Eskohl Consulting (EC) is committed to securing its information assets by ensuring that all third-party vendors and service providers adhere to the highest security and compliance standards. This policy establishes a structured approach to evaluating, managing, and monitoring third-party risks.
The purpose of this policy is to outline security, compliance, and risk management expectations for all third parties that access, store, process, or transmit EC data. This policy applies to:
- Vendors, suppliers, and contractors who provide services to EC.
- Cloud service providers and SaaS solutions used in EC operations.
- Any third party with direct or indirect access to customer or corporate data.
- External partners handling personally identifiable information (PII).
Compliance with this policy is mandatory, and all third parties must adhere to these requirements before engagement and throughout the duration of their relationship with EC.
All third parties must undergo a risk assessment before onboarding. The assessment evaluates:
- The type of data accessed, processed, or stored.
- Security controls, including encryption, access controls, and network segmentation.
- Regulatory compliance (GDPR, CCPA, etc.).
EC reserves the right to reject or terminate vendor relationships if security risks exceed acceptable thresholds.
Risk assessments are conducted annually or after significant changes for all vendors.
All vendor agreements must include:
- Data Protection Clauses ensuring compliance with applicable regulations and standards.
- Right to Audit Clause allowing EC to assess security controls.
- Incident Notification Clause, requiring vendors to report data breaches within 24 hours.
Vendors must provide annual proof of compliance, including SOC 2 Type II reports, ISO 27001 certification, etc.
Vendors handling Confidential or Restricted data must implement:
- Encryption at rest and in transit (AES-256, TLS 1.3).
- Role-Based Access Control (RBAC) to enforce least privilege.
- Multi-Factor Authentication (MFA) for all access to EC systems.
Access to EC networks, databases, or applications is reviewed quarterly or after significant change and revoked when no longer required.
Third-party remote access is monitored, logged, and subject to review every six months.
Vendors must have an established Incident Response Plan (IRP) that aligns with EC’s response framework.
- Security incidents must be reported within 24 hours to the IT Compliance Team.
- Vendors must fully cooperate with forensic investigations and remediation efforts.
- A post-incident report must be submitted within five business days outlining the cause, impact, and mitigation measures.
EC reserves the right to audit third-party vendors annually or at any time in response to security concerns.
- Vendors with physical or logical access to sensitive systems may be subject to penetration testing and security assessments.
- High-risk vendors undergo continuous monitoring through security logs, SIEM alerts, and compliance reports.
Upon contract termination, vendors must:
- Securely delete or return all EC data within five business days.
- Revoke all access credentials to EC systems.
- Provide written confirmation of data destruction, aligned with NIST 800-88 guidelines.
Offboarding procedures are verified within 30 days of contract termination.
- CEO (Sharaden Cole): Provides executive oversight and ensures alignment with business objectives.
- IT Compliance Team: Conducts risk assessments, vendor audits, and ensures security compliance.
- Procurement Team: Ensures security clauses are included in contracts.
- Third-Party Vendors: Comply with all EC security policies and regulatory requirements.
This policy ensures adherence to:
- GDPR & CCPA: Protection of customer personal data.
- NIST 800-88: Media Sanitization.
This policy is reviewed annually or when significant regulatory or operational changes occur.
Audit logs and vendor risk reports are maintained for at least three years.
Non-compliance with this policy may result in contract termination or legal penalties. Vendors failing to meet security standards may be subject to suspension or remediation plans.
Approved By: Sharaden Cole, CEO
Effective Date: 1/25/2025
Last Reviewed: 1/25/2025