Securing Our Ecosystem and Third-party Risk Management

Published On: July 11th, 2023 | Categories: Data Privacy & Protection

SAI360’s supplier risk management and assessment requirements comply with ISO 27001 and are published in our Information Security Management System (ISMS).

This includes policies relating to pre-contract supplier due diligence and ongoing monitoring of existing supplier relationships. SAI360 has instituted a risk-based approach to performing due diligence on prospective suppliers. The assessments include evaluation of the third party’s controls relevant to the security and data protection of the services provided and of the overall environment from which the services are provided.

Information security requirements will vary according to the type of contractual relationship that exists with each supplier. The selection of controls is based upon a comprehensive risk assessment taking into account information security requirements, the product or service to be supplied, its criticality to the organization, and the capabilities of the supplier.

SAI360 has implemented ‘SAI360 GRC Vendor Risk’ Software as a Service (SaaS) as our assessment tool. All suppliers are assessed prior to production use and annually thereafter.

SAI360’s general legal counsel carries out the legal review process for contracts entered into by SAI360. Where applicable, information security conducts risk assessments of vendors that process SAI360 data (including customer data) and/or have access to SAI360 systems. Additionally, Information Security works with the general legal counsel to determine and negotiate with the applicable vendor appropriate contractual protections related to information security.
