The purpose of this policy document is to set out the minimum information security requirements expected of third parties who intend to carry out any work for or on behalf of Sabio Ltd. The overall objective is to maintain confidentiality, integrity, availability and privacy of Sabio Ltd information in order to protect information assets for business, contractual, regulatory and legal reasons.
1.1.1 The scope of this standard includes any third party that will have access to Sabio Ltd information either on-site or through remote access. This policy also applies to all temporary staff and third parties employed directly and indirectly by the subcontractors.
1.1.2 Any data that can be classified as Personal Data must be processed in compliance with the Data Protection Act 1998 and Sabio’s data protection and information security policies.
1.2. Ownership and Responsibilities
1.2.1 This policy is owned and maintained by Sabio Ltd and can be amended with or without notice from time to time at Sabio Ltd’s discretion. Third parties will not be expected to comply with any changes to this document until they have been provided with such changes in writing and a reasonable period (not to exceed 120 days) to comply with such changes. This policy will be comprehensively reviewed by Sabio Ltd and updated at least once a year.
1.2.2 Any queries or feedback related to this policy should be directed to [email protected]
1.3. Information Security Assessments
1.3.1 Third parties who fall within the above scope may be subject to compliance review against this Policy and will be required to complete an assessment form. A review will be undertaken to highlight potential risks and Third Parties will be required to mitigate those risks before commencing any works.
2. Information Security Policy
2.1 The Third Party shall at all times maintain a management approved corporate Information Security Policy defining responsibilities and setting out the Third Party’s approach to information security. The Information Security Policies should follow Information Security programs that are based on the ISO 27001 or other similar frameworks e.g. PCI DSS, NIST etc.
2.2 The Third Party shall agree to provide Sabio Ltd with copies of their security policies on request and evidence of compliance with any of the standards demonstrated by the Third Party e.g. ISO 27001, CSTAR, PCI DSS etc.
2.3 The Third Party shall at all times maintain the above mentioned framework along with policies covering all requirements set out in this Policy document along with industry best-practice. All security policies must be communicated to all staff responsible for handling Sabio Ltd information.
2.4 A dedicated Information Security role should be defined and assigned to an individual in the company and these details communicated to Sabio Ltd. This individual will act as the primary contact for all Information Security matters.
3. Processes and Procedures
3.1 All processes for managing the security of Sabio Ltd must be assessed on an annual basis and communicated to Sabio Ltd if any changes are made. The Third Party shall not process or otherwise make use of Sabio Ltd information or access the System for any purpose other than that which is directly required for the supply of agreed Services.
3.2 The Third Party shall only perform such Services in accordance with the contract and shall not dispose of any Sabio Ltd information without the prior written approval from Sabio Ltd.
3.3 The Third Party shall establish and at all times maintain safeguards against the accidental or deliberate or unauthorised disclosure, access, manipulation, alteration and against any destruction, corruption of, damage, loss or misuse of Sabio Ltd information in possession of the Third Party or any sub-contractors or the Third Party.
3.4 The Third Party shall ensure they sign a non-disclosure agreement relating to Sabio Ltd information before they are given access to it.
4. Human Resources Security
4.1. Roles and responsibilities
4.1.1 The Third Party shall ensure that information security roles and responsibilities of all Third Party employees (and subcontractors) are clearly define and documented.
4.1.2 The Third Party shall have a comprehensive disciplinary policy, code of conduct & work rules directive in force to protect the interests and security of Sabio Ltd personnel and Sabio Ltd information.
4.2.1 The Third Party shall ensure that background checks such criminal record checks and credit checks are conducted at the Third Party’s cost and within a reasonable time period and in any event shall be completed prior to such Third Party or Subcontractor personnel commencing provision of the Services.
4.3. Employment References
4.3.1 The Third Party shall ensure that a written policy exists and is followed for pre-employment screening and that the screening and that the screening status and results for all Third Party personnel are fully collated and kept on record. Sabio Ltd may request evidence of the screening status (or a confirmation statement) be made available on request for audit and compliance purposes.
4.4. Contractual Agreements
4.4.1 The Third Party shall ensure that all personnel enter into a written contract of employment under which they agree to adhere to all Third Party policies, rules and procedures including all information protection policies.
4.6. Training and Awareness
4.5.1 The Third Party shall hold structured briefings with respect to security awareness and knowledge focusing on the risks resulting from poor information security, and legal and regulatory requirements to protect information.
5. Compliance and Asset Management
5.1. Security Reviews
5.1.1 The Third Party shall conduct annual security reviews of the Subcontractors where those Subcontractors have access to Sabio Ltd information or be able to demonstrate supplier has appropriate security controls and processes in place, and maintain detailed audits to include any security risks if supplier is reviewed along with recommendations and remedial actions.
5.1.2 The Third Party shall conduct security reviews in accordance with the requirements set out in this Policy document.
5.2. Information Classification
5.2.1 The Third Party shall ensure that Sabio Ltd information is classified in terms of its value, legal requirements, sensitivity and criticality. The Third Party shall also ensure that an appropriate set of procedures for information labelling and handling is developed and implemented in accordance with the classification scheme adopted by the Third Party, and that such procedures are reviewed as a result of any significant business changes.
5.3. Asset inventory
5.3.1 All information assets used to process Sabio Ltd information must be recorded in a maintained inventory. The Third Party shall ensure that any media used to record, store or process Sabio Ltd information as part of the Services, including hard copies of documents, laptops, portable storage devices and magnetic media are securely handled, transported and encrypted and that their use is authorised.
5.4. Data Privacy
5.4.1 The Third Party shall at all times ensure that it maintains and abides by an appropriate Data Protection Policy to safeguard Sabio Ltd information in accordance with the terms of the contract and the Data Protection Act 1998 (and any amendment thereto to or replacement thereof) and any other applicable statute, regulation or industry code.
5.4.2 Where any Sabio Ltd information is intended to be transferred, stored or processed outside of the UK, EU or EEA, the Third Party shall first obtain permission in writing from Sabio Ltd before doing so and provide full details of the locations, security arrangements and what information is to be transferred, stored or processed.
5.4.3 The Third Party shall ensure that appropriate retention and secure deletion/destruction policies and procedures are in place for all Sabio Ltd information held. Sabio Ltd may require a copy of the policies and procedures.
5.4.4 The Third Party shall transfer/exchange Sabio Ltd information via secure channels which are encrypted and further shall inform Sabio Ltd in writing of the encryption solution used to transfer/exchange Sabio Ltd information and the contents of the Sabio Ltd information in advance of any transfer or exchange.
5.4.5 The Third Party shall ensure that it adopts a policy to protect against the risk of using mobile computer, teleworking activities and communication facilities where these are used to deliver Services to Sabio Ltd.
5.4.6 The Third Party shall notify Sabio Ltd immediately in the event of data loss or data breach detailing severity of the exposure. This will handled as part of the incident management process (7.1) and a full report to be communicated to both parties.
5.4.7 The Third Party shall not make unauthorised copies of Sabio Ltd information
6. Network Security Management
6.1 The Third Party shall maintain the appropriate confidentiality, integrity and availability of Sabio Ltd information by:
- Utilising secure network architecture and operations;
- Ensuring that networks carrying Sabio Ltd information are designed, built, monitored and managed according to industry standards, best practices and frameworks e.g. ISO 27001, OWASP ITIL etc. to prevent unauthorised access to Sabio Ltd information
6.2 The Third Party shall ensure that utility programs capable of overriding system and application controls shall be restricted and tightly controlled.
6.3 The Third Party shall ensure that regular penetration testing is carried out and use equipment approved, owned and secured by the Third Party to access Sabio Ltd information.
6.4 The Third Party shall maintain systems security measures to guard against the accidental, deliberate unauthorised disclosure, access, manipulation, alteration, destruction, corruption of information through processing errors, damage or loss or misuse of Sabio Ltd information. As a minimum, these measures shall include software which:
- Requires all uses of the systems to enter a username or identification number and a password prior to gaining access to the Sabio Ltd information or Systems.
6.5 The Third Party shall ensure that it adopts a policy to protect against the risk of using mobile computing, teleworking activities and communication facilities where these are used to deliver Services to Sabio Ltd.
6.6 The Third Party shall have an established, documented and regularly reviewed formal procedure for the provision and limitation of access to Sabio Ltd information so that access is limited to those personnel that need access to such information or systems to carry out the according to the contractual agreements.
6.7 The Third Party shall have a system-enforced password and user account policy that meets or exceeds Sabio’s password policy (minimum 8 characters, must contain uppercase, lowercase, numeric and special characters). This shall include procedures to be followed when personnel leave their workstation (automated system lock) and a process to control and manage user accounts upon completion of employment or an individual’s short-term contract or change in role.
6.8 The Third Party must not share any credentials issued to them to any other Third Parties without the express permission of Sabio Ltd.
6.9 The Third Party shall maintain changes to Sabio Ltd information and Systems in accordance with Sabio’s change management processes. Wherever possible records should be kept of changes made for auditing and security purposes.
7. Incident Management
7.1. Policy and Procedure
7.1.1 The Third Party shall at all times maintain a security incident response procedure.
7.1.2 The Third Party shall require all Third Party personnel to report any observed or suspected security weaknesses in Systems or Services to the Third Party. The Third Party shall inform Sabio Ltd immediately about any such weaknesses of which it becomes aware.
7.2. Contact details
7.2.1. All incidents must be reported to [email protected]
8. Related policy documents
Sabio – Third Party Assessment Form
9. Appendix 1 – Definitions
“Sabio Ltd Information” means any information or data owned, processed or produced by Sabio Ltd or Sabio’s end customers data.
“Third Party” applies to contractors, temporary staff or anyone else that has or intend to have access to Sabio Ltd information or the System
“System” means (in whole or part) the servers, networks and/or software used in the provision of the services to either Sabio Ltd or its customers. Any data stored on, transmitted through or accessed from the System shall be deemed to form part of the System
“Services” means the services provided by the third party to Sabio Ltd as set out in the supplier’s legal agreement.
“Subcontractor” means contractor appointed by the third party in accordance with the agreement to provide all or part of the services.