Vendor Management

Vendor Management Policy

Screendesk requires vendors to maintain their own security practices and procedures and to abide by Screendesk's security policies.

New Vendors

Using a defined process, Screendesk management assesses each potential vendor to evaluate its criticality and risk. Relevant assessment criteria may include, but are not limited to:

  • The vendor's expertise, experience, and reputation

  • The nature and necessity of the service

  • Whether a vendor needs access to Sensitive or Confidential data

  • The vendor's security infrastructure

  • The vendor's level of contact with customers

A vendor's criticality rating determines the level and intensity of initial due diligence and ongoing monitoring. It also helps management track process dependencies on suppliers and quickly identify which vendors have access to Sensitive or Confidential data.

Criticality Rating

Possible vendor criticality ratings are defined below.

Critical

  • Daily operations critically depend on the service.

  • Service failure or significant impairments would halt business processes.

  • Supplier provides a service critical to developing, supporting, and securing the company software product.

High

  • Daily operations significantly depend on the service.

  • Service failure or significant impairments would seriously disrupt business processes.

  • Supplier provides a service that is significantly important to developing, supporting, and securing the company software product.

Medium

  • Daily operations regularly use the service but do not depend on it.

  • Service failure or significant impairments would impair but not seriously disrupt business processes.

  • Supplier service is used for developing, supporting, and securing the company software product, but it is not a critical function.

Low

  • Operations regularly use the service but unevenly (i.e., not every day or not every user).

  • Service failure or significant impairments would present challenges to operations but would not disrupt business processes.

  • Supplier service is used for developing, supporting, and securing the company software product, but it is not an essential function.

Vendor Review

Screendesk collects and reviews a compliance report (for example, a SOC 2 Type II report or equivalent third-party attestation) at least annually for every vendor rated Critical or High. The review is documented, and any exceptions or deviations noted in the report are evaluated to determine their impact on the service Screendesk receives.

For Screendesk, this includes annual reviews of:

  1. Render.com (cloud service provider)

  2. Amazon Web Services (S3 for data storage)

The CTO is responsible for conducting these reviews and reporting findings to the CEO. Any identified risks or concerns are addressed promptly, and mitigation measures are developed and implemented as necessary.

Vendor Security Requirements

Screendesk requires all vendors, especially those handling Sensitive or Confidential data, to adhere to the following security requirements:

  1. Implement and maintain appropriate security measures to protect Screendesk's data.

  2. Comply with all applicable data protection and privacy laws and regulations.

  3. Notify Screendesk immediately of any security incidents that may affect Screendesk's data.

  4. Allow Screendesk to conduct security assessments or audits when Screendesk deems them necessary.

  5. Provide documentation of their security practices and any relevant certifications upon request.

  6. Ensure that any subcontractors or third parties they engage also adhere to these security requirements.

Ongoing Monitoring

Screendesk continuously monitors its critical vendors for:

  1. Changes in their security posture or practices

  2. News of security incidents or breaches

  3. Updates to their services that may impact Screendesk's operations or security

  4. Compliance with agreed-upon service level agreements (SLAs)

The CTO is responsible for this ongoing monitoring and should report any significant findings or concerns to the CEO promptly.

Vendor Termination

When terminating a relationship with a vendor, especially one that has had access to Sensitive or Confidential data, Screendesk follows these steps:

  1. Revoke all access to Screendesk systems and data, including user accounts, API keys, shared credentials, and network access, and rotate any credentials the vendor held

  2. Ensure the return or secure destruction of any Screendesk data held by the vendor, and obtain written confirmation of destruction where applicable

  3. Update the vendor inventory and any relevant documentation

  4. Conduct a final security assessment to ensure no residual risks remain

The CTO oversees this process and ensures its completion before finalizing the termination of any vendor relationship.
