Third-party Management Policy

Updated: 2024-02-10



1. General clauses

1.1. The Third-party Management policy (hereinafter referred to as “the policy”) governs the minimum security requirements of the Everwest group of companies necessary to work with third-party IT service providers. Third-party control involves assessing and managing the risks associated with engaging external parties, such as suppliers, vendors, contractors, and service providers. These external parties may have access to sensitive information, systems, or infrastructure, making them potential sources of security vulnerabilities or breaches.

1.2. The policy objective is to establish requirements for the management of third parties, taking into account the Lithuanian standard LST ISO/IEC 27001:2022 information technologies. Security methods. Information security management systems. Requirements and ensure appropriate access to information resources by third parties while maintaining an adequate level of information security.

2. Management of third parties

2.1. Third-party IT service providers may access Everwest Group information systems (here in after referred to as) only:

3. Unique login ID requirements

3.1. The ID must be created in the format or, such as Sekasoft, Vardenis. Pavardenis.

3.2. If a third-party IT service provider needs to connect to Everwest Enterprise Group’s internal servers through a Terminal Server  using Remote Desktop Protocol, then, after the connection, the provider can only access the Desktop Server screen, all other server functionality and resources being disable and technically blocked.

4. Final clauses.

4.1. Policy management is an integral part of the Everwest Group’s information security policy, administered by the employee responsible for information security management

4.2. The policy should be reviewed at least annually or more frequently if significant changes are observed in the Everwest Group’s risk management system.

4.3. Employees must comply with all the provisions of this policy. Violations may result in disciplinary action, including disabling access to the device.