Vendors and contractors shall comply with all applicable policies, procedures, and agreements of ID123.
B. Data Protection Officer Responsibilities
The DPO shall implement and maintain a list of vendors with access to our information resources. This list, as well as vendor agreements and contracts, shall specify:
- Resources that the vendor accesses
- Security measures vendor will take to protect confidential data
- Acceptable methods for the return, destruction, or disposal of customer information under vendor control at the end of the contract
- Vendor assurance that information collected and stored during the term of the contract shall only be used for the purposes of the business/contract agreement
- Information acquired by the vendor during the course of contract execution cannot be used for any other purposes other than those specified in the contract and shall not be divulged to others
C. Vendor Responsibilities
We shall provide a point of contact for the vendor as part of its normal operating procedure. The point of contact will work with the vendor to make certain they are in compliance with our policies. Vendors shall comply with the following procedures as part of their working relationship with us:
Security Clearances – Vendors and contractors with access to Confidential Information or Personally Identifiable Information (PII) must be cleared to handle that information.
Incident Reporting – Vendors and contractors shall report all security incidents directly to the Data Protection Officer or designee.
Change Management – Vendors and contractors personnel must follow all applicable ID123 change control processes and procedures.
Remote Access – Remote vendor and contractor access must be uniquely identifiable and password management must comply with our password policy and standards.
Contractor Termination – Upon departure of a contractor working with ID123 information assets for any reason, the vendor shall ensure that all sensitive and confidential information is collected and returned or destroyed within a commercially reasonable timeframe.
Keycard and Security Access – Upon termination of contract or at the request of ID123, the vendor or contractor shall surrender all identification badges, access cards, equipment and supplies immediately.
Auditing and Compliance – Vendors and contractors are required to comply with all ID123 auditing requirements.
Disclosure of Sub-Contractors – Third party agreements that directly, or indirectly, impact our information resources are required to include explicit coverage of all relevant security requirements.