirements of the ecoPortal Physical Security Policy.

Human Resources

Third parties maintain human resource policies and processes which include criminal background checks for any employees or contractors who access ecoPortal confidential information.

ecoPortal shall consider all applicable regulations and laws when evaluating suppliers and third parties who will access, store, process, or transmit ecoPortal confidential data.  Third-party assessments should consider the following criteria:

  • Protection of customer data, organizational records, and records retention and disposition

  • Privacy of Personally Identifiable Information (PII)

Customer Data Transfer Procedure

ecoPortal has designed and created an SFTP server that caters to clients and organizations. Ensuring the secure and reliable transfer of sensitive data, protecting data confidentiality, integrity, and availability during transfers, implementing access controls and permissions to manage file transfer activities, and monitoring and auditing file transfer activities for compliance and security purposes.

Each organization has its own file system /sftp/<org_name> and user /home/<org_username>under their own respective organization names.

Depending on the configuration, clients have defined IN and OUT folders for inbound and outbound traffic, respectively. An additional layer of PROD and UAT or DEV folders may be provided to supplement change management in the system.

Data transfer will be completed in accordance with the following steps:

  1. File Preparation: Prepare the file(s) for transfer, ensuring encryption, compression, or other necessary security measures are applied.

  2. SFTP Connection: Establish a secure connection to the SFTP server using SSH key-based authentication provided by ecoPortal will be established.

  3. File Upload: The file(s) will be uploaded from the local system to the SFTP server, ensuring data integrity and encryption during transit.

  4. File Download: The file(s) will be downloaded from the SFTP server after a secure connection to the intended recipient's system is established, maintaining data confidentiality and integrity.

  5. Verification: File integrities will be verified after the successful transfer of the file(s) and, if required, any additional validation checks.

  6. File Removal: The file(s) will be removed from the SFTP server periodically, ensuring secure deletion or archiving as per organizational requirements.

Where SFTP is not configured for a third party, information will be shared by encrypted and password-protected .zip folders, with passwords provided in a separate communication to the folder distribution.

Exceptions

Requests for an exception to this Policy must be submitted to the COO for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the COO. Violations of this policy can result in immediate withdrawal or suspension of the system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.