The purpose of this policy document is to set out the minimum information security requirements expected of third parties who intend to carry out any work for or on behalf of Darling Solutions Ltd. The overall objective is to maintain confidentiality, integrity, availability and privacy of Darling Solutions Ltd information in order to protect information assets for business, contractual, regulatory and legal reasons.
1.1.1 The scope of this standard includes any third party that will have access to Darling Solutions Ltd information either on-site or through remote access. This policy also applies to all temporary staff and third parties employed directly and indirectly by the subcontractors.
1.1.2 Any data that can be classified as Personal Data must be processed in compliance with the Data Protection Act 1998 and Darling Solutions data protection and information security policies.
1.2. Ownership and Responsibilities
1.2.1 This policy is owned and maintained by Darling Solutions Ltd and can be amended with or without notice from time to time at Darling Solutions Ltd’s discretion. Third parties will not be expected to comply with any changes to this document until they have been provided with such changes in writing and a reasonable period (not to exceed 120 days) to comply with such changes. This policy will be comprehensively reviewed by Darling Solutions Ltd and updated at least once a year.
1.2.2 Any queries or feedback related to this policy should be directed to firstname.lastname@example.org.
1.3. Information Security Assessments
1.3.1 Third parties who fall within the above scope may be subject to compliance review against this Policy and will be required to complete an assessment form. A review will be undertaken to highlight potential risks and Third Parties will be required to mitigate those risks before commencing any works.
2. Information Security Policy
2.1 The Third Party shall at all times maintain a management approved corporate Information Security Policy defining responsibilities and setting out the Third Party’s approach to information security. The Information Security Policies should follow Information Security programs that are based on the ISO 27001 or other similar frameworks e.g. PCI DSS, NIST etc.
2.2 The Third Party shall agree to provide Darling Solutions Ltd with copies of their security policies on request and evidence of compliance with any of the standards demonstrated by the Third Party e.g. ISO 27001, CSTAR, PCI DSS etc.
2.3 The Third Party shall at all times maintain the above-mentioned framework along with policies covering all requirements set out in this Policy document and industry best practice. All security policies must be communicated to all staff responsible for handling Darling Solutions Ltd information.
2.4 A dedicated Information Security role should be defined and assigned to an individual in the company and these details communicated to Darling Solutions Ltd. This individual will act as the primary contact for all Information Security matters.
3. Processes and Procedures
3.1 All processes for managing the security of Darling Solutions Ltd must be assessed on an annual basis and communicated to Darling Solutions Ltd if any changes are made. The Third Party shall not process or otherwise make use of Darling Solutions Ltd information or access the System for any purpose other than that which is directly required for the supply of agreed Services.
3.2 The Third Party shall only perform such Services in accordance with the contract and shall not dispose of any Darling Solutions Ltd information without the prior written approval from Darling Solutions Ltd.
3.3 The Third Party shall establish and at all times maintain safeguards against the accidental, deliberate or unauthorised disclosure, access, manipulation or alteration of, and against any destruction, corruption, damage, loss or misuse of, Darling Solutions Ltd information in the possession of the Third Party or any sub-contractors of the Third Party.
3.4 The Third Party shall ensure they sign a non-disclosure agreement relating to Darling Solutions Ltd information before they are given access to it.
4. Human Resources Security
4.1. Roles and responsibilities
4.1.1 The Third Party shall ensure that the information security roles and responsibilities of all Third Party employees (and subcontractors) are clearly defined and documented.
4.1.2 The Third Party shall have a comprehensive disciplinary policy, code of conduct & work rules directive in force to protect the interests and security of Darling Solutions Ltd personnel and Darling Solutions Ltd information.
4.2.1 The Third Party shall ensure that background checks, such as criminal record checks and credit checks, are conducted at the Third Party’s cost and within a reasonable time period, and in any event shall be completed prior to such Third Party or Subcontractor personnel commencing provision of the Services.
4.3. Employment References
4.3.1 The Third Party shall ensure that a written policy exists and is followed for pre-employment screening, and that the screening status and results for all Third Party personnel are fully collated and kept on record. Darling Solutions Ltd may request that evidence of the screening status (or a confirmation statement) be made available for audit and compliance purposes.
4.4. Contractual Agreements
4.4.1 The Third Party shall ensure that all personnel enter into a written contract of employment under which they agree to adhere to all Third Party policies, rules and procedures including all information protection policies.
4.5. Training and Awareness
4.5.1 The Third Party shall hold structured briefings with respect to security awareness and knowledge focusing on the risks resulting from poor information security, and legal and regulatory requirements to protect information.
5. Compliance and Asset Management
5.1. Security Reviews
5.1.1 The Third Party shall conduct annual security reviews of Subcontractors where those Subcontractors have access to Darling Solutions Ltd information, or shall be able to demonstrate that the Subcontractor has appropriate security controls and processes in place. The Third Party shall maintain detailed audit records of any Subcontractor review, including any security risks identified along with recommendations and remedial actions.
5.1.2 The Third Party shall conduct security reviews in accordance with the requirements set out in this Policy document.
5.2. Information Classification
5.2.1 The Third Party shall ensure that Darling Solutions Ltd information is classified in terms of its value, legal requirements, sensitivity and criticality. The Third Party shall also ensure that an appropriate set of procedures for information labelling and handling is developed and implemented in accordance with the classification scheme adopted by the Third Party, and that such procedures are reviewed as a result of any significant business changes.
5.3. Asset inventory
5.3.1 All information assets used to process Darling Solutions Ltd information must be recorded in a maintained inventory. The Third Party shall ensure that any media used to record, store or process Darling Solutions Ltd information as part of the Services, including hard copies of documents, laptops, portable storage devices and magnetic media are securely handled, transported and encrypted and that their use is authorised.
5.4. Data Privacy
5.4.1 The Third Party shall at all times ensure that it maintains and abides by an appropriate Data Protection Policy to safeguard Darling Solutions Ltd information in accordance with the terms of the contract and the Data Protection Act 1998 (and any amendment thereto or replacement thereof) and any other applicable statute, regulation or industry code.
5.4.2 Where any Darling Solutions Ltd information is intended to be transferred, stored or processed outside of the UK, EU or EEA, the Third Party shall first obtain permission in writing from Darling Solutions Ltd before doing so and provide full details of the locations, security arrangements and what information is to be transferred, stored or processed.
5.4.3 The Third Party shall ensure that appropriate retention and secure deletion/destruction policies and procedures are in place for all Darling Solutions Ltd information held. Darling Solutions Ltd may require a copy of the policies and procedures.
5.4.4 The Third Party shall transfer/exchange Darling Solutions Ltd information via secure channels which are encrypted and further shall inform Darling Solutions Ltd in writing of the encryption solution used to transfer/exchange Darling Solutions Ltd information and the contents of the Darling Solutions Ltd information in advance of any transfer or exchange.
5.4.5 The Third Party shall ensure that it adopts a policy to protect against the risks of using mobile computing, teleworking activities and communication facilities where these are used to deliver Services to Darling Solutions Ltd.
5.4.6 The Third Party shall notify Darling Solutions Ltd immediately in the event of data loss or a data breach, detailing the severity of the exposure. This will be handled as part of the incident management process (7.1), and a full report shall be communicated to both parties.
5.4.7 The Third Party shall not make unauthorised copies of Darling Solutions Ltd information.
6. Network Security Management
6.1 The Third Party shall maintain the appropriate confidentiality, integrity and availability of Darling Solutions Ltd information by:
- Utilising secure network architecture and operations;
- Ensuring that networks carrying Darling Solutions Ltd information are designed, built, monitored and managed according to industry standards, best practices and frameworks (e.g. ISO 27001, OWASP, ITIL) to prevent unauthorised access to Darling Solutions Ltd information.
6.2 The Third Party shall ensure that utility programs capable of overriding system and application controls shall be restricted and tightly controlled.
6.3 The Third Party shall ensure that regular penetration testing is carried out, and shall use only equipment approved, owned and secured by the Third Party to access Darling Solutions Ltd information.
6.4 The Third Party shall maintain systems security measures to guard against the accidental, deliberate or unauthorised disclosure, access, manipulation, alteration, destruction or corruption of information through processing errors, and against the damage, loss or misuse of Darling Solutions Ltd information. As a minimum, these measures shall include software which:
- Requires all users of the Systems to enter a username or identification number and a password prior to gaining access to Darling Solutions Ltd information or Systems.
6.5 The Third Party shall ensure that it adopts a policy to protect against the risk of using mobile computing, teleworking activities and communication facilities where these are used to deliver Services to Darling Solutions Ltd.
6.6 The Third Party shall have an established, documented and regularly reviewed formal procedure for the provision and limitation of access to Darling Solutions Ltd information, so that access is limited to those personnel who need access to such information or systems to carry out the Services according to the contractual agreements.
6.7 The Third Party shall have a system-enforced password and user account policy that meets or exceeds Darling Solutions password policy (minimum 8 characters, must contain uppercase, lowercase, numeric and special characters). This shall include procedures to be followed when personnel leave their workstation (automated system lock) and a process to control and manage user accounts upon completion of employment or an individual’s short-term contract or change in role.
6.8 The Third Party must not share any credentials issued to them with any other Third Parties without the express permission of Darling Solutions Ltd.
6.9 The Third Party shall manage changes to Darling Solutions Ltd information and Systems in accordance with Darling Solutions change management processes. Wherever possible, records of changes made should be kept for auditing and security purposes.
7. Incident Management
7.1. Policy and Procedure
7.1.1 The Third Party shall at all times maintain a security incident response procedure.
7.1.2 The Third Party shall require all Third Party personnel to report any observed or suspected security weaknesses in Systems or Services to the Third Party. The Third Party shall inform Darling Solutions Ltd immediately about any such weaknesses of which it becomes aware.
7.2. Contact details
7.2.1 All incidents must be reported to email@example.com.
8. Related policy documents
- Darling Solutions – Third Party Assessment Form
9. Appendix 1 – Definitions
“Darling Solutions Ltd Information” means any information or data owned, processed or produced by Darling Solutions Ltd, or the data of Darling Solutions Ltd end customers.
“Third Party” applies to contractors, temporary staff or anyone else that has or intends to have access to Darling Solutions Ltd information or the System.
“System” means (in whole or part) the servers, networks and/or software used in the provision of the services to either Darling Solutions Ltd or its customers. Any data stored on, transmitted through or accessed from the System shall be deemed to form part of the System.
“Services” means the services provided by the third party to Darling Solutions Ltd as set out in the supplier’s legal agreement.
“Subcontractor” means a contractor appointed by the third party in accordance with the agreement to provide all or part of the services.