Transcript of interview with Vendor Partner

Vendor Management
Compliance
Risk Management

Auditor: I’d like to discuss how security considerations are handled in your relationship with our organisation. Could you describe the policies and controls your organisation has in place?

Vendor: Absolutely. We maintain comprehensive information security policies and technical controls aligned to standards like ISO 27001. This includes access controls, encryption, vulnerability management, risk assessments and more.

Auditor: Great to hear. And how are our security requirements incorporated into the services or products you provide?

Vendor: We review all contracted security terms to ensure compliance. Your CISO is provided validation of our controls via assessment reports and certifications. We also accommodate any audits or risk reviews.

Auditor: Excellent. How is important security-related communication handled between our organisations?

Vendor: We have regular status updates on programs, issues, and initiatives. Any critical vulnerabilities or incidents would be reported to your security team based on the contractual notification requirements.

Auditor: That covers the key points. To summarise: you have the appropriate internal security posture, align to our policies contractually, and maintain open communication channels for risk management. Is that correct?

Vendor: Yes, that accurately represents our security relationship. We take our clients’ requirements very seriously and aim to enable their programs through our information security capabilities and practices.

Auditor: What training and awareness exists for your employees on adhering to client security policies and handling sensitive data?

Vendor: Annual security training is mandatory for all employees. Those dealing with customer data receive additional training on data handling, privacy and confidentiality.

Auditor: How do you perform background checks on your personnel prior to assigning them to our account?

Vendor: Standard background checks include criminal history, employment verification and education confirmation. We can accommodate other screening based on your policies and data sensitivity.

Auditor: What access controls do you have around the systems, applications or devices specific to our environment?

Vendor: Access is granted based on least privilege principles and business needs. We implement controls like MFA, activity monitoring, and privileged access management on your assets.

Auditor: Could you describe the secure development practices that go into the software or applications provided to us?

Vendor: We follow standardised SDLC processes including security reviews, static/dynamic analysis, vulnerability testing etc. Security is built into designs and threat modeling occurs.

Auditor: Finally, what periodic reporting can you provide to demonstrate ongoing compliance?

Vendor: We can provide artifacts like risk assessments, security reports, audit results, and remediation status on a recurring basis contractually.