DigitalXC works closely with system integrators and resellers to deliver services to its customers. As part of these engagements, suppliers could potentially have access to DigitalXC information assets and platforms. However, recent information security breaches have shown that sometimes a third-party supplier can represent a significant weakness in the defences of our information assets.
The objective of this Supplier Security Policy (“Supplier Security Policy”) is to ensure the protection of the organization’s assets that are accessible by suppliers and to identify & minimize the risk from suppliers and vendors. It is very important therefore that our relationships with suppliers are based on a clear understanding of our expectations and requirements in the area of information security. These requirements must be documented and agreed in a way that leaves no doubt about the importance we place on the maintenance of effective controls to reduce risk.
Refer to the Controller – Processor Agreement Policy for controls related to suppliers acting as controller, processor or both.
The following documents are relevant to this policy:
- Supplier Information Security Agreement
- Supplier Information Security Evaluation Procedure
- Supplier and Processor Due Diligence Assessment
- Controller – Processor Agreement Policy
The purpose of this document is to set out the organization’s information security policy in the area of supplier relationships.
Scope
Suppliers must be selected with due diligence, and the ongoing monitoring and review of the service supplied must be performed in an effective way. This Supplier Security Policy is applicable to all suppliers and vendors of DigitalXC.
Responsibility
- Procurement planning and contract formation are responsible for determining the KPIs the successful suppliers need to achieve when supplying goods and services on the contract.
- The supplier service requestor is to identify the security risk of the supplier or vendor being onboarded.
- Project Manager is responsible for:
- The Procurement Manager is to ensure that a supplier agreement is in place.
- The Chief Information Security Officer (CISO) is to ensure compliance.
Reference
Information Security Management based on HITRUST CSF requirements.
Policy Statement
DigitalXC shall identify and mandate information security controls to specifically address supplier risks to its information assets.
Policy Considerations
General Provisions
In general, information security requirements will vary according to the type of contractual relationship that exists with each supplier and the services delivered.
However, the following will generally apply.
- Suppliers that deploy resources with access to information assets or information processing facilities shall be subject to background screening, depending on the nature and duration of the engagement.
- The information security requirements and controls must be formally documented in a contractual agreement which may be part of, or an addendum to, the main commercial contract.
- Separate Non-Disclosure Agreements must be used where a more specific level of control over confidentiality is required.
- Appropriate due diligence must be exercised in the selection and approval of new suppliers before contracts are agreed.
- The information security provisions in place at existing suppliers (where due diligence was not undertaken as part of initial selection) must be clearly understood and improved where necessary.
- Remote access by suppliers must be via approved methods that comply with our information security policies.
- Access to DigitalXC information must be limited where possible according to clear business need.
- Basic information security principles such as least privilege, separation of duties and defence in depth must be applied.
- The supplier will be expected to exercise adequate control over the information security policies and procedures used within sub-contractors who play a part in the supply chain of delivery of services to DigitalXC.
- The supplier shall conduct background checks of its supply chain as required and make a copy of the report available to DigitalXC.
- DigitalXC will have the right to audit the information security practices of the supplier and, where appropriate, sub-contractors.
- Incident management and contingency arrangements must be put in place based on the results of a risk assessment.
- Awareness training will be carried out by both parties to the agreement, based on the defined processes and procedures.
The selection of required controls must be based upon a comprehensive risk assessment taking into account information security requirements, the service to be provided, its criticality to the organization and the capabilities of the supplier.
Acceptable use for suppliers and supplier personnel
Ethical or Legal Activities
DigitalXC resources must be used for ethical and legal activities only, and not for unethical or illegal activities, which include, but are not limited to:
- The intentional creation, downloading, viewing, storage, copying, or transmission of sexually explicit, sexually oriented, gambling or hate materials is not permitted.
- The intentional creation, downloading, viewing, storage, copying, or transmission of materials related to gambling, illegal weapons, terrorist activities, and any other illegal or otherwise prohibited activities is not permitted.
- The unauthorized acquisition, use, reproduction, transmission, or distribution of any DigitalXC defined controlled information including, but not limited to, software and information that includes privacy information, copyrighted, trademarked, or otherwise protected intellectual property (beyond fair use), proprietary data, or export-controlled software or data is not permitted.
- Engaging in any unauthorized fundraising activity, including non-profit activities, endorsing any product or service, participating in any lobbying activity, or engaging in any prohibited partisan political activity is not permitted.
Unacceptable activities
The following activities are, in general, prohibited, unless specifically allowed during the course of legitimate job responsibilities (e.g., systems administration staff may be required to disable the network access of a host if that host is disrupting services).
The list below is by no means exhaustive but attempts to provide a framework for activities which fall into the category of unacceptable use.
General System Activities
- Violations of the rights of any person or company protected by copyright, trade secrets, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of, “pirated” or other software products that are not appropriately licensed for use by DigitalXC.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which DigitalXC or the end-user does not have an active license.
- Accessing data, a server, or an account for any purpose other than conducting DigitalXC business, even if you have authorized access, is prohibited.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. Management should be consulted prior to the export of any material that is in question.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
- Revealing your account password to others or allowing the use of your account by others. This includes colleagues, friends, family, and other household members when work is being done at home.
- Using DigitalXC computer assets to actively engage in procuring or transmitting material that is in violation of any laws in the user’s local jurisdiction.
- Using personal devices, other than those expressly approved by the CISO, to conduct DigitalXC client work development is expressly prohibited.
- Providing information about, or lists of, DigitalXC employees to parties outside DigitalXC.
System and Network Activities
- Port scanning or security vulnerability scanning without authorization from management.
- Executing any form of network monitoring which will intercept data not intended for the supplier personnel’s host unless this activity is a part of the supplier personnel’s normal job/duty.
- Circumventing user authentication or security of any host, network, or account.
- Introducing honeypots, honeynets, or similar technology on the DigitalXC network.
- Interfering with or denying service to any user other than the supplier personnel’s host (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/ Intranet/Extranet.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data for which the supplier personnel is not an intended recipient or logging into a server or account that the supplier personnel is not expressly authorized to access unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
Communications Activities
- Sending unsolicited email messages or other advertising material to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
- Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
- Use of unsolicited email originating from within DigitalXC networks or those of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by DigitalXC or connected via the DigitalXC network.
- Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Blogging and Social Media
- Blogging by supplier personnel, whether using DigitalXC property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Acceptable Use Policy. Limited and occasional use of DigitalXC’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate DigitalXC’s acceptable usage policy, is not detrimental to DigitalXC’s best interests, and does not interfere with a supplier personnel’s regular work duties. Blogging from DigitalXC systems is also subject to monitoring.
- DigitalXC Confidential Information policy also applies to blogging. As such, supplier personnel are prohibited from revealing any DigitalXC confidential or proprietary information, trade secrets or any other material covered by DigitalXC Confidential Information policy when engaged in blogging.
- Supplier personnel shall not engage in any blogging that may harm or tarnish the image, reputation, and/or goodwill of DigitalXC and/or any of its employees. Supplier personnel are also prohibited from making any discriminatory, disparaging, defamatory, or harassing comments when blogging or otherwise engaging in any conduct prohibited by DigitalXC Non-Discrimination and Anti-Harassment policy.
- Supplier personnel may also not attribute personal statements, opinions, or beliefs to DigitalXC when engaged in blogging. If supplier personnel express their beliefs and/or opinions in blogs, they may not, expressly or implicitly, represent themselves as employees or representatives of DigitalXC. Supplier personnel assume any and all risks associated with blogging.
- Apart from following all laws pertaining to the handling and disclosure of copyrighted or export-controlled materials, DigitalXC trademarks, logos and any other DigitalXC intellectual property may also not be used in connection with any blogging activity.
Prohibited Uses of the Internet
Except where it is strictly and necessarily required for your work, for example, IT audit activity or other investigation, you must not use the Internet access provided by DigitalXC to:
- Create, download, upload, display, or access knowingly, sites that contain pornography or other “unsuitable” material that might be deemed illegal, obscene, or offensive.
- Subscribe to, enter, or use peer-to-peer networks, or install software that allows the sharing of music, video, or image files.
- Subscribe to, enter, or use real-time chat facilities such as chat rooms, text messenger, or pager programs.
- Subscribe to, enter, or use online gaming, or betting sites.
- Subscribe to, or enter “money-making” sites, or enter, or use “money-making” programs.
- Run a private business.
- Download any software that does not comply with the organization’s software policy.
Cloud services
DigitalXC recognizes the risks associated with cloud systems, so access to and management of DigitalXC cloud data must be managed appropriately. The DigitalXC information security policy must be implemented as part of the agreement. DigitalXC will also ensure that information security objectives are set for third parties who provide components of the cloud service to customers, and that they carry out an adequate risk assessment in order to achieve an acceptable level of security.
Due diligence
Before contracting with a supplier, it is incumbent upon DigitalXC to exercise due diligence in reaching as full an understanding as possible of the information security approach and controls the supplier has in place. It is important that the documented Supplier Due Diligence Assessment Procedure is followed so that all the required information is collected and an informed assessment can be made.
This is particularly important where cloud computing services are involved, as legal considerations regarding the location and storage of personal data must be considered.
Addressing security within supplier agreements
Once a potential supplier has been positively assessed through due diligence, the information security requirements of DigitalXC must be reflected within the written contractual agreement entered into. This agreement must take into account the classification of any information that is to be processed by the supplier (including any required mapping between DigitalXC classifications and those in use within the supplier), legal and regulatory requirements, and any additional information security controls that are required.
For cloud service contracts, information security roles and responsibilities must be clearly defined in areas such as backups, incident management, vulnerability assessment and cryptographic controls.
A template DigitalXC Supplier Information Security Agreement may be used as a starting point.
Appropriate legal advice must be obtained to ensure that contractual documentation is valid within the country or countries in which it is to be applied.
Evaluation of existing suppliers
For those suppliers that were not subject to an information security due diligence assessment prior to an agreement being made, an evaluation process must be undertaken in order to identify any required improvements.
For details of this process see the Supplier Information Security Evaluation Procedure.
Monitoring and Review of Service Delivery
A process must be developed to monitor and assess the service delivery of a supplier to ensure it is meeting appropriate business and security requirements, as well as meeting any contract or SLA requirements. Each supplier will have a designated contract manager within DigitalXC who is responsible for arranging, chairing, and documenting the meetings.
The performance of strategic suppliers will be monitored on a regular basis in line with the recommended meeting frequency. This will take the form of a combination of supplier-provided reports against the contract and internally produced reports.
Contract Administration KPIs
- Compliance with agreed invoicing requirements (e.g., timeliness of invoicing and the accuracy of invoicing against agreed contract pricing)
- Compliance with agreed reporting requirements (e.g., timeliness of reporting and the accuracy of data against agreed reporting)
- Adherence to an agreed meeting schedule
- Compliance with agreed insurance requirements (e.g., timeliness of updated Certificates of Currency and the coverage of insurance)
Performance Administration KPIs
- Customer service provided to the DigitalXC Customers
- Compliance with the delivery of goods and services against contract requirements. (e.g., timeliness and accuracy)
- Commitment to working with DigitalXC to resolve issues
- Compliance with the quality of goods and/or services received against contract requirements
- Compliance with the transition in and transition out requirements
- Compliance with any other contract performance KPIs specific to the contract
- Overall performance of the supplier
Where possible, a frequent cross-check will be made between the supplier reports and those created internally to make sure the two present a consistent picture of supplier performance. Both sets of reports will be reviewed at supplier meetings and any required actions agreed.
Managing changes to supplier services
Changes within contract
Changes to services provided by suppliers will be subject to the DigitalXC change management process. This process includes the requirement to assess any information security implications of changes so that the effectiveness of controls is maintained.
Contractual Disputes
In the event of a contractual dispute, the following initial guidelines must be followed:
- The DigitalXC Chief Financial Officer (CFO) must be informed that a dispute exists
- The CFO will then decide on next steps, based on an assessment of the dispute
- Where applicable, legal advice should be obtained via the CFO
- All correspondence with the supplier in dispute must be in writing and with the approval of the CFO
- An assessment of the risk to the organization should be carried out prior to escalating any dispute, and contingency plans put in place
- When the contract is changed or terminated, the access rights for employees of suppliers must be removed according to the Access Control Policy.
- Further, when the contract is changed or terminated, the requester must make sure all the equipment, software, or information in electronic or paper form is returned.
At all times, the degree of risk to the business must be managed and if possible minimized.
End of contract
The following process will be followed for scheduled end of contract, early end of contract or transfer of contract to another party:
- The end of contract will be requested in writing within the agreed terms
- Transfer to another party shall be planned as a project and appropriate change control procedures followed
- An assessment of the risk to the organization should be carried out prior to ending or transferring the contract, and contingency plans put in place
- Any budgetary implications shall be incorporated into the financial model
The various aspects of ending a contract must be carefully considered at initial contract negotiation time.
Monitoring
CISO will review this Supplier Security Policy annually.
Enforcement
All supplier personnel (permanent, temporary and contract) shall acknowledge the Information Security Policy on a yearly basis, including the need for information security and for protecting the information that they normally handle. For third parties working within DigitalXC, the corresponding Project Manager is to ensure that such third parties understand the DigitalXC Information Security Policy.
Enforcement of this Supplier Security Policy is mandatory & violations of this Supplier Security Policy shall be reported through the Security Incident Response Team (SIRT) procedure.
The action taken after a violation is encountered is as follows:
- All violations shall be reported to Security Committee.
- For a first violation, a person violating this Supplier Security Policy shall be issued a warning or shall face stricter action depending upon the nature of the incident.
Any further violation of this Supplier Security Policy by the same person should result in strict disciplinary action that may extend up to termination of employment.