CBM-PLAN-0044 - CyberMyte Supplier Policies and Procedures
PUBLIC
Summary
This policy outlines the lifecycle of CyberMyte supplier engagement—from research and onboarding to continuous monitoring and breach remediation. It includes mandatory security requirements for vendors, subcontractors, contractors (1099), and service providers.
Purpose
To define the expectations, controls, and security requirements that CyberMyte imposes on all suppliers, minimizing risks to systems, data, and operations. This includes how suppliers are selected, evaluated, onboarded, and monitored through the Odoo Supplier Management workflow.
Scope
Applies to all suppliers, service providers, and third-party partners who:
- Provide goods or services impacting product/service quality
- Access, process, or transmit sensitive CyberMyte data
- Have logical or physical access to CyberMyte systems
- Provide SaaS or managed services integrated with CyMyCloud
Supplier Lifecycle Procedures
1. Supplier Research
CyberMyte conducts the following research before supplier onboarding:
- Interview via video or phone call
- Proposal Review – must include itemized pricing and engagement terms
- Public Analysis – search reviews, social media presence, and complaint history
- OSS Preference – open-source solutions are prioritized when actively maintained
- Sales Quote Validation – for licensed software, negotiate through sales reps
- All research is logged in Odoo Supplier Records and must be completed before entry into Gusto or procurement systems.
2. Supplier Evaluation
Suppliers must complete the CyberMyte Supplier Qualification Form before contract execution. Based on the evaluation, suppliers are classified as:
| Classification | Description |
| --- | --- |
| Approved | May be used freely for goods/services |
| Provisional | Can be used with corrective actions in place |
| Not Approved | Cannot be used |
| Does Not Apply | No impact on CyberMyte deliverables or data |
3. Supplier Responsibilities
- Complete the Supplier Information Security Questionnaire truthfully
- Undergo biennial reassessment, or earlier if a significant product/service change occurs
- Notify CyberMyte of invalidated information or considerable security incidents
Ongoing Supplier Performance Monitoring
CyberMyte uses Odoo to monitor and rate suppliers quarterly across:
| Metric | Description |
| --- | --- |
| Availability | Outage frequency, SLA adherence (esp. for SaaS) |
| Cost | Cost increases, OSS alternatives, pricing stability |
| Security | Any known vulnerabilities, past security incidents |
| Responsiveness | Customer support speed and quality |
| Quality | Product/service quality as judged by internal users |
Information Security Requirements for Suppliers
A. Remote Access
- Must submit an Account Request Form per user
- A CyberMyte AUP must be signed before account provisioning
- Termination requests must be submitted within one business day of separation
B. Data Protection
Suppliers must:
- Prevent unauthorized access to CyberMyte systems/data
- Detect and report breaches quickly
- Use FIPS 140-2 or 140-3 compliant encryption
- Follow least privilege access control and enforce unique credentials
C. Password Management
- Passwords must be encrypted, rotated, and never reused
Login systems must:
- Lock after failed attempts
- Terminate after 5 minutes of inactivity
- Prohibit password transmission in plaintext
- Maintain 1-year audit logs
D. Physical Security (Hosting/Facility Suppliers)
Suppliers must meet the following standards:
- Facility access requires photo ID, keycard, or biometrics
- Mantrap entrance controls, locked server cabinets
- 24/7 camera monitoring (retention ≥ 30 days)
- ISO 27001-equivalent certification
- No data on removable media without security controls
E. Malicious Code & Network Security
- Detect and mitigate unauthorized code
- Enforce perimeter security, firewall segmentation, DoS protection
- Maintain logical separation of CyberMyte data
- Maintain procedures to prevent third-party backchannel access
Incident Management Requirements
If an incident involves CyberMyte data, the supplier must:
- Report within 6 hours to security@cybermyte.io
- Include root cause and affected data scope
- Submit a remediation plan within 7 days if unable to resolve within 14
- Provide a complete written RCA within five business days
If the supplier is at fault, it must reimburse CyberMyte for:
- Notification, toll-free hotline, identity monitoring, and legal expenses
Odoo Integration
- Supplier onboarding and evaluations are conducted through Odoo Supplier Records
- All questionnaires, performance reviews, incidents, and re-evaluations are attached to each supplier profile
- Quarterly reviews are part of the Supplier Compliance Dashboard
Related Policies
This plan references the following:
- CBM-PLAN-0001 – Access Control Plan
- CBM-PLAN-0002 – Personnel Security and Awareness Training
- CBM-PLAN-0005 – Audit and Accountability Plan
- CBM-PLAN-0010 – Maintenance Plan
- CBM-PLAN-0035 – Record Control Plan
- CBM-PLAN-0056 – Risk Assessment Plan
- CBM-PLAN-0038 – Incident Response Plan
Enforcement
Non-compliance with this policy may result in:
- Immediate revocation of system access
- Downgrade to Provisional or Not Approved status
- Contract suspension or termination
- Civil or criminal penalties for data mishandling
Version History
| Date | Document Version | Notes |
| --- | --- | --- |
| July 22, 2025 | 2.0 | Fully updated to reflect current supplier lifecycle, compliance requirements, and communication via Odoo |
| December 2, 2024 | 1.4 | I moved to Odoo and updated grammar throughout. |
| January 26, 2024 | 1.3 | Added the Supplier Research section to this policy. |
| September 29, 2023 | 1.2 | Updated the supplier responsibilities and performance measures |
| July 31, 2023 | 1.1 | Updated the "Remote Access to Information Systems" section. |
| March 3, 2022 | 1.0 | Initial |