Third-party Management Policy
Updated: 2024-02-10
Content:
- 1. General clauses.
- 2. Management of third parties.
- 3. Unique login ID requirements.
- 4. Final clauses
1. General clauses
1.1. The Third-party Management policy (hereinafter referred to as “the policy”) governs the minimum security requirements of the Everwest group of companies necessary to work with third-party IT service providers. Third-party control involves assessing and managing the risks associated with engaging external parties, such as suppliers, vendors, contractors, and service providers. These external parties may have access to sensitive information, systems, or infrastructure, making them potential sources of security vulnerabilities or breaches.
1.2. The policy objective is to establish requirements for the management of third parties, taking into account the Lithuanian standard LST ISO/IEC 27001:2022 “Information technologies. Security methods. Information security management systems. Requirements”, and to ensure appropriate access to information resources by third parties while maintaining an adequate level of information security.
2. Management of third parties
2.1. Third-party IT service providers may access Everwest Group information systems (hereinafter referred to as “IS”) only:
- By signing a service contract and a confidentiality agreement, including the responsibility of both parties for the work of the IS, the data and their modification;
- Third-party IT service providers are responsible for all actions and consequences resulting from access granted to them to the Everwest Group IS and other IT resources;
- Third-party IT service providers are responsible for preventing unauthorized users from accessing the IS and other IT resources;
- Third-party IT service providers are responsible for equipping the workstations from which they initiate virtual private network (“VPN”) access to Everwest Group IS and other IT resources with an antivirus program with an up-to-date virus database, a firewall, and secure protocols and/or passwords. The Everwest Group of undertakings shall ensure that personal data contained in portable computers, if used outside the internal data network of the controller, are protected by safeguards appropriate to the risks posed by the processing, such as encryption of portable computers and other necessary means;
- By signing a VPN access agreement whereby the Everwest Group of companies transmits a VPN software link with configuration and a unique login identifier (“ID”) to the third-party IT service provider. The password is sent to the recipient by an alternative means.
3. Unique login ID requirements
3.1. The ID must be created in the format or, such as Sekasoft, Vardenis. Pavardenis.
3.2. If a third-party IT service provider needs to connect to Everwest Enterprise Group’s internal servers through a Terminal Server using Remote Desktop Protocol, then, after the connection, the provider can only access the Desktop Server screen; all other server functionality and resources are disabled and technically blocked.
4. Final clauses.
4.1. Policy management is an integral part of the Everwest Group’s information security policy, administered by the employee responsible for information security management.
4.2. The policy should be reviewed at least annually or more frequently if significant changes are observed in the Everwest Group’s risk management system.
4.3. Employees must comply with all the provisions of this policy. Violations may result in disciplinary action, including disabling access to the device.