To ensure protection of the organization’s data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.
This document outlines the due diligence journey a third-party has to complete at Sourcegraph, including a baseline of security controls that Sourcegraph expects partners and other third-party companies to meet when interacting with Sourcegraph data.
All data and information systems/services owned or used by Sourcegraph that are business critical and/or process, store, or transmit Sourcegraph data. This policy applies to all employees of Sourcegraph and to all external parties, including but not limited to Sourcegraph consultants, contractors, business partners, vendors, suppliers, partners, outsourced service providers, and other third-party entities with access to Sourcegraph data, systems, networks, or system resources.
Sourcegraph categorizes all of its third-parties as follows:
- Software: this can be SaaS or non-SaaS products
- Services: Consulting services; any company that is commissioned to perform knowledge enhancing project-based work for Sourcegraph. Examples of this include any work that concludes with a report issued to the company, product development work, training development, sales & marketing projects and regulatory consulting work.
- Temporary contractors: Individuals that have been contracted for a limited amount of time to enhance/assist/deliver project base work (distinction made as access level to data will be different to a ‘Service’ engagement)
The contract type/financing mechanism for any of the above mentioned categories should follow the Sourcegraph Procurement Policy.
Information security requirements for mitigating the risks associated with supplier’s access to the Sourcegraph’s assets shall be agreed with the supplier and documented.
For all service providers who may access Sourcegraph sensitive data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities.
Relevant information security requirements shall be established and agreed with each supplier that may access, process, store, or transmit sensitive data, or provide physical or virtual IT infrastructure components for Sourcegraph.
For all service providers who may access Sourcegraph production systems, or who may impact the security of the Sourcegraph production environment, written agreements shall be maintained that include the service provider’s acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that Sourcegraph has established in accordance with Sourcegraph’s information security program or any relevant framework.
Sourcegraph will consider and assess risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.
Sourcegraph shall regularly monitor, review, and audit supplier service delivery. Supplier security and service delivery performance shall be reviewed at least annually for all high risk third-parties.
Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures, or controls, shall be managed, taking account of the criticality of the business information, systems, and processes involved. Sourcegraph shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.
Upon termination Sourcegraph ensures preparations and a process are in place to efficiently terminate a third-party relationship and transfer the activities either in-house or to another third party provider. Off-boarding due diligence is also conducted to ensure that all the relevant checks with IT, Security and Compliance are covered prior to termination and all data has been retained/disposed of according to Sourcegraph’s Data Management Policy. Finance and Legal will review any contract extensions or renewals and ensure that these are signed by the relevant parties.
Sourcegraph will ensure that potential risks posed by sharing sensitive data are identified, documented and addressed according to this policy. The purpose of a partner and third-party security policy is to ensure that partnerships and services achieve their business plan aims and objectives, and are consistent with Sourcegraph’s requirements for information security.
Sourcegraph shall not share or transmit sensitive data to a third-party without first performing a third-party risk assessment and due diligence including fully executing a written contract, statement of work or service agreement which describes expected service levels and any specific information security requirements.
Risk management plays an integral part in the governance and management of the organization at a strategic and operational level. Therefore, Sourcegraph performs a risk assessment for each third party as part of their onboarding process. A risk rating ( high, medium or low) is assigned to each third-party and dedicates the frequency of due diligence reviews for that third party. All high risk third parties are subject to an annual due diligence check in regards to performance and security standards.
Sourcegraph will perform due diligence checks on third-parties to identify, assess, manage and control the risks related to third party relationships prior to engaging in processing activities. Several internal stakeholder groups will be involved in this review/evaluate stage of the third party.
Sourcegraph uses two factors to determine which due diligence checks need to be performed: data classification of data shared with the third party and materiality (i.e. cost of contract).
Approval of third-party onboarding can only be provided if all due diligence reviews are approved.
Sourcegraph’s Vendor Reviewer Guide Process captures the due diligence triage matrix as well as provides more details on the due diligence activities by each reviewer.
All third-parties must maintain reasonable organizational and technical controls as assessed by Sourcegraph.
Assessment of third-parties which receive, process, or store sensitive data shall consider the following controls as applicable based on the service provided and the sensitivity of data stored, processed or exchanged.
Third-parties maintain information security policies supported by their executive management, which are regularly reviewed.
Third-parties maintain programs that assess, evaluate, and manage information and technology risks.
Third-parties implement commercially reasonable practices and procedures designed, as appropriate, to maintain operations security. Protections may include:
- Technical testing
- Protection against malicious software
- Network protection and management
- Technical vulnerability management
- Logging and monitoring
- Incident response
- Business continuity planning
Third-parties maintain a technical access control program.
Third-parties maintain a secure development program consistent with industry software and systems development best practices including risk assessment, formal change management, code standards, code review and testing.
If third-parties are storing or processing seitive data, their physical and environmental security controls should be in accordance with industry best-practices.
Third-parties maintain human resource policies and processes which include criminal background checks for any employees or contractors who access Sourcegraph sensitive information.
Sourcegraph shall consider all applicable regulations and laws when evaluating suppliers and third parties who will access, store, process or transmit Sourcegraph sensitive data. Third-party assessments should consider the following criteria:
- Protection of customer data, organizational records, and records retention and disposition
- Privacy of Personally Identifiable Information (PII)
Requests for an exception to this Policy must be submitted to the Compliance Manager for approval.
Sourcegraph will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.
Any known violations of this policy should be reported to firstname.lastname@example.org. Failure to follow this policy can result in disciplinary action, up to and including termination.
|1.0||20-||Diego Comas||First Version|
|1.1||26-||Dora Neumeier||Addition of links to handbook process page; added section on risk management and due diligence|