Third Party Management Policy

Version: v9.3 | Effective Date: November 15, 2020

  • Document Created: October 28, 2020
  • Last Reviewed: February 15, 2025
  • Next Review Date: February 2026
  • Approved By: Chief Technology Officer
  • Policy Owner: Security Officer

17.1 Purpose

This Third Party Management Policy establishes requirements for assessing, selecting, contracting, monitoring, and managing third-party vendors, suppliers, and service providers to ensure they meet Blue Whale Apps’ security, privacy, compliance, and operational standards while enabling beneficial business relationships.

17.2 Scope

This policy applies to all third parties with access to Blue Whale Apps information systems, networks, facilities, assets, or data, including cloud providers, SaaS vendors, professional services, contractors, outsourced providers, and analytics tools.

17.3 Third-Party Risk Classification

  • High Risk: Access to production systems or sensitive data. Examples: Cloud hosting providers, analytics with PII, critical SaaS.
  • Medium Risk: Limited access or exposure. Examples: Marketing tools, non-critical applications, professional services.
  • Low Risk: No system/data access. Examples: Office supply vendors, facility services.

17.4 Vendor Selection and Due Diligence

  1. Business Justification: Document need, alternatives, cost-benefit, approval.
  2. Security & Privacy Assessment: Comprehensive for High Risk, standard for Medium, basic for Low.
  3. Compliance Verification: Regulatory and certification requirements checked.
  4. Contract Negotiation: Security/privacy terms, SLAs, liabilities, audit rights.
  5. Approval: Security Officer, CTO, Legal, and Procurement sign-offs.

17.5 Required Contractual Terms

  • Security Requirements: Encryption, access controls, incident notification, audit rights.
  • Privacy & Data Protection: DPA required, GDPR/CCPA compliance, sub-processor disclosure.
  • Compliance & Audit: Audit reports, certification reviews, regulatory compliance.
  • Service Level: Uptime, performance metrics, response times, service credits.
  • Liability & Insurance: Cyber liability insurance, indemnification terms.

17.6 Customer PII Access

Vendors with PII access (e.g., AWS, Azure, analytics) must sign BAAs/DPAs, hold SOC 2 certifications, comply with GDPR/CCPA, implement encryption and access controls, and notify Blue Whale Apps of incidents within 24 hours.

17.7 Third-Party Compliance with Security Standards

  • High Risk Vendors: SOC 2 Type II required, ISO 27001 preferred.
  • Alternative Evidence: FedRAMP, PCI DSS, HITRUST accepted where applicable.
  • Ongoing Compliance: Annual reassessment, updated certifications, incident reviews.

17.8 Vendor Monitoring and Oversight

  • Performance Monitoring: SLA compliance, availability, responsiveness.
  • Security Monitoring: Incident reports, certification status, breach monitoring.
  • Vendor Reviews: Quarterly (critical vendors), annual (all vendors).

17.9 Incident Management

Vendors must notify Blue Whale Apps within 24–48 hours of breaches or service disruptions. Blue Whale Apps coordinates with vendors on containment, remediation, and notifications.

17.10 Cybersecurity Incidents

No significant incidents in past 3 years. Vendors must provide incident history, lessons learned, and transparency in disclosures.

17.11 Ongoing Litigation

Blue Whale Apps has no ongoing cybersecurity litigation. Vendors must disclose litigation risks, financial impacts, and reputational concerns.

17.12 Vendor Offboarding

  • Advance notification, transition planning, data return or deletion, credential and asset return.
  • Vendors must certify deletion within 30 days unless contract specifies otherwise.
  • Knowledge transfer and documentation handover required for continuity.

17.13 Compliance

This policy supports ISO/IEC 27001:2022 (A.5.19, A.5.20, A.5.21), SOC 2 Type II (CC9.2), NIST CSF (ID.SC), and GDPR Article 28. Monitoring includes quarterly vendor reviews, annual audits, and continuous compliance checks.
