Process: INFORMATION SECURITY MANAGEMENT

VENDOR RELATIONSHIP POLICY

Document No: PL-SSI-03
Version: 02
Date: 11/11/2022
Written by: Information Security Group
Document approved by:
Revised by: Nelsy Mayerly Benavides López, Security Senior Analyst, 09/11/2022
Approved by: Álvaro Barbosa, Risks & Information Security Manager, 09/11/2022

1. Index

2. History of versions

Date / Version / Author / Description
03/05/2022 / 01 / Nelsy Benavides / Creation
11/11/2022 / 02 / Nelsy Benavides / Update

3. INTRODUCTION

For Sophos Solutions and its subsidiaries (hereinafter “Sophos Solutions” or “The Organization”), it is important to identify and establish information security guidelines and controls that ensure the protection and assurance of the principles of integrity, confidentiality and availability of information, minimizing the risks associated with unauthorized interception, copying, modification, disclosure, and disposition of information between the company and its relationship with Providers/third parties that provide services to the Company (hereinafter “Vendors”).
3.1 Objective
Establish guidelines and security controls for third parties (vendors) that have a contractual relationship with the company.

Provide Sophos Solutions vendors or third parties with appropriate security protection mechanisms and controls for the object of the contracted service, under standards established as acceptable by the organization.
3.2 Scope
This policy applies to all Company vendors that, within their contractual relationship, offer or have access to infrastructure services, technology platforms/information systems, or the processing, storage, exchange, modification and/or creation of physical, digital or human resource information, for the purpose of protecting the confidentiality, integrity and availability of information owned by Sophos Solutions.

4. VENDOR RELATIONSHIP POLICY

This Vendor Relationship Policy is an integral part of the Information Security Policy and is therefore considered mandatory for, and must be known by, all vendors and third parties related to Sophos Solutions:
4.1 Vendor Information Security
  • Any vendor who provides services to The Company, and who has access to information assets, must have information security policies and standards within their organization, which must be developed and kept up to date in accordance with the risks their organization faces. These policies must be shared with Sophos Solutions before starting the delivery of services, so that they can be known and evaluated.
  • Requirements to address the information security risks associated with the information and communication technology product and service supply chain should be included in agreements with vendors to ensure that they function properly and as expected by the company.
  • In addition, any vendor who provides services to The Company, and who, because of the type of service it provides, must access the data network or restricted areas within the premises of Sophos Solutions, must comply with the requirements set out in the Restricted Areas Access Policy stipulated in document PL-SSI-01 ABC Information Security. This policy may be requested from Sophos Solutions at the time of engagement.
  • Sophos Solutions will conduct a security analysis of the service provided by the vendor in order to identify gaps that are, or may become, potential vulnerabilities that could expose or jeopardize the continuity of service or the confidentiality, integrity or availability of information owned by Sophos, or that could materialize some type of reputational, operational or financial impact on the Company.
  • It is the vendor's duty to close or address the gaps identified in its service and reported by the Information Security area, in order to comply strictly with the requirements of this policy.
  • In the event that the vendor requires information from the company that is additional to that authorized or set forth in the contractual agreement or is not related to the object of its service, it shall be the discretion of the information owner to analyze the reasons for such request and to approve or reject access to or delivery of this information, with the consent of the Information Security area.
  • Any confidential company information that must be exchanged or transferred by the vendor must be secured, using encryption mechanisms and by secure and authorized means by Sophos Solutions.
  • If the vendor requires access to the company's technological tools or assets, a security exception request must be made via seguridad.info@sophossolutions.com or through the internal Flow2l/Security information/Exception application by the process responsible for tracking the vendor. The Information Security area will analyze the reasons for this request and proceed to grant or deny it. If the Information Security area grants its endorsement, such access will be managed by the Infrastructure area.
  • The use of resources provided by Sophos Solutions for activities not related to the contracted service is expressly prohibited.
  • It is expressly prohibited to introduce or connect to the Sophos Solutions network any type of malware (programs, macros, etc.), logical devices, physical devices or any other type of command sequence that causes or is likely to cause any alteration or damage to computer resources and information systems.
  • In the event that the vendor must have collaborators in the offices of Sophos Solutions to carry out their work, the vendor must inform the Administrative, Infrastructure and Information Security areas by e-mail of the reason for the visit, the dates and times of attendance at the Sophos facilities, the required information technology elements, any access to restricted areas (if the work so requires), the person or process responsible for their stay at the premises, and the identification of the persons who will attend. These persons must be properly identified during their stay at the Company's premises, bearing their identification in a visible place as required by the physical access policy in PL-SSI-01 ABC Information Security.
  • Vendors will be held directly responsible for their employees' access to confidential documents or to Sophos Solutions tools, and this access is to be understood as strictly temporary, without granting them any rights of ownership over, or copies of, such information. In addition, the vendor must return the aforementioned documents or media immediately after the completion of the tasks that required their temporary use and, in any case, upon the termination of the contractual relationship.
  • Any installation, configuration or maintenance by vendors to the company’s technological infrastructure, such as servers, network equipment, support equipment, structured cabling, power cabling, among others, must comply with the requirements established by the Infrastructure area and current regulations. The Infrastructure area will be responsible for verifying and validating these configurations and/or maintenance, as well as reporting weaknesses and opportunities for improvement to the vendor.
4.2 Business Continuity in Vendor Relationship
  • Vendors must have and apply good business continuity practices, ensuring service delivery to the organization in the event of disruptive events.
  • Every Sophos Solutions vendor must have properly documented and tested disaster recovery and continuity plans, which must be delivered once the contractual agreement has been formalized and at least once a year thereafter, along with the business continuity testing report, to continuidaddelnegocio@sophossolutions.com.
4.3 General Procedure
Vendors shall know and abide by the procedures referred to in this chapter, relating to data linking, unlinking, business continuity, and processing.

Secure information erasure processes and incident reporting must be defined according to the specific services provided by the vendor; however, Sophos Solutions will establish generic procedures in case they cannot or need not be defined at the time of engagement.
4.3.1 Vendor Linking and Unlinking Procedure
Sophos Solutions establishes a general procedure for linking and unlinking vendors. However, this procedure may have particularities for each process according to the specific need. Such particularities will be explained to vendors at the time of linking or unlinking.
4.3.2 Vendor linking process
To start with the linking process, the Purchasing area will request the following documents from the vendor:

In case of being a legal person:
  • Certificate of Existence and Legal Representation
  • RUT
  • Bank Account Certificate
  • Identification of the Legal Representative
  • Vendor linking format with restrictive list search authorization

In case of being a natural person:
  • RUT
  • Bank Account Certificate
  • Identification of the Legal Representative
  • Vendor linking format with restrictive list search authorization

Once the above-mentioned documents have been obtained and the restrictive list search authorization has been accepted, the Purchasing area will verify that the information provided by the vendor is consistent and proceed with the verification of the company or natural person against restrictive lists.

In case of any finding in the restrictive list search or any inconsistency in the information, this will be reported to the Risk area of Sophos Solutions to obtain its assessment on whether the linking of the vendor may proceed.

If there are no findings and all the documents are consistent, the Purchasing area will file the documentation in the Sophos Solutions repositories and request the creation of the vendor from the accounting outsourcing provider.
4.3.3 Vendor Unlinking Process
Once the need for vendor service delivery is complete, the requesting area must inform the purchasing area of the intention to unlink the vendor, whatever the cause.

In the event that the vendor's service has been performed as a one-time service, a letter will be sent informing the vendor of the service's compliance with the agreement of the requesting area, and the contractual relationship will end.

If, on the contrary, the service has been performed on an ongoing basis and is covered by a contract with special obligations, the Purchasing area will give notice to the Legal area to verify that the special contractual obligations have been fulfilled and that it is possible to terminate the contract in accordance with its specific terms; the requesting area will be notified to give its consent on the fulfillment of the contractual object.

Once the previous stage has been completed, the Legal area shall draw up a notice of termination of the contract and request the signing of a record indicating the termination and the performance of the contractual obligations.

The purchasing area will perform, in conjunction with the requesting areas and areas involved in the provision of the service, according to specific needs, a checklist of final obligations such as: secure deletion of information, delivery or destruction of confidential information, among others.

Finally, the Purchasing area will request the removal of the vendor from the accounting outsourcing provider.
4.3.4 Secure Information Deletion Procedure
  • The vendor must ensure the secure erasure of information owned by Sophos Solutions in accordance with the parameters set by the Legal and Information Security areas in the contractual terms included in the service contracts. This deletion must be executed once the contractual relationship between the parties has ended, as well as at the express request of Sophos at any time during the contractual relationship.
  • Prior to secure deletion, the vendor will ensure the delivery of a copy (backup) of all the information to Sophos Solutions. The means used for the delivery of this copy shall be agreed between the parties.
  • Once the vendor has performed the secure erasure of the information owned by Sophos Solutions, it must submit a report presenting the evidence of erasure (logs, screenshots and any other evidence it deems appropriate).
4.3.5 Procedure to Report Security Incidents to Sophos
  • Vendors who are related to storage, communication, technology infrastructure, platforms or information systems that are provided or delivered to the company as part of the contracted service shall establish and document procedures for the management of security and cybersecurity incidents, which shall include such data as the contact person, telephone number and/or e-mail. This information shall be documented and formalized between the parties. Sophos Solutions may also request reports or evidence to validate the treatment given in the management of the incident.
  • Vendors must report any suspicious event or information security incident associated with the leakage, loss or alteration of information owned by the company, its customers and/or users that compromises the integrity and confidentiality of information associated with Sophos Solutions S.A.S.' activities to the seguridad.info@sophossolutions.com email account no later than 24 hours after the incident occurred.
  • The vendor must comply with the instructions issued by Sophos Solutions regarding the reported security incident.
  • Evidence of what happened and the details of the person or persons involved in the incident must be obtained. This evidence must be kept for a period of at least 6 months.
  • A treatment strategy or plan for the reported security incident must be implemented in order to minimize or reduce the impact and likelihood of an incident of equal or similar characteristics happening again.
4.4 Data Treatment
This Privacy Notice (hereinafter “Notice”) sets forth the terms and conditions under which Sophos Solutions will process your personal data.
4.4.1 Treatment And Purpose
Sophos Solutions' treatment of personal information will be as follows: collection, storage, use, circulation and requests for satisfaction surveys, among other activities related to the operation of The Company, in order to carry out the steps relevant to the development of the company's corporate purpose in relation to the fulfillment of the object of the contract concluded with the Owner of the information, among other related purposes.
4.4.2 Rights of the Information Owner
As the owner of your personal data you have the right to:
  • Free access to data provided that have been processed.
  • Know, update and rectify your information against partial, inaccurate, incomplete, fragmented or misleading data, or data whose processing is prohibited or not authorized.
  • Request proof of the authorization granted.
  • To lodge complaints with the Superintendency of Industry and Trade about violations of the provisions of the current regulations.
  • Revoke the authorization and/or request the deletion of the data, provided that there is no legal or contractual duty to prevent the deletion of the data.
  • Refrain from answering questions about sensitive data. Answers on sensitive data or data on children and adolescents will be optional.
4.4.3 Request, Consultation and Grievance Care
The channel through which you can access requests, queries and complaints related to data processing is: habeasdata@sophossolutions.com
4.4.4 Mechanisms to know the Data Treatment Policy
The Owner can access our Data Processing Policy, which is published on the Company's official website under Home – Sophos Solutions / Corporate Information / Data Processing Policy.
4.5 Vendor Audit
Sophos Solutions reserves the right to request scheduled visits to the vendor, both face-to-face and virtual (subject to agreement between the parties), in accordance with the provisions of the contracts, specifically for those vendors which, because their service involves safeguarding or processing information, are considered critical to the company. The purpose is to verify the security conditions implemented by the vendor and to provide guarantees regarding third-party risks, including assurance over the internal controls of external service providers.
4.6 Vendor Relationship Policy Dissemination
Sophos Solutions will establish the appropriate guidelines for the dissemination and delivery of these guidelines to each vendor with whom it has a contractual relationship in order to comply with and implement the requirements of the company.

“Sophos Solutions S.A.S. reserves the right to modify this document according to changes within the company”