The organization establishes third-party contracts to align interests, enforce location restrictions on information processing and storage, and protect systems and data. The program involves regular identification, review, and documentation of confidentiality agreements, non-disclosure agreements (NDAs), and other contracts, as well as the definition of personnel security requirements, roles, and responsibilities for third-party providers.
The organization has implemented a third-party management policy that outlines the processes for identifying, addressing, monitoring, and reporting risks associated with collaborations involving third-party organizations.
A comprehensive program for managing third-party service providers is in place, ensuring vendors meet the organization’s cybersecurity and privacy requirements. This includes conducting due diligence procedures, establishing contractual provisions, and implementing ongoing monitoring and oversight to ensure compliance with security standards and privacy policies.
The organization conducts third-party risk assessments to evaluate and manage risks associated with engaging third-party vendors or suppliers. This includes a review of the compliance reports of critical suppliers on an annual basis to identify and address shared roles and responsibilities.