CBM-PLAN-0044 - CyberMyte Supplier Policies and Procedures
🗒️Overview
Authors
Yvonne D Rivera

Date | Document Version | Notes
--- | --- | ---
March 3, 2022 | 1.0 | Initial
July 31, 2023 | 1.1 | Updated the "Remote Access to Information Systems" section
September 29, 2023 | 1.2 | Updated the supplier responsibilities and performance measures
January 26, 2024 | 1.3 | Added the Supplier Research section to this policy.
December 2, 2024 | 1.4 | I moved to Odoo and updated grammar throughout.
Purpose:
CyberMyte uses many suppliers who provide services and goods, including outsourced services, contract employees, and vendors. Effectively managing these suppliers is essential to ensuring the security of CyberMyte's information. This policy describes control requirements for suppliers and criteria for determining supplier risk to information security. It also defines the procedures used to evaluate and monitor our suppliers.
Scope:
This procedure applies to all suppliers that provide products or services affecting the quality of CyberMyte's products or services, and to all CyberMyte suppliers who may contact, process, access, hold, or transmit protected information. Both new and existing suppliers within this scope are required to comply with this policy. Existing suppliers will be assessed on a prioritized basis, dealing with the most critical first and ultimately completing an assessment of all suppliers; new suppliers must comply with the terms of this policy before engagement. Vendors, subcontractors, and 1099 contractors are within the scope of this policy.
📝 Policies
It is CyberMyte's policy that this policy is known and understood so that practical risk assessment and mitigation can take place. Therefore, all suppliers will undergo assessment using the approved Supplier Information Security Questionnaire. Suppliers will be informed of the existing CyberMyte security policies and procedures applicable to their services. Regardless of the specific access privileges that may be assigned, all suppliers must comply with the requirements of the Information Classification Policy and the Information Labeling and Handling Policy found in the IMS Plan.
📝 Procedures
Supplier Research
When there is a need for a supplier, service, or product, we do extensive research before making any purchase to ensure we find what we need in terms of features or services. The criteria for proceeding to evaluation are:
- Supplier/Service
- All suppliers are interviewed by phone or video before signing or agreeing to work together.
- Suppliers must provide a proposal with a monthly or by-project pricing plan.
- Public internet research on interviewed suppliers, including:
- Reviews
- Feedback
- Social Media
- After completing research, suppliers must be evaluated before being onboarded into Gusto as suppliers or service providers.
- Product
- Research open-source solutions (OSS) for all products.
- Verify that OSS projects are not abandoned by confirming they have been updated within the last year.
- Licensed software will be researched before purchase.
- Contact with a sales representative is required to ensure we get the lowest possible purchase price.
- Quotes must be provided before purchase, and only after supplier evaluation.
Supplier Evaluation
Before purchasing any products or services, suppliers must be evaluated using the Supplier Qualification Form to determine the supplier's ability to meet requirements. CyberMyte evaluates the information provided, including any audits conducted, and, based on the type of supplier, qualification status, and type of product/service provided, assigns one of the following classifications to the supplier:
- Does Not Apply—The Supplier does not provide products and services directly impacting the quality of CyberMyte's products/services.
- Approved—Products/Services may be purchased from this supplier.
- Provisional—Products/Services may be purchased from this supplier. This classification is for suppliers whose performance needs improvement and to whom Corrective Actions have been issued.
- Not Approved—Products/Services may not be purchased from this supplier.
Supplier Responsibilities
- Answer the Supplier Information Security Questionnaire truthfully and accurately.
- Participate in a reassessment after a significant change to your product/service, or every two years.
- Complete a new Supplier Information Security Questionnaire if the current responses have been invalidated by the change or by the passage of two years.
CyberMyte employees may complete the qualification form on behalf of a supplier that does not complete it on its own.
Ongoing Supplier Performance Monitoring
Performance Measure | Description
--- | ---
Availability | Suppliers are monitored on their availability to CyberMyte or CyMyCloud. This is especially critical for SaaS solutions and services that provide customer support. We track how many outages the supplier has.
Cost | Suppliers' costs are evaluated, including whether they continue to rise. Are there cheaper solutions? Is it an open-source product? All open-source suppliers are given a 5 for cost. The more expensive the supplier, the higher the cost evaluation.
Security Issues | Are there any known security issues with the supplier? Did we find flaws? Are they industry-compliant?
Responsiveness | Suppliers should be responsive to questions, concerns, and comments; whether we succeed or fail in communicating with them is monitored. This also covers customer support response time and completion time.
Quality of Service | Is the product/service of good quality, as determined by the CyberMyte employee using it? Are we happy with the supplier overall? Are we getting what we want from the supplier?
Suppliers who fail to meet one or more performance measures and do not implement practical corrective actions may be downgraded to Provisional or Not Approved status. CyberMyte is responsible for compiling and maintaining a list of suppliers and their current status.
Existing Suppliers
Existing suppliers are classified as Approved if their performance is satisfactory, and as Provisional if they are assessed as needing improvement.
📝 Information Security Procedures
Remote Access to Information Systems
To access CyberMyte resources, you must fill out an Account Request Form; a separate form must be submitted for each individual. After you have signed the CyberMyte Acceptable Use Policy, you will receive the credentials to access our resources. When a supplier account needs to be terminated, the supplier must submit another Account Request Form within one (1) day.
Protecting Information
We take the security and protection of our company information very seriously. As a supplier, you must show us that you do the same, in part by confirming that you have security measures in place to protect our Company's information. Specifically, we look for the following:
- Your product prevents unauthorized access to CyberMyte information.
- You reduce the risk of misuse of CyberMyte's systems or information.
- You can detect security breaches and enable quick incident handling to protect against access to CyberMyte's information.
Data Encryption
Your product must use encryption compliant with Federal Information Processing Standard (FIPS) 140-3. Encryption is imperative for protecting information transmitted to a removable device or over the public internet.
Access Control
Account Management
Limit access to CyberMyte information to authorized individuals using the principle of "least privilege." Sharing credentials is not permitted. Every member of the supplier's team must have their own username and password.
Password Management
You will need to change your password for our system upon your initial login. Passwords are encrypted at rest, and password verification is performed only over encrypted channels. You must immediately revoke a password if you suspect unauthorized access to a user account. Passwords are managed as follows:
- Each user account is associated with only one password.
- Users may create and change their passwords.
- Password complexity is enforced automatically.
- Passwords are required to be reset immediately upon the first login.
- The systems implement periodic password changes.
- Reuse of previous passwords is automatically prevented.
- Passwords do not display on the screen during entry.
- Passwords are only entered over encrypted links.
Login procedures on all business applications and customer-facing applications are implemented as follows:
- No help messages are available that would aid in an unauthorized login attempt.
- Log-in information is validated only on completion of all login inputs.
- The user is locked out after a set number of unsuccessful login attempts.
- Passwords are not displayed during entry (unless the user enables “display password”).
- Passwords are not transmitted in clear text.
- Inactive or uncompleted login attempts, and inactive sessions, are terminated after 5 minutes of inactivity.
- Logs for network access are maintained for at least a year.
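The login controls listed above, shown as an added example that is not part of the CyberMyte policy or any CyberMyte system: a single generic failure message (no help for unauthorized attempts), validation only once both inputs are present, lockout after a set number of failures, a 5-minute idle timeout, and an access log. The lockout threshold of 5 attempts and all names are assumptions.

```python
import hashlib
import hmac
import os
MAX_FAILED_ATTEMPTS = 5         # the policy's "set number" is not given; assumed
IDLE_TIMEOUT = 5 * 60           # seconds: 5 minutes of inactivity, per the policy
GENERIC_ERROR = "Login failed"  # one message for every failure, so no hints leak

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: passwords are never stored or compared in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self) -> None:
        self.accounts = {}  # user -> {"salt", "hash", "failed", "locked"}
        self.sessions = {}  # token -> {"user", "last_active"}
        self.audit = []     # network-access log lines; policy retains >= 1 year

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": hash_password(password, salt),
                               "failed": 0, "locked": False}

    def login(self, user: str, password: str, now: float):
        """Return (token, error). Validation runs only once both inputs are in;
        unknown user, wrong password and locked account all give GENERIC_ERROR."""
        acct = self.accounts.get(user)
        ok = False
        if acct is not None and not acct["locked"]:
            ok = hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"]))
        if not ok:
            if acct is not None and not acct["locked"]:
                acct["failed"] += 1
                acct["locked"] = acct["failed"] >= MAX_FAILED_ATTEMPTS
            self.audit.append(f"{now:.0f} FAIL user={user!r}")
            return None, GENERIC_ERROR
        acct["failed"] = 0
        token = os.urandom(16).hex()
        self.sessions[token] = {"user": user, "last_active": now}
        self.audit.append(f"{now:.0f} OK user={user!r}")
        return token, None

    def touch(self, token: str, now: float) -> bool:
        """Refresh a session, or terminate it and return False after 5 idle minutes."""
        sess = self.sessions.get(token)
        if sess is None or now - sess["last_active"] > IDLE_TIMEOUT:
            self.sessions.pop(token, None)
            return False
        sess["last_active"] = now
        return True
```

The audit list stands in for the network-access log the policy requires; a real deployment would write those lines to retained storage rather than memory.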
Physical Security
Depending on the type of services you provide, one of the following controls will be required:
General
You must exercise due diligence in protecting CyberMyte's information by physically securing it against unauthorized access, including, but not limited to, appropriate physical safeguards such as electronic ID card access to any areas housing the supplier's information system(s).
Suppliers of a Hosting facility
Hosting facilities must meet the standards defined in ISO/IEC 27001 or equivalent industry standards agreed in writing following a security risk assessment undertaken by CyberMyte or an independent third party.
CyberMyte's information that is processed, accessed, held, or transmitted by you will be physically stored with the following security controls:
- You have an authorized access control list requiring a photo ID check to access your facility or data floor;
- Biometric, key card, and mantrap access leading to your facility or data floor are monitored;
- You provide locked server cabinets;
- There is 24x7 indoor and outdoor surveillance camera monitoring, with video being saved for at least 30 days;
- There is a 24x7 physical intrusion monitoring alarm system;
- There are no windows present on the data floor.
Malicious Code
You must exercise due diligence to detect, prevent, mitigate, and protect against the introduction of unauthorized code into your information systems in real time.
Network Security
To ensure that your network is secure, follow these high-level guidelines:
- Your network perimeter is protected by a firewall solution, including port, protocol, and IP address restrictions that limit inbound/outbound protocols to the minimum required and ensure all inbound traffic is routed to specific and authorized destinations;
- Monitor TCP communications at the packet level to distinguish legitimate packets for different types of connections, and reject packets that do not match a known connection state (stateful inspection);
- Make sure you have redundant connections in place to ensure there are no single points of failure;
- Monitor network packets to identify and alert upon or prevent known patterns that are associated with security vulnerabilities or denial of service;
- Maintain and enforce security procedures in operating the network;
- Maintain and implement operational and security procedures that prevent the provision of network connectivity to third parties;
- Maintain perimeter management controls to ensure that perimeter systems are configured to be resistant to resource exhaustion (denial of service attacks);
- Keep CyberMyte's information logically separated from all others.
Information Security Incident Management
You must have procedures for managing suspected and actual security events, incidents, and cybercrime attacks, and must provide customers with the full details of any incident management procedure upon request.
What to do if there is an incident:
- Email us at incident@cybermyte.io about the incident.
- Do so within six (6) hours of identifying an actual or potential security breach involving the organization's protected information or information systems.
- Provide us with information on the cause of the breach/incident and, if it was due to the fault of the supplier, reimburse CyberMyte for all reasonable costs we may incur in connection with remediation efforts, including expenses incurred in connection with:
- The development and delivery of legal notices as required by applicable laws, and as reasonably directed by the organization where not required by applicable laws;
- The establishment of toll-free telephone numbers where affected persons may receive information relating to the data breach/incident;
- The provision of credit monitoring/repair and identity restoration for affected persons for one (1) year following the announcement or disclosure of the breach/incident or following notice to the affected persons, whichever is later, or such more extended period as required by applicable laws
- Resolve any breach/incident resulting from unauthorized access, including identification of disclosure, alteration, or loss of our protected information.
- Within five (5) days of a compromise, provide us with a root cause analysis and written notice, with confirmed receipt, of the unauthorized access or modification. The notification should summarize the impact of the unauthorized access or modification on CyberMyte.
- Remediate any breach/incident within fourteen (14) days of the compromise.
- If you cannot remediate the breach/incident within fourteen (14) days, you must submit a remediation plan and obtain our written consent to it within seven (7) days of the breach/incident.