Third-Party Risk Management Policy

Policy owner: @ZJvandeWeg
Effective date: 2023-06-01

Purpose

To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

Scope

All data and information systems owned or used by FlowFuse that are business critical and/or process, store, or transmit data classified as Confidential or Critical.

Policy

A list of approved vendors/partners must be maintained and reviewed annually. This list will be linked from the Vendor section of the handbook.

Approval from management must be in place before onboarding any new vendor or contractor that impacts FlowFuse production systems. Additionally, all changes to existing contract agreements must be reviewed and approved before implementation.

For any technology solution that needs to be integrated with the FlowFuse production environment or operations, a review should be held to understand and approve the risk. Periodic compliance assessment and SLA review may be required.

FlowFuse Customers or Partners should not be allowed access outside of their own environment, meaning they cannot access, modify, or delete any data belonging to other third parties.

Additional vendor agreements should be obtained as required by applicable regulatory compliance requirements.

Exceptions

Requests for an exception to this policy must be submitted via email to the CEO or CTO for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the CEO or CTO. Violations of this policy can result in immediate withdrawal or suspension of system access and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Policy derived from JupiterOne/security-policy-templates (CC BY-SA 4 license) and Vanta