Information Security Policy for Contractors
1.0 Summary of Policy Topic and Purpose
Vendavo takes security seriously. In the ordinary course of business, Vendavo’s employees and contractors access and use confidential information that belongs to Vendavo or its customers. Vendavo’s Information Security Program and supporting standards and procedures are based upon the industry standard ISO 27001:2013 and provide the foundation on which Vendavo develops and maintains a consistent and secure environment for the operation of its business processes.
Vendavo treats all confidential and proprietary information as a corporate asset which must be appropriately evaluated and protected against all forms of unauthorized access, use, disclosure, modification, or destruction. Security controls must be sufficient to ensure confidentiality, integrity, availability, accountability, and auditability for important information and associated information technology resources, and must be aligned with the requirements based on the classification of the information.
Each department, including its employees and consultants, is required to determine, in coordination with the responsible staff functions, the proper levels of protection for any information under its control, and to implement appropriate safeguards.
This Policy is subject to change over time as Vendavo reserves the right to revise, modify, suspend, rescind, delete from, or add to this and any policies, procedures, or benefits stated herein or as part of its wider Information Security Program from time to time in its sole and absolute discretion. Each new version of the Policy will supersede and replace all previous versions as of its effective date.
1.1 Objective
This Information Security Policy for Contractors (the “Policy”) outlines Vendavo’s security fundamentals, principles, and controls. The purpose of this Policy is to establish the necessary principles, requirements, and responsibilities to ensure information security when granting contractors access to Vendavo’s information and systems, and adequate protection for any confidential information of Vendavo or its customers which is handled by contractors during their work for Vendavo.
1.2 Scope
This Policy applies to all contractors of Vendavo who may access Vendavo resources and access or use confidential or proprietary information relating to Vendavo or its customers stored in Vendavo infrastructure and/or SaaS systems. The Policy applies regardless of whether contractors work on-site or remotely, and wherever in the world they are located. While the Company recognizes there are sometimes regional differences in practices and expectations, this Policy represents the high standard of conduct expected of all users worldwide.
If at any time you have questions about the appropriate use of a particular technology that is not covered in this Policy, you must exercise sound judgment and seek help from your management.
For the purpose of this Policy, “contractor” means any external user (non-Vendavo employee) whose work for Vendavo involves handling Vendavo confidential information or customer confidential information, or access to Vendavo or customer systems. This includes an individual contractor, a freelancer, an advisor, a consultant, an assigned or agency employee, or an employee of a company that provides services to Vendavo based on a contract.
1.3 Policy Compliance
Compliance with this Policy is mandatory for all Vendavo contractors, as specified in the scope stated above. If it is suspected that the proper procedures as outlined in this Policy have not been or are not being followed, such non-compliance must be immediately reported to the Information Security Officer. Violations, whether deliberate or due to careless disregard, will be treated as serious misconduct and may result in termination of the contractor relationship.
1.4 Segregation of Duties
Segregation of Duties is an important security control which must be adhered to whenever the contractor participates in an applicable business process. Notably, it must be enforced when working on customer systems or solutions, or when accessing environments with customer data, as follows:
- Access to environments with customer data is subject to formal approval by the system owner(s). When applicable, approval from the customer must be secured upfront.
- Notification of access and approval of changes to customer production products and segregation requirements must be part of the product Software Development Life Cycle (SDLC) and include all customer requirements.
1.5 Policy Exemption
Any exemption to the control practices outlined in this Policy must be made in writing by the department manager to Vendavo Information Security and the stakeholder requesting the exception. Information Security will track the requests and any associated approvals in a central register.
2.0 Personnel Responsibilities
It is the responsibility of all contractors to perform the following:
- Comply with this Policy and any updates to this Policy provided to the contractor in writing.
- Be aware of and comply with the Acceptable Use of Technology Policy.
- Be aware of customer security, health and safety, and other policy requirements at customer locations or when handling customer data, as notified to the contractor where applicable.
- Participate in security education sessions as appropriate for his/her job function and as directed by the supervisor and/or manager.
- Conduct themselves in a manner consistent with the policies and standards outlined in this Policy.
2.1 Background Screening
Subject to applicable laws, Vendavo may require all contractors that are provided access to Vendavo’s systems to provide any requested information regarding background screening processes. The result of such background screening must be provided before establishing account access to Vendavo systems. The background check screening process, if applicable, must include criminal checks, verification of education, identity checks, and regulatory and employment history verification checks in accordance with or to the level allowed by local jurisdictions.
2.2 Facility Access Control and Usage of Company Badges
All Vendavo contractors must display a Vendavo-issued identification badge while in any Vendavo facility. Once granted, access cards, fobs, and/or keys must not be shared or loaned to others. Access cards, fobs, and/or keys that are no longer required must be immediately returned to the person responsible for the computing resources and/or the restricted facility. Cards must not be reallocated to other individuals, bypassing the return process. Lost or stolen access cards, fobs, and/or keys must be reported immediately to Vendavo Information Security by email at security@Vendavo.com, as well as to the contractor’s immediate manager and the local office manager or IT representative.
2.3 Information Security Awareness, Education and Training
Security and compliance are critical concerns for Vendavo and its customers, and its people play a vital role in ensuring that high standards are maintained. Consequently, all Vendavo contractors with Vendavo named user IDs are required to complete annual compliance training. Such training is a stated requirement for both ISO and SOC certifications, and maintaining up to date knowledge is essential for the continued improvement of Vendavo’s overall security and compliance posture. Failure to comply with requests to complete such training will be taken seriously, and may result in the suspension of system access, suspension of work orders, or termination.
3.0 Internet Security and Usage
Connections from Vendavo locations to the Internet are to be used for Vendavo sanctioned activities only, except as permitted under Vendavo’s Acceptable Use of Technology Policy. A copy of this document can be found in our Information Security Policy.
3.1 Individual Access
The Internet is a public network, and therefore Vendavo contractors must not transmit sensitive/confidential organizational information over the Internet unless it is encrypted to Information Security standards. If such data must be transmitted, it must be in an encrypted format which is decipherable only by the intended recipient, and only after it has reached a secure system that is isolated from the Internet by a secure firewall. Vendavo contractors must keep in mind that all messages transmitted over the Internet from Vendavo computing resources bear a company address and may be attributed to Vendavo. In addition, whenever a contractor sends electronic mail or other information from Vendavo computing resources over the Internet, the name of the individual and of Vendavo is included in each message. The individual is thus responsible for all electronic messages originating from their assigned account(s). Granting Internet access from a Vendavo computing resource to persons other than Vendavo employees is prohibited, unless the third party’s Internet connection is segregated from Vendavo’s network and approval is obtained from Information Security.
3.2 External Access
Connections from Vendavo to the Internet will prohibit all inbound remote logins (such as device management) to corporate computer resources unless made via one of the remote access solutions approved by both the Vendavo Information Technology and Information Security departments. All external remote access into a Vendavo computing resource requires the use of two-factor authentication, as well as approval of the design and account management process by Information Security. Any external access to or use of personal information must also be encrypted. Internet-accessible services must be segregated on separate devices within a DMZ or segregated network.
3.3 Password Management and User Authentication
Contractors are responsible for safeguarding their own access credentials and protecting them from unauthorized use. Passwords must not be stored in workstations unless they can be protected from unauthorized use and disclosure by a combination of approved access and encryption controls. Passwords can never be communicated to any staff, including management and Information Technology. When creating or modifying passwords related to Vendavo systems, contractors must follow the then current Vendavo Password Policy.
It is prohibited to disclose or share individual access credentials with others. Any unauthorized attempt to access Vendavo systems via another individual’s credentials is strictly prohibited.
Shared credentials may be used only to the extent they are necessary for a specific access; these will be provided solely through a credentials management system approved by Vendavo, and contractors are prohibited from recording them on devices which are not fully managed by Vendavo.
In case of suspected disclosure or loss of confidentiality of access credentials, contractors must change the affected password(s) immediately and notify Vendavo Information Security via email security@Vendavo.com without undue delay.
3.4 Protection Against Malicious Code (Anti-Virus)
Contractors must access Vendavo resources only from devices which are appropriately protected against malware. To the extent access will be obtained using a device that is not managed by Vendavo, industry-standard anti-malware software with daily updates must be installed and active. Disabling malicious software protection is prohibited. The Vendavo Information Technology department should be consulted in the event of any questions or potential non-compliance with this requirement.
3.5 Software Security Requirements
In the event that a contractor is using Vendavo-provided devices, Vendavo’s Acceptable Use of Technology Policy must be followed at all times. For usage of non-Vendavo equipment, contractors are fully responsible for the security and compliance of the software installed, including but not limited to avoiding malware, keeping the software up to date and patched, and using the software only according to the applicable licensing agreements.
3.6 Portable Computing Device Security Controls
In this Policy, “portable computing devices” refers to laptops, smartphones, tablets, iPads, and other similar devices. It does not include desktop workstations or server-class devices.
Contractors who need to access sensitive Vendavo information related to the development and operation of Vendavo SaaS products and/or customer solutions, including Vendavo source code and data or environments of Vendavo customers, must either have their portable devices configured according to Vendavo standards, including deployment of the remote management system and extended detection and response tooling, or must use a Vendavo-provided virtual desktop environment for that purpose.
Any use of non-managed portable computing devices, including contractor-provided laptops and BYODs, is strictly limited to non-sensitive coordination and communication purposes. Examples of permitted uses include scheduling meetings, setting reminders, and non-sensitive verbal or text communications with team members or management. Under no circumstances should these devices be used to access, store, or process Vendavo source code, internal documentation, or any other sensitive company information. For the sake of clarity, access to more sensitive information in Vendavo SaaS systems through a browser is allowed only when justified by the nature of the engagement.
3.7 Connectivity of Portable Devices
Connecting an unauthorized non-Vendavo managed personal computer device (e.g. desktop, laptop, wireless access point (WAP), iPad) directly to a Vendavo network is prohibited unless approved in advance by Vendavo Information Security.
3.8 Use of Imaging and Recording Devices
Imaging and recording devices (e.g. cameras, voice recorders, and video equipment) are prohibited unless they fulfil valid business and production needs and have prior approval by management and Legal. Failure to adhere to this policy is grounds for immediate termination.
The use of imaging and recording devices (including cell phone cameras) is always prohibited under the following conditions or situations, even if done without malicious or harmful intention:
- In areas where personal privacy is expected and inherent, such as locker rooms, restrooms, and other such areas.
- To covertly record or create a photo image of sensitive information, including customer information and trade secrets, for any purpose.
- To capture sensitive research, trade secrets, merger plans, stock information, etc., that may be written on whiteboards, flip charts, blackboards, or desktops.
- When such use constitutes a distraction from productivity or interferes with work.
3.9 Monitoring
Management reserves the right to monitor all Internet connections to determine access levels, information security, and appropriate use of those connections, subject to local laws. All contractors should be aware that Vendavo has software and systems in place that are capable of monitoring and recording all contractor activity to and from any Vendavo owned device contractors may use, or where the activity takes place on Vendavo systems and networks.
Monitoring is only carried out to the extent permitted or as required by law, and as necessary and justified for business purposes. Particularly, on termination of a contractor relationship for any reason, Vendavo reserves the right to conduct a forensic analysis of Vendavo-owned property (including, but not limited to, laptop computers) used by a contractor as it relates to Vendavo business and as such analysis is considered necessary and justifiable for business purposes or to protect a strategic business interest. Personal communications that are marked as such will not ordinarily be monitored or investigated, but it remains possible that these will be accessed inadvertently. Accordingly, no contractor should have any expectation of privacy as to his or her Internet or technology systems usage within Vendavo systems and should not use these systems for information they wish to keep private.
Vendavo reserves the right to retrieve the contents of messages or internet activity for the following purposes (this list is not exhaustive):
- To monitor whether the use of the email system or the internet is legitimate;
- To find lost messages or to retrieve messages lost due to computer failure;
- To assist in the investigation of wrongful acts; and
- To comply with any legal obligation.
3.10 Peer to Peer Sharing and Copyrighted Materials
The use of Vendavo-owned hardware, software, or network elements to acquire, receive, store, or transmit files containing unauthorized copyrighted work is prohibited. Departments must proactively limit the possibility of any such activity in a systematic fashion. Such activity has a negative impact on available bandwidth for the business. The active acquisition, receipt, storage, or transmission of the information contained in such files may violate various copyright laws. Since all the equipment elements are the property of Vendavo and not the individual, the only information that may be acquired, received, stored, or transmitted across them is business-related information.
4.0 Data Protection and Privacy of Personal Information
Electronic files created, sent, received, or stored on information resources owned, leased, administered or otherwise under the custody and control of Vendavo are not private, subject to local jurisdictions, and may be accessed by authorized Vendavo Information Security and Information Technology employees at any time without the knowledge of the information resource’s user or owner. To manage systems and enforce security, Vendavo may log, review, and otherwise utilize any information stored on or passing through its information systems. Vendavo management reserves the right to examine electronic mail, files on personal computers, smartphones, iPads, web browser cache files, web browser bookmarks, logs of websites visited, and other information stored on or passing through Vendavo computers, including equipment privately owned by Vendavo personnel if used to attach to and/or access Vendavo systems and networks. Such management access assures compliance with internal policies, assists with internal investigations, and assists with the management of Vendavo information systems. A wide variety of third parties have entrusted their information to Vendavo for business purposes, and all contractors at Vendavo must safeguard the privacy and security of this information. Access to confidential and sensitive data will be granted on a need-to-see basis, and contractors must maintain full confidentiality and use the data only for legitimate business purposes. Internal standards for protecting these data must be followed at all times, and contractors must never store these data outside of Vendavo systems. Users must not attempt to access any data or programs contained on Vendavo platforms for which they do not have authorization or explicit consent.
5.0 Security Incident Notification
Contractors acknowledge that they are responsible for identifying and promptly reporting any potential or confirmed security incidents related to Vendavo that they become aware of, regardless of whether these directly affect the contractor or the engagement. Security incidents include, but are not limited to, malicious software, unauthorized use of computer accounts and computer systems, unauthorized or otherwise unintended disclosure of Vendavo confidential information or documents to third parties, response to a phishing email, inadvertent disclosure of a password or credentials, and the loss of a Vendavo device or of a contractor device related to the engagement. All Information Security incidents must be reported without any delay to Vendavo Information Security via email at security@Vendavo.com and to the responsible manager.
6.0 Version and Change History
| Version | Date | Author(s) | Change |
|---|---|---|---|
| 1.0 | August 2019 | Vendavo Information Security | Information Security Policy, Release 8.1 |
| 1.1 | 2024/01/10 | Raquel Bermúdez Sánchez (Security & Compliance Project Manager) | Initial policy draft. |
| 1.2 | 2024/03/11 | Tomas Honzak (Chief Information Security Officer); Sian Story (General Counsel) | Reviewed initial policy draft. |
| 2.0 | 2024/03/21 | Raquel Bermúdez Sánchez (Security & Compliance Project Manager); Tomas Honzak (Chief Information Security Officer); Sian Story (General Counsel); Beth Colombo (Senior Legal Counsel) | Policy implementation and update of Legal MCA templates. |
| 2.1 | 2024/06/10 | Raquel Bermúdez Sánchez (Security & Compliance Project Manager) | Updated Infosec email in sections 2.2, 3.3, and 5.0 from infosec@Vendavo.com to security@Vendavo.com. |