Third party vendor review policy
Vihanti reviews vendor security practices before contracting, and on a regular basis, to ensure vendors properly handle Vihanti’s customer data, confidential data, and other data.
Scope
This policy only applies to vendors or contractors handling Vihanti’s or its customers’ data.
Schedule
Vendors’ security practices should be evaluated initially as part of their contract review and, for as long as the vendor remains in use, re-evaluated on an annual basis.
Contractors must read and acknowledge Vihanti’s security policies as part of their onboarding. Contractors must complete Vihanti’s information security training as part of their onboarding and thereafter, while still under contract, on an annual basis.
Vendor assessment
As part of vendor evaluation and contracting, vendors’ security practices should be reviewed to ensure they sufficiently protect Vihanti’s and its customers’ data.
The requirements for a vendor may vary based on the risk classification of the assets they handle (see the Information classification policy), such as sensitive data or access to production resources, and may change during a contract if the vendor’s scope or responsibilities change.
Vihanti will:
- Ask vendors for their SOC 2 type II or type I report for an overview of their current security practices. If a SOC 2 report does not exist or where insufficient information is provided, Vihanti will ask the vendor to complete the VSAQ.
- Review the vendor’s responses and compare these to Vihanti’s security policies to identify any gaps where the vendor may have weaker policies.
- For each notable gap, or where insufficient information is provided, Vihanti can: ask the vendor to make a change or provide additional information, implement a mitigating control, or accept the risk. The decision, and any mitigating control, should be documented in the risk register.
Vihanti will document vendor information to assist in the event of an incident. This information includes:
- Vendor name, i.e. which vendor?
- Vendor contact information, i.e. how do we contact the vendor? List separate contacts for billing, support, and/or security where they apply.
- Type of data shared, i.e. what types of data from Vihanti does the vendor collect or otherwise have access to?
- Terms of Service for services provided by the vendor
- Security report or questionnaire shared by the vendor