Third Party Management Policy

The ComponentSource Group (referred to as "ComponentSource", "we", "us", "our") is made up of numerous individual companies, consisting of:

  • ComponentSource Holding Corporation, Atlanta, USA;
  • ComponentSource, Inc., Atlanta, USA;
  • ComponentSource Limited, United Kingdom;
  • ComponentSource Software Europe Limited, Republic of Ireland and The Netherlands;
  • ComponentSource KK, Japan

Purpose

To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

This document outlines a baseline of security controls that ComponentSource expects partners and other third-party companies to meet when interacting with ComponentSource Confidential data.

Scope

All data and information systems owned or used by ComponentSource that are business critical and/or process, store, or transmit Confidential data. This policy applies to all employees of ComponentSource and to all external parties, including but not limited to ComponentSource consultants, contractors, business partners, vendors, suppliers, partners, outsourced service providers, and other third-party entities with access to ComponentSource data, systems, networks, or system resources.

General Requirements

  1. Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
  2. For all service providers who may access ComponentSource Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities. Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by ComponentSource as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR or other frameworks, compliance standards, or regulations.

Addressing Security in Agreements

  1. Relevant information security requirements shall be established and agreed upon with each supplier that may access, process, store, transmit, or impact the security of Confidential data and systems, or provide physical or virtual IT infrastructure components for ComponentSource.
  2. For all service providers who may access ComponentSource production systems, or who may impact the security of the ComponentSource production environment, written agreements shall be maintained that include the service provider's acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that ComponentSource has established in accordance with ComponentSource's information security program or any relevant framework.

Technology Supply Chain

ComponentSource will consider and assess risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.

Monitoring & Review of Third-party Services

ComponentSource shall regularly monitor and review supplier service delivery. Supplier security and service delivery performance shall be reviewed at least annually.

Management of Changes to Third-party Services

Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures, or controls, shall be managed, taking account of the criticality of the business information, systems, and processes involved. ComponentSource shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.

Third-party risk management

  1. ComponentSource will ensure that potential risks posed by sharing Confidential data or providing access to company systems are identified, documented and addressed according to this policy. Risk management plays an integral part in the governance and management of the organization at a strategic and operational level. The purpose of a partner and third- party security policy is to ensure that partnerships and services achieve their business plan aims and objectives, and are consistent with ComponentSource's requirements for information security.

Information Security for Use of Cloud Services

This section outlines the fundamental parameters for managing and mitigating risks related to cloud service usage.

  1. Responsibilities and Risk Management
    1. Roles and responsibilities related to the use and management of cloud services can be found in the Roles and Responsibilities Policy.
    2. Information security risks associated with cloud services use shall be managed in accordance with this policy and the Risk Management Policy.
  2. Security Requirements and Control
    The company shall be responsible for all customer controls as defined in cloud service providers' responsibility matrices.
  3. Service Selection and Usage Scope
    Reviews of cloud service agreements for inherently high risk providers shall be performed annually to ensure they align with company requirements.
  4. Incident Management
    Information security incidents related to cloud services managed in accordance with the Incident Response Plan.
  5. Service Review and Exit Strategy
    Risks related to exit and vendor lock-in should be evaluated prior to the acquisition as part of the vendor security assessment.
  6. Provider and Customer Agreement
    1. Agreements with cloud service providers will specify protections for ComponentSource's data and service availability, even though they might be predefined and non-negotiable.
    2. Where possible, ComponentSource will seek advance notification from providers concerning substantive changes in service delivery, including changes in technical infrastructure, data storage location, or usage of sub-contractors.
  7. Ongoing Management and Assurance
    Information regarding how to obtain and utilize information security capabilities provided by the cloud service provider should be assessed as part of the vendor review at time of acquisition.
  8. Third-party Security Standards
    1. All third-parties must maintain reasonable organizational and technical controls as assessed by ComponentSource.
    2. Assessment of third-parties which receive, process, or store Confidential data or access ComponentSource's resources shall consider the following controls as applicable based on the service provided and the sensitivity of data stored, processed or exchanged.
  9. Information Security Policy
    Third-parties maintain information security policies supported by their executive management, which are regularly reviewed.
  10. Risk Assessment & Treatment
    Third-parties maintain programs that assess, evaluate, and manage information and technology risks.
  11. Operations Security
    Third-parties implement commercially reasonable practices and procedures designed, as appropriate, to maintain operations security. Protections may include:
    • Technical testing
    • Protection against malicious software
    • Network protection and management
    • Technical vulnerability management
    • Logging and monitoring
    • Incident response
    • Business continuity planning
  12. Access Control
    Third-parties maintain a technical access control program.
  13. Secure System Development
    Third-parties maintain a secure development program consistent with industry software and systems development best practices including risk assessment, formal change management, code standards, code review and testing.
  14. Physical & Environmental Security
    If third-parties are storing or processing confidential data, their physical and environmental security controls should meet the requirements of the ComponentSource CIO.
  15. Human Resources
    Third-parties maintain human resource policies and processes which may include criminal background checks for any employees or contractors who access ComponentSource confidential information.
  16. Compliance & Legal
    ComponentSource shall consider all applicable regulations and laws when evaluating suppliers and third parties who will access, store, process or transmit ComponentSource confidential data. Third-party assessments should consider the following criteria:
    • Protection of customer data, organizational records, and records retention and disposition
    • Privacy of Personally Identifiable Information (PII)

Exceptions

Requests for an exception to this Policy must be submitted to dpm@componentsource.com for approval.

Violations & Enforcement

Any known violations of this policy should be reported to group-compliance@componentsource.com. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

CSTPMP 11/2024