TP Information Security Policy
POLICY: THIRD-PARTY VENDOR INFORMATION SECURITY POLICY
POLICY NUMBER: 10.179
SECTION: IT SECURITY
DEPARTMENT: IT SECURITY
This policy defines the specific information security requirements to implement the Third-Party information security program and applicable policies. To be effective, information security must involve the participation and support of every Medcor Third-Party who deals with information and information systems.
This policy applies to all Medcor Third Parties with access to Medcor information, networks, or computer systems.
Definition
A third-party refers to any individual, organization, or entity that is not directly involved in a primary relationship, transaction, or agreement but may still play a role or be affected by it.
Policy
Management Support for Information Security
Critical Business Function – Information and information systems are necessary for the performance of just about every essential activity at Medcor. If there were to be a serious security problem with this information or these information systems, Medcor could suffer serious consequences including lost customers, reduced revenues, and degraded reputation. As a result, information security must continue to be a critical part of the Medcor business environment.
Information Security Program
Information Security Program – Third-parties must implement a comprehensive, written information security program that will secure information assets in a manner commensurate with each asset’s value as established by risk assessment and mitigation measures. The information security program must be updated and re-approved by management annually or whenever there is a material change in the organization or infrastructure.
Information Security Policies – Written acceptable use and information security policies and procedures must be implemented and enforced to assure the security, privacy, reliability, integrity, and availability of information assets.
Risk Assessments – The information security program must be updated, as appropriate, based on the results of the third party’s risk assessment.
Vendor Management – Third-parties must implement a vendor management program to evaluate the security controls of their vendors. The program must include the evaluation of security controls for new and existing vendors.
Asset Management
Asset Ownership – All production information assets possessed by or used by a third-party must have a designated owner with ownership responsibilities clearly documented.
Asset Inventory – The third-party must prepare an annual inventory of production information systems detailing all existing production hardware, software, and virtual assets.
Information Classification and Handling
Consistent Information Handling – Third-parties that collect information on behalf of Medcor must protect such information in a manner commensurate with its sensitivity and criticality. Security measures must be employed regardless of the media on which information is stored, the systems that
process it, or the methods by which it is moved. Information must be protected in a manner that is consistent with its classification, no matter what its stage in the life cycle from origination to destruction.
Access to Systems
Remote Access – All remote access to Medcor systems, as well as remote access to third-party networks, must use standard remote access systems that use token- or certificate-based authentication (e.g. VPN) with industry-supported encryption standards. Remote access methods must use Multi-Factor Authentication (MFA) and be granted only to those users who have a demonstrable business need for such access. Permission for remote access must be approved and routinely reviewed. An annual review of VPN rules must be conducted.
Authentication – All accounts must use standard authentication methods (e.g. Active Directory, SSO – Single Sign-On, etc.).
Personal E-mail – Personal e-mail systems (e.g. Google, Yahoo, Microsoft, etc.) must not be used to store Medcor sensitive data.
System Security
Web Application Firewall – All public facing systems (web applications, e-mail server, etc.) must be protected by a web application firewall.
Security Software – All computers that are under the control of a third-party must be protected with the following security software:
Endpoint Security – All computer systems must use endpoint security to stop malware, viruses, malicious operations, intrusions, ransomware, etc.
E-mail Security – All e-mail systems must use e-mail security to stop spam, viruses, malware, and phishing attempts.
Web Security – All computer systems must use web security to stop malicious activities from websites.
System Hardening – All third-party systems must use industry hardening standards for securing the systems prior to deployment.
Personal Computer Systems – If a third-party uses personal computer systems to access systems, the third-party must implement security measures equivalent to or greater than those it applies to third-party-owned computer systems. Examples of security measures include the following:
All connected personal computers have adequate security protection such as up to date anti-virus software.
All connected personal computers have the latest software updates installed.
Personal routers and other devices on the network are password protected.
Personal routers have WPA2 enabled for Wi-Fi.
Personal routers and other devices must have the latest updates installed.
Personal devices must meet the third-party’s minimum device requirements in order to be used.
Personal devices that access the third-party’s systems are required to have mobile device management software installed.
Information Access Control
Need to Know – Access to Medcor sensitive information may only be provided and disclosed to third-party employees with a need to know such information for legitimate business purposes. Prior to access, appropriate agreements must be in place that specify what Medcor information may be accessed.
Access Approval – Third-parties that collect information on behalf of Medcor must adopt an access request and owner approval process. When employees change job duties, including termination, transfer, promotion, and leave of absence, the third-party must make changes accordingly. The privileges granted to all employees must be periodically reviewed by the information owners and custodians to ensure that only those with a current need to know presently have access. Employees who do not perform administrative functions must have their access restricted on their computers (e.g. removal of local administrator permissions).
Role-Based Access – Employees with access to Medcor information, or to information collected on behalf of Medcor, must have role-based privileges enabled to limit access based on role.
User Access Review – Employees with access to Medcor information, or to information collected on behalf of Medcor, must have their accounts reviewed at minimum on a quarterly basis to ensure access is required and appropriate.
User IDs and Passwords – To implement the need-to-know process, third-parties must require that each employee accessing multi-user information systems have a unique user ID and a private password. These user IDs must be employed to restrict system privileges based on job duties, project responsibilities, and other business activities. Each employee is personally responsible for the usage of their user ID and password. Separate accounts should be used for privileged access. An account removal process must be used, and each employee who no longer requires access must have access removed within 24 hours. If third-party employees have access to Medcor systems, Medcor must be informed immediately so that access can be removed. Default passwords must be removed and replaced in accordance with the third-party's password standard.
User Authentication – All production information system user IDs must have a linked password or a stronger mechanism such as a dynamic password token, to ensure that only the authorized user is able to utilize the user ID. Users are responsible for all activity that takes place with their user ID and password or other authentication mechanism.
Password Requirements – All third-parties must have a password policy that includes the following:
Minimum of 12 characters in length.
Use of both upper-case and lower-case letters.
Must not be a dictionary word.
Inclusion of one or more numbers or special characters.
Passwords must not include account names or parts of the employee’s full name.
Password must be changed every 90 days.
Passwords must not contain personal information such as birthdates, SSN numbers, etc.
The same password must not be used on multiple systems, websites, etc.
Passwords must never be shared with anyone else.
Passwords must not be easily guessed.
Passwords must not be stored in plain sight.
Passwords must not be stored in browsers.
Passwords must not be stored in files on third-party computers.
Passwords must only be reused within the time specified by the system.
Passwords must never be sent to anyone through unsecured means such as e-mail.
Invalid password attempts beyond the maximum amount specified by the system will lock the account.
All first-time temporary passwords must follow the same password requirements and be changed upon first login.
The third-party must have an incident response procedure for reporting compromised passwords.
Use of generic or shared accounts is prohibited. Accounts must only be unique to the user.
Multi-Factor Authentication is required to be enabled for all systems that support it.
Privileged accounts (e.g. administrator and service accounts) must use 20-character passwords.
Administrators are required to use their assigned special administrator accounts to log in to servers and systems.
Service accounts must not have interactive login enabled.
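The password requirements above can be enforced mechanically at the point where a password is set. The following checker is an added example, not Medcor's or any third-party's own tooling; it assumes the 20-character rule for privileged accounts is a minimum, uses a small constructed word list in place of a real dictionary, and takes the employee's birthdate or ID numbers as caller-supplied "personal information" values.

```python
import re
from datetime import date

# Constructed word list standing in for a full dictionary (assumption: a real
# deployment loads a complete list and a breached-password list).
COMMON_WORDS = {"password", "welcome", "medcor", "summer", "letmein", "qwerty"}

MIN_LENGTH = 12             # "Minimum of 12 characters in length"
MIN_LENGTH_PRIVILEGED = 20  # "20-character passwords for privileged accounts"
MAX_AGE_DAYS = 90           # "Password must be changed every 90 days"
SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")
# Common substitutions attackers and users both know (0->o, @->a, ...).
LEET = str.maketrans("013457@$", "oleastas")


def check_password(password, username, full_name, personal_info=(), privileged=False):
    """Return a list of policy violations; an empty list means the password complies.

    username      - the account name, which must not appear in the password
    full_name     - employee's full name; no part of it may appear
    personal_info - constructed values such as birthdates or ID numbers
    privileged    - apply the longer minimum for administrator/service accounts
    """
    violations = []
    lower = password.lower()

    required = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    if len(password) < required:
        violations.append(f"shorter than {required} characters")

    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("must mix upper-case and lower-case letters")
    if not any(c.isdigit() or c in SPECIAL for c in password):
        violations.append("must include a number or special character")

    # Account name and each part of the full name (3+ letters) are forbidden substrings.
    if username and username.lower() in lower:
        violations.append("contains the account name")
    for part in re.split(r"\s+", full_name.strip()):
        if len(part) >= 3 and part.lower() in lower:
            violations.append(f"contains part of the full name ({part})")

    # Personal information: compare verbatim and digits-only, so that a
    # birthdate written 1990-05-17 is still caught when typed as 19900517.
    password_digits = re.sub(r"\D", "", password)
    for item in personal_info:
        item_digits = re.sub(r"\D", "", item)
        if item.lower() in lower or (len(item_digits) >= 4 and item_digits in password_digits):
            violations.append("contains personal information")
            break

    # Dictionary check: drop trailing digits/symbols, undo leet substitutions,
    # then compare the remaining letters against the word list.
    core = lower.rstrip("0123456789" + "".join(SPECIAL))
    core = re.sub(r"[^a-z]", "", core.translate(LEET))
    if core in COMMON_WORDS:
        violations.append("is a dictionary word or a trivial variant of one")

    return violations


def needs_rotation(last_changed, today):
    """True when the password has reached the 90-day change interval."""
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample accounts for illustration.
    for pw, user, name, info, priv in [
        ("Tr0ub4dor&3Horse!", "jsmith", "John Smith", (), False),
        ("Summer2024!", "asmith", "Anna Smith", (), False),
        ("P@ssw0rd1234!", "admin", "Sam Lee", (), True),
        ("Xq7!pLm$19900517", "kdoe", "Kim Doe", ("1990-05-17",), False),
    ]:
        print(user, check_password(pw, user, name, info, priv) or "OK")
    print("rotation due:", needs_rotation(date(2025, 1, 1), date(2025, 4, 1)))
```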
Personnel Security
Background Checks – Background checks must be performed on all third-party employees with access to Medcor information, networks, or computer systems.
Security Training – All new and existing third-party employees and contractors must complete an approved Security and Data Privacy awareness course at hire and at minimum on an annual basis. Training must cover these topics: business e-mail compromise, social engineering, protecting PHI and PII, the information security program, mobile device protection, viruses, malware and ransomware, phishing, and physical security. All employees must also review and acknowledge all third-party policies on an annual basis. Third-parties must have a program in place to address training for security violations identified for each employee. Third-parties must have a phishing testing program in place to routinely test employees' awareness of phishing. All developers employed by the third-party must complete an approved developer security awareness course on an annual basis.
Travel
Foreign Transport of Sensitive Information – Whenever Confidential information is carried by an employee into a foreign country, the information must either be stored in some inaccessible form, such as an encrypted external storage media, or must always remain in the employee’s possession. Employees must not take sensitive Medcor information into another country unless permission has been obtained from the third-party.
Checked Luggage – Employees in the possession of portable devices (i.e. laptops, cell phones, personal digital assistants, etc.) and other transportable devices containing sensitive information must not check these portable devices in airline luggage systems. These portable devices must remain in the possession of the traveler as hand luggage.
Special Laptops for International Travel – All employees traveling with sensitive information must only use special “travel” laptops issued by the third-party. These special devices are stripped of all non-essential information and must employ both full-disk encryption and multi-factor authentication.
Inspection of Machines for International Travel – All employees returning from overseas travel must have their laptops and other portable devices inspected by the third-party before connecting to the third-party network. This inspection is required to check for malicious software or other security vulnerabilities that may have been introduced during inspection by authorities.
Agreements
Agreements – Depending on the business relationship with Medcor, third parties will be required to sign applicable agreements, such as a Non-Disclosure Agreement (NDA), Business Associate Agreement (BAA), Data Access Agreement, etc. Information released to third-parties must be limited to the topics directly related to the involved project or business relationship, and the disclosure must be approved in advance by the involved information owner and Medcor's Legal department.
Third-Party Security Requirements – Third-parties with access to Medcor sensitive information must secure their own systems to a standard equal to or greater than the security requirements of Medcor. Medcor reserves the right to audit the security of third-party systems. Medcor also reserves the right to immediately terminate the business relationship with any third-party not meeting such requirements.
Physical Security
Physical Security to Control Information Access – Access to every office, data center, and other third-party work area containing sensitive information must be physically restricted to those individuals with a need to know. When not in use, sensitive information must always be protected from unauthorized disclosure. When left in an unattended room, sensitive information in paper form must be locked away in appropriate containers. Each third-party location should always be locked and secured when a third-party employee is not present.
Access Control – Access controls must be in place for all areas containing sensitive information, covering third-party employees and anyone else to whom the third-party grants access. Employees must be identified using an identification system. Access for employees and third parties must be removed when it is no longer required.
Tailgating – Third-parties must routinely educate employees regarding tailgating.
Visitors/Guests – Third-parties must have a visitor management policy and procedures.
Clear/Clean Desk and Screen – Third-parties must have clear/clean desk and screen policies and procedures.
Teleworker Locations – If the third-party uses teleworker locations, it is the responsibility of the employee to keep their location secured, third-party assets secured, and third-party computer equipment always locked. If locked cabinets are in the location, it is the responsibility of the employee to make sure those cabinets are securely locked when the location is unoccupied. Third-party-assigned equipment (including but not limited to laptops, all-in-one or desktop computers, cell phones, tablets, external hard drives, memory sticks, VPN appliances, and data internet cards) must not be used by anyone other than third-party employees.
Power Redundancy/Backup – Uninterruptible power supplies should be used at the third-party's locations to protect systems in the event of a short-term power outage or interruption. The uninterruptible power supplies should be routinely tested, and alerts should be sent when these devices are activated.
Generators – Generators should be installed at the third-party's locations and used to power the locations in the event of a long-term power outage or interruption. The generators should be routinely tested and maintained, and alerts should be sent when these devices are activated.
Fire Suppression – Fire suppression systems should be used at the third-party's locations. The fire suppression systems should be routinely tested and maintained.
Security Reviews – Periodic physical security reviews should be conducted at the third-party to ensure employees are following the correct physical security procedures as well as making sure physical security controls are working effectively.
Removal of Data and Equipment – Processes and procedures must be in place at the third-party for the removal of data and/or equipment out of critical infrastructure areas.
Network Security
Firewalls Required – All connections between third-party internal networks and the Internet or any other publicly accessible computer network must include an approved firewall or related access control system. The privileges permitted through this firewall or related access control system must be based on business needs and must be defined in an access control standard issued by the third-party. By default, all firewalls must be set to deny all ports. All firewalls and their rule sets must be reviewed annually.
Internal Network Connections – All third-party computers that store sensitive information and that are permanently or intermittently connected to internal computer networks must have a password-based access control system. Regardless of the network connections, all stand-alone computers handling sensitive information must also employ an approved password-based access control system. All systems that contain sensitive data collected on behalf of Medcor must reside on a separate protected network.
Session Security – All third-party employees working with computers must employ the screen-lock passwords that are provided with operating systems, so that after a period of no activity the screen will lock until the correct password is entered again. Employees must lock their computers whenever they leave them for extended periods of time. Employees must log off multi-user systems when they have completed their work in order to terminate that user's session.
External Network Connections – When using third-party computers, employees must not establish connections with external networks including Internet service providers unless these connections have been approved by the third-party.
Third-Party Connection Approval – Third-party computers or networks may be connected to vendor computers or networks only after the third-party has determined that the combined systems will be following the third-party’s security requirements.
Circumventing Controls – The third-party must have policies in place stating that attempts to hack or circumvent security controls on any third-party system or resource, whether from third-party systems or external systems, are prohibited. This includes but is not limited to running vulnerability scanning systems, password cracking, exploiting vulnerabilities, installing malware or viruses, use of malicious code, or circumventing access permissions or resource restrictions.
Shadow IT – The third-party must have policies in place that prohibit the setting up of IT devices, software, and services which are outside the ownership or control of the third-party. All IT devices, software, and services must be approved by the third-party prior to their use.
Encryption
Encryption – Medcor sensitive information (which includes Medcor Confidential information) that is sent over a public computer network such as the Internet must be protected with encryption. All third-party systems must use encryption in storage, in transit, and at rest. All databases that contain Medcor sensitive data must use AES 256-bit encryption. Medcor sensitive information must not be shared via unencrypted methods such as e-mail and file sharing systems; it must be shared using secure methods that use encryption.
Virus and Malware Prevention
Antivirus and Anti-Malware Systems – Antivirus and anti-malware systems approved by the third-party must be in place on all computers with operating systems susceptible to malicious operations, on all firewalls with external network connections, and on all e-mail servers. All files coming from external sources must be checked before execution or usage. If encryption or data compression has been used, these processes must be reversed before the antivirus and anti-malware checking process takes place. Employees must not turn off or disable the antivirus and anti-malware systems.
Application and Systems Development
System Development – If the third-party develops software for Medcor the third-party must have a documented System Development Life Cycle that includes security. The third-party must follow security standards such as OWASP. This methodology must ensure that the software will be adequately documented and tested before it is used for critical Medcor information. The System Development Life Cycle also must ensure that production systems include adequate control measures. The third-party must perform periodic risk assessments of production systems to determine whether the controls employed are adequate. All developers must adhere to the third-party company policies, standards, procedures, testing, training, and documentation.
Access Control – All production systems must have an access control system to restrict who can access the system and restrict the privileges available to these users. A designated access control administrator who is not a regular user on the system must be assigned for all production systems. A review of each user’s access must be conducted on a routine basis, and appropriate changes must be completed and documented for each user.
Production, Development, and Test Environments – There must be a separation between the production, development, and test environments. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. All production software testing must proceed with sanitized information in which Confidential or Sensitive information is replaced with test data. All security fixes provided by software vendors must go through the systems development methodology testing process and must be promptly installed. Developers must not be given access to production information. Data used in the testing environment must not contain production data collected on behalf of Medcor.
Change Management – A formal and documented change control process must be used to restrict and approve changes to production systems. All application program-based access paths other than the approved user access paths must be deleted or disabled before software is moved into production.
Testing – All third-party developed software must be security tested prior to production. All discovered vulnerabilities must be remediated prior to release to production. All third-party developed software must be penetration tested at minimum on an annual basis. All vulnerabilities discovered during the penetration test must be remediated.
Change Control
Unauthorized Installation or Use of Software – The third-party must restrict systems to only the intended approved use of the system. The third-party must restrict the installation or use of new or upgraded operating systems or software on computers and other systems used to process Medcor information.
Audit Logging
Production Application System Logs – All third-party computer systems must include logs that record, at a minimum, user session activity including user IDs, logon date and time, logoff date and time, as well as applications invoked, changes to critical application system files, changes to the privileges of users, and system start-ups and shut-downs.
Business Continuity Plan Development
Business Contingency Plans Preparation – The third-party must prepare, periodically update, and regularly test a business recovery plan that specifies how alternative facilities (offices, computers, telephones, etc.) will be provided so employees can continue operations in the event of a business interruption.
Computer Incident Response
Computer Emergency Response Plans – The third-party must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service.
Mandatory Reporting – The third-party must have a process for reporting security incidents that might jeopardize the third-party or Medcor information or Medcor information systems. The third-party must report all confirmed data breaches to compliance@medcor.com.
Data Loss Prevention
Data Loss Prevention – The third-party must use Data Loss Prevention (DLP) controls to protect itself from data loss. Coverage may include, but is not limited to, detection and prevention on e-mail and file sharing systems.
Security Testing
Penetration Testing – The third-party must conduct at minimum annual penetration testing of the external network, internal network, and web applications. The third-party must remediate all findings discovered in the penetration test. If Critical or High vulnerabilities are identified, Medcor must be notified of a remediation time frame for those vulnerabilities. Medcor may request a penetration testing attestation letter.
Vulnerability Scanning – The third-party must conduct at minimum quarterly internal and external vulnerability scanning on its systems. Vulnerabilities identified must be remediated.
Patch Management
Patch Management – The third-party must use a patch management system to routinely patch its systems. Patching should include all endpoint systems, servers, and network devices.
Change Management
Change Management – The third-party must have a formal Change Management process. The Change Management process should include all Information Technology infrastructure systems and applications.
Mobile Devices
Mobile Security – The third-party must use mobile security to protect all mobile devices used at the third-party.
Data Storage
Storage Location – If the third-party is collecting data on behalf of Medcor the third-party must store data in a U.S. location.
Data Location Change – If the third-party is collecting data on behalf of Medcor and decides to move the data to a different location, the third-party must notify Medcor of the new location and receive Medcor’s approval prior to the movement of the data.
Audit Reports
Independent Third-Party Security Audit – The third-party must conduct at minimum annual independent third-party audits (e.g. SOC 2, ISO). Medcor may request the independent third-party audit report. If an independent third-party audit is not available, Medcor may request the completion of a security questionnaire.
Security Violations
Security Violation Policy and Procedure – The third-party must have a security violation policy and procedure that addresses security policy violations.
Data Retention and Disposal
Retention – The third-party must contact Medcor prior to disposing of any data collected on behalf of Medcor. If Medcor requests data, the third-party must provide the data in a format that is acceptable to Medcor.
Disposal – Prior to destruction of any Medcor data, Medcor must be notified. All third-party electronic equipment that may have contained data collected on behalf of Medcor and is determined to be no longer fit for this purpose must be sanitized using NIST SP 800-88 Rev. 1 or equivalent standards for data destruction.
Termination of Agreement
Notwithstanding anything to the contrary in the Agreement, Medcor may terminate the business relationship with the third-party if Medcor determines (as a result of a Security Incident, results of a third-party security assessment, results of a SOC 2 report, etc.) that the third-party has failed to meet Medcor’s security requirements in this policy or that the third-party will not make changes to accommodate any security requirements.
Owner: Anthony Vivardo
Title: Executive Director of Security and IT Operations
Date: 09/2025
Signature:

Approved By: Tim Sahouri
Title: Chief Information Officer
Date: 09/2025
Signature:

Version – Description – Revision Date – Review Date – Reviewer/Approver Name
1.0 – Draft Version – 06/07/2021 – 06/07/2021 – Anthony Vivardo
2.0 – Final Version – 06/07/2021 – 06/07/2021 – Anthony Vivardo
2.1 – Revisions to sections: Password Requirements; Personnel Security; Computer Incident Response; Termination of Agreement – 06/01/2022 – 06/01/2022 – Anthony Vivardo
2.2 – Revisions to sections: Policy (name changed from 10.179-Third-Party Information Security Policy to 10.179-Third-Party Vendor Information Security Policy); Access to Systems; Information Access Control; Personnel Security; Computer Incident Response; Network Security; Application and Systems Development; Data Retention and Disposal – 06/01/2023 – 06/01/2023 – Anthony Vivardo
2.3 – Revisions to sections: Information Security Program; Information Access Control; Personnel Security; Physical Security; Change Control; Security Testing – 05/30/2024 – 05/30/2024 – Anthony Vivardo
3.0 – Policy Refresh – 09/2025 – 05/2025-08/2025 – Anthony Vivardo