Purpose

Due to the specialized expertise needed to design, implement and service new technologies, vendors may be needed to provide resources that Ambassify is unable to provide on its own. This could include consulting services, Software-as-a-Service (SaaS), new application implementations or existing application upgrades.

Scope

This policy applies to all vendor engagements, including, but not limited to, any software purchase that is accompanied by a contract or agreement.

Policy

No software or service contract may be entered into by an Ambassify employee without prior approval/review by the Chief Information Officer (CISO).

Guidance

  • Must clearly state the security requirements for the vendors to ensure that their work is consistent with Ambassify policies.
  • Must clearly identify all types of sensitive data to be exchanged and managed by the vendor.
  • Must contain a documented System Security Plan which describes all existing and planned security controls.
  • Security reporting requirements in the contract must also require the vendor to report all suspected loss or compromise of sensitive data exchanged pursuant to the contract within 24 hours of the suspected loss or compromise.
  • GDPR compliance is a requirement.