BPM Consulting
Supplier Relationship Security Policy
| OBJECTIVE: | |
|---|---|
| SCOPE: | physical. |
| ASSOCIATED DOCUMENTS: | Policy, Information Transfer Policy, Backup and Information Transfer Procedure, Change Management Procedure, Confidentiality Agreement |
Asset: Anything that has significant value for the organization. An organization’s assets include hardware, software, electronic or physical documents, infrastructure, services, and personnel, among others. The term Asset is synonymous with Information Asset.
Confidentiality: The property of safeguarding the information asset from unauthorized persons, processes, or entities.
Availability: The property of ensuring that the information asset is accessible and usable when required by authorized persons, processes, or entities.
Integrity: The property of safeguarding the accuracy and completeness of the information asset, according to the different processing methods to which it may be exposed.
Service Level Agreements (SLAs): A written agreement between a service provider and its client for the purpose of establishing the agreed level of service quality. The SLA is a tool that helps both parties reach a consensus regarding the level of service quality in aspects such as response time, service availability, available documentation, personnel assigned to the service, etc.
Scope of Service Delivery and SLA Definition
- The contract signed between the parties must define the types of components and services provided by the supplier that may affect the confidentiality, integrity, and availability of the organization’s information and/or services.
- BPM Consulting and the supplier must clearly and explicitly define the technical, operational, information handling (including periodic backups, end-of-service backup, secure deletion, data transfer), administrative (e.g., periodic report delivery, follow-up meetings, periodic review of security controls), and personnel Service Level Agreements necessary to address the provision/delivery of the products/services that the supplier will provide to the organization. These SLAs must be documented in the contract or in annexes that form an integral part of it.
- In defining the scope of the service, BPM Consulting and the supplier must determine, according to the type of service to be provided, access to:
- Sensitive customer information / customer user information / private or confidential company information.
- Sensitive physical/logical infrastructure that impacts BPM Consulting’s service delivery or the organization’s internal operations.
These definitions must be part of the scope indicated in the contract or its technical annexes and must provide clarity regarding the information, ICT services, and physical infrastructure that the supplier may access, use, and/or manage, as applicable. BPM Consulting’s logical access control and physical access control policies must be followed, as applicable.
- Any installation, configuration, or maintenance carried out by suppliers on the company’s technological infrastructure, such as servers, network equipment, support equipment, structured cabling, power systems, among others, must comply with the requirements established by the Technology and Infrastructure Management and the Administrative and Financial Management (for maintenance of the physical facilities infrastructure). These areas will be responsible for verifying and validating such configurations and/or maintenance, as well as reporting weaknesses and opportunities for improvement. In applicable cases, BPM Consulting must follow the guidelines established in the organization’s Change Management procedure.
Use of Information and Resources
- The supplier must include the appropriate confidentiality clause in its contract and must also sign the “Confidentiality Agreement” document provided by BPM Consulting.
- All confidential information of the organization that must be exchanged or transferred by the supplier must be handled securely, using encryption mechanisms, through secure means authorized by the Technology and Infrastructure Manager. The guidelines established in BPM Consulting’s Information Transfer Policy must be followed.
- The supplier is responsible for maintaining the confidentiality of BPM Consulting’s information accessed by its employees and must maintain non-disclosure agreements with them. Access by these employees is defined as temporary, and therefore there is no ownership right or right to copy such information. Accordingly, the supplier must return all information provided by BPM Consulting immediately after the completion of the tasks that originated the temporary use of the information and, in any case, upon termination of the contractual relationship.
- If the supplier requires information from BPM Consulting’s information systems/platforms beyond what is authorized or established in the contractual agreement, or unrelated to the purpose of its service, it must notify the Technology and Infrastructure Manager by email, who will process the request according to the definitions of the logical access control policy. In cases of physical information, it is at the discretion of the information asset owner to grant the relevant access. Nevertheless, a written record of the request and response must be kept and shared with the Security Officer.
- If the supplier requires access to BPM Consulting tools or technological assets, it must submit a security exception request through the asset owner. This request must be documented in writing with the corresponding response (approval/denial) and in accordance with the logical access control policy guidelines.
- BPM Consulting expressly prohibits the use of resources provided by the organization for activities unrelated to the contracted service. Likewise, it prohibits introducing into the company’s network any type of malware (programs, macros, etc.), logical or physical devices, or any other command sequence that causes or may cause any alteration of or damage to computer resources and information systems.
Risk Management and Treatment
- BPM Consulting will request from the supplier the definitions established for the treatment of its information security risks associated with the contracted products/services, as well as those risks related to its supply chain (including people as a component of risk), which may affect the continuity, availability, and integrity of the information and the service provided. This is intended to validate that the supplier has considered the risks in its value chain that may impact the proper delivery of the services contracted by the organization.
- BPM Consulting may suggest actions or controls based on the results of the operation of the contracted/delivered services.
Incident Management, Functional and Hierarchical Escalation
- The supplier providing services related to information storage, communication, technological infrastructure (physical/logical), platforms, or information systems must establish and document procedures for security incident management. These procedures must be communicated in writing to BPM Consulting so that the organization clearly understands the defined mechanisms for notification, escalation, response times, resolution times, and points of contact (contact person, phone number, and/or email address) for incident management.
- The supplier must report, within no more than 24 hours after identifying the incident, to the Technology and Infrastructure Manager, as well as to BPM Consulting’s Security Officer, any suspicious event or information security incident that compromises the confidentiality, availability, and integrity of the service provided by the suppliers and/or the information owned by BPM Consulting, its clients, and/or users.
- BPM Consulting may request reports or evidence that allow understanding of the incident, validation of the treatment and solution provided, as well as the lessons learned identified during the incident management process. Such evidence must be retained for a minimum period of 6 months and, if necessary, the supplier will be required to implement an incident response plan to reduce the likelihood of recurrence or similar events.
- In the case of major incidents, in addition to functional escalation, the supplier must provide at the beginning of the contractual relationship the contact details of the employees to whom BPM Consulting should direct immediate handling of situations (e.g., Project Manager, IT Manager, Deputy Manager, Manager).
Secure Information Deletion
- Where applicable and according to the scope of the contracted service, the supplier must guarantee the secure deletion of information owned by BPM Consulting in accordance with the SLAs established between the parties. This deletion must be carried out once the contractual relationship ends and additionally upon the express request of BPM Consulting at any time during the relationship. In all cases, the supplier must provide a report demonstrating evidence of deletion with the corresponding dates (e.g., logs, screenshots).
- Prior to secure deletion, the supplier must guarantee the delivery of a complete backup copy of all information to BPM Consulting. The medium used for delivering this copy shall be agreed upon by both parties.
Business Continuity
- To ensure the availability of the contracted service, the supplier must have a duly documented, tested, and updated service continuity plan (at least once a year), which must be available whenever BPM Consulting considers it necessary to request and review it.
Fines, Sanctions, and Penalties
- BPM Consulting will transfer the fines, sanctions, and/or penalties imposed by its clients resulting from non-compliance with any of the SLAs agreed upon with the supplier, which affect the confidentiality, integrity, and availability of the service and/or the information of the organization’s clients/final users.
Access to Facilities
- If the supplier needs to have employees working at BPM Consulting’s offices to perform their duties, the supplier must inform the Administrative and Financial Management by email several days in advance, indicating the reason for the visit, the dates and times of attendance at the facilities, the required IT equipment, access to restricted areas (if required for the work), the person or persons responsible for their stay at the facilities, and the corresponding identification of the people attending.
- These individuals must be properly identified during their stay at the Company’s facilities by visibly carrying their identification, in compliance with BPM Consulting’s Physical Access Control Security Policy.
Follow-up and Control Meetings, Supplier Audits
- BPM Consulting will verify the security conditions implemented by the supplier, taking into account the scope of the contract and its annexes, through follow-up and control meetings agreed upon by both parties and carried out as part of contract management. As a result of these meetings, commitments may arise between the supplier and the client, which must be managed and processed in order to minimize risks and ensure the confidentiality, availability, and integrity of the information and/or the services provided.
- Likewise, BPM Consulting may conduct second-party audits in order to supervise compliance with the Information Security requirements established by the supplier, especially for those suppliers considered critical to the organization.
Termination of the Contractual Relationship
Upon conclusion of the contractual relationship, the employee responsible for managing and administering the contract must notify the Technology and Infrastructure Management, Administrative and Financial Management, and Human Talent and Culture Management of the termination of the contractual relationship, in order to ensure the following elements:
- Removal of access rights
- Handling of information
- Ownership of intellectual property developed during the contractual relationship
- Portability of information in case of supplier change or internal resource transition (insourcing)
- Document management
- Return of assets
- Secure deletion of information and other associated assets
- Confidentiality requirements
- Supplier evaluation/re-evaluation, as applicable
- Closure of billing processes, if necessary
- Completion of employee onboarding/offboarding processes
Data Processing
As established by the Data Processing Policy available to stakeholders on the corporate website https://www.bpmconsulting.com.co/, supplier data is processed for the following purposes: requesting goods or services, managing the delivery of purchased supplies, providing feedback on their performance, and managing payment activities.
Disclosure of This Policy
This policy will be available for consultation by stakeholders on the corporate website https://www.bpmconsulting.com.co/. Notwithstanding the above, BPM Consulting will establish the communication channels it considers appropriate to provide each supplier with this document.
Petitions, Complaints, Claims, Requests, and Compliments
BPM Consulting has made available, through its corporate website https://www.bpmconsulting.com.co/, the PQRSF section so that suppliers may submit their requests as they deem appropriate. To identify the request, please indicate the word “supplier” in the subject field.
Compliance with this policy is mandatory. In the event that employees and third parties do not adhere to it, the organization reserves the right to take the corresponding measures. Any employee who becomes aware of a violation of this policy must report it to their direct supervisor or to the Control, Improvement, and Innovation Manager.
CHANGE CONTROL
| VERSION | APPROVAL DATE | CHANGE CONTROL |
|---|---|---|
| 01 | 16-11-2020 | Policy creation |
| 02 | 02-04-2024 | Full document content update |