Third Party Supplier Policy

Purpose and Scope

This policy outlines RSO Consulting’s approach to managing relationships with third-party suppliers, ensuring that suppliers meet our security, compliance, and operational standards. It applies to all vendors, contractors, and service providers who handle company data or participate in business-critical activities.

Supplier Evaluation and Due Diligence

Before engagement, all suppliers undergo a risk assessment to evaluate their ability to meet RSO Consulting’s security, compliance, and operational requirements. Key factors include:

  • Security certifications (e.g., SOC, ISO 27001) and compliance standards (e.g., GDPR, CCPA).
  • Financial stability and reputation.
  • Data protection and privacy measures.
  • Business continuity and disaster recovery plans.

Contractual Requirements

All third-party agreements must include:

  • Confidentiality and Data Protection: Clauses requiring suppliers to protect RSO Consulting data in alignment with our privacy and security standards.
  • Compliance Obligations: Specifications that suppliers must comply with relevant laws, regulations, and industry standards.
  • Audit Rights: Allowing RSO Consulting to audit the supplier’s security and compliance practices if necessary.

Ongoing Monitoring and Review

RSO Consulting periodically reviews third-party suppliers to ensure continued compliance with our standards:

  • Annual Reviews: Suppliers handling sensitive data or critical operations are reassessed annually to verify adherence to security and compliance requirements.
  • Performance Tracking: Continuous monitoring of supplier performance and incident response capabilities.
  • Risk Reassessment: Any significant change in the supplier’s operations, such as mergers or service expansions, triggers a risk reassessment.

Incident Management and Reporting

Suppliers are required to report any security incidents, breaches, or data loss events that may impact RSO Consulting’s data or services within a specified timeframe. RSO Consulting works with suppliers to address and remediate incidents swiftly.

Termination and Offboarding

Upon termination of the supplier relationship, RSO Consulting ensures:

  • Data Retrieval: All RSO Consulting data is securely returned or deleted in accordance with the data retention policies.
  • Access Revocation: Supplier access to RSO Consulting’s systems and data is promptly revoked.

Policy Review and Updates

The Third Party Supplier Policy is reviewed annually and updated as necessary to ensure alignment with RSO Consulting’s business needs and evolving regulatory standards.