Vendor Management Policy
WeSalute relies on vendors to perform a range of services, some of which are critical for operations. WeSalute aims to manage its relationship with vendors and minimize the risk associated with engaging third parties to perform services. This policy provides a framework for managing the lifecycle of vendor relationships.
Vendor Risk Assessment
For each potential vendor, conduct an initial risk analysis and assign the vendor a "low", "medium", or "high" rating based on the highest risk level attributable to the contract.
| Criterion | Low | Medium | High |
|---|---|---|---|
| Business Impact | Nominal impact; WeSalute could get along without it. Does not connect to any WeSalute infrastructure. | Significant but non-critical business impact. | Mission critical. |
| Customer Facing | No | Indirect | Direct |
| Access | No access to WeSalute systems or data. | Access to WeSalute systems or data, but not to non-public PII. | Access to non-public personally identifiable information ("PII") (e.g. email content). |
The rating indicates the level of due diligence WeSalute requires for each vendor:
- Low-risk vendors typically require little analysis
- Medium-risk vendors should be evaluated to determine the appropriate level of due diligence required
- High-risk vendors require extensive review
Vendor Assessment Process
Risk assessments should be conducted before doing business with a new vendor and revisited when the relationship with the vendor changes significantly, including contract renewals. All vendors are required to be reassessed quarterly. An assessment of the proposed vendor is initiated when a Vendor Sponsor (anyone at WeSalute looking to do business with a vendor) submits a review request to the CTO. The Vendor Sponsor may wish to sign a mutual Non-Disclosure Agreement (mNDA) with the proposed vendor. The proposed vendor and the Vendor Sponsor should sign the mNDA before the Vendor Sponsor:
- discloses WeSalute information to determine company/vendor fit
- accepts a completed Vendor Assessment Questionnaire (VAQ), which contains the vendor's operating information.
The Vendor Sponsor should then submit the mNDA (if applicable), VAQ, and other relevant collateral to the CTO for review via the Company Records in the WeSalute CRM.
The CTO will complete the review in a timely manner and communicate next steps to the Vendor Sponsor. All reviews should be documented in the risk matrix for security, legal, and audit purposes. That documentation then falls under SystemsOps Vendor Documentation.
When the CTO approves the vendor, the WeSalute Vendor Sponsor may move forward with contract negotiations.
The CTO and LegalOps Team must provide documented approvals to the Vendor Sponsor.
Only then may the FinancialOps Team set the vendor up for payment. The FinancialOps Team is responsible for verifying that the CTO's sign-off has been documented before doing so.
Vendor Assessment Due Diligence
Due diligence entails making a reasonable inquiry into a vendor's ability to meet the requirements for the proposed service. WeSalute first sends the proposed vendor a Vendor Assessment Questionnaire. Once the VAQ is completed, the CTO reviews the responses and either clears the vendor, rejects the vendor, or requests further information.
Due diligence review may include further discussion of the following topics:
- Regulatory: Can the vendor create regulatory risk for WeSalute?
- Reputation: How might the vendor impact WeSalute's reputation?
- Financial: Can the vendor impact WeSalute or its customers financially?
- Access to customer data: To what extent will the vendor handle sensitive WeSalute data?
- Operational effectiveness: How might WeSalute be affected if the vendor experiences downtime, or ceases operations suddenly? Are there other potential vendors that WeSalute could work with in such cases?
- Compensating controls: Does the vendor offer multi-factor authentication on its service? Can it be enforced so that all WeSalute users must turn on MFA to use the service?
Vendor Compliance Considerations
If the vendor has a SOC 2 report, an ISO 27001/27002 attestation, or other relevant compliance collateral, it should be collected, reviewed by the CTO, and documented in WeSalute records.
Managing Vendors
Vendor Supervision
Each vendor will be assigned a Vendor Sponsor, a Team Member designated in Vanta, who will act as the liaison between the vendor and WeSalute.
Vendor List
The CTO and SystemsOps work together to maintain a complete list of all vendors, each vendor's risk rating, its Vendor Sponsor, and the date of the most recent evaluation.
Vendor Configuration
Multi-factor authentication ("MFA") should be enabled on all WeSalute accounts with all vendors, and enforced at the vendor's tenant or organization level wherever the vendor supports it.
Policy Review, Disciplinary, & Responsibility
Disciplinary Action
Team Members who violate this policy may face disciplinary consequences in proportion to their violation. WeSalute ExecutiveOps will determine how serious a Team Member's offense is and take the appropriate action:
- For minor violations, Team Members may receive verbal reprimands
- For more serious violations (e.g. onboarding a vendor without appropriate review and due diligence), Team Members may face severe disciplinary action, up to and including termination.
Responsibility
The WeSalute Vendor Sponsor is responsible for ensuring prospective vendors enter the vendor review process.
The CTO is ultimately responsible for ensuring this policy is followed.
This policy currently does not include the complete policy footer content that is standard on WeSalute policies. This may be intentional given the nature of the content.