ReloQuest Information Security Requirements for Suppliers
Last updated: June 2, 2022
Supplier agrees it has implemented and will maintain throughout the term of the Terms of Service the following technical and organizational measures, controls, and information security practices:
- Information Security Policies
- Policies for Information Security. Supplier’s policies for information security shall be documented by Supplier, approved by Supplier’s management, and communicated to Supplier’s personnel and contractors on a need to know basis.
- Review of the Policies for Information Security. Policies for information security shall be reviewed by Supplier at least annually, or promptly after material changes to the policies occur, to confirm applicability and effectiveness. Supplier shall not make changes to the policies that would materially degrade security obligations without first providing notice to ReloQuest.
- Information Security Reviews. The Supplier’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
- Organization of Information Security
- Security Accountability. Supplier shall assign one or more security officers who will be responsible for coordinating and monitoring Supplier’s information security function, policies, and procedures.
- Security Roles and Responsibility. Supplier personnel, contractors and agents who are involved in providing Supplier Services shall be subject to confidentiality agreements with Supplier.
- Risk Management. Appropriate information security risk assessments shall be performed by Supplier as part of an ongoing risk governance program that is established with the objective of recognizing risk, assessing the impact of risk, and, where risk-reducing or mitigation strategies are identified and implemented, effectively managing the risk with recognition that the threat landscape constantly changes. Upon request, Supplier will meet with ReloQuest at least annually to discuss information security related to the Supplier Service.
- Human Resource Security
- Security Training. Appropriate security awareness, education and training shall be provided to all Supplier personnel and contractors.
- Asset Management
- Asset Inventory. Supplier shall maintain an asset inventory of all media and equipment where ReloQuest Data is stored. Access to such media and equipment shall be restricted to authorized personnel of Supplier.
- Asset Handling.
- Supplier shall classify ReloQuest Data so that it is properly identified and access to ReloQuest Data shall be appropriately restricted.
- Supplier shall maintain an acceptable use policy with restrictions on printing ReloQuest Data and procedures for appropriately disposing of printed materials that contain ReloQuest Data when such data is no longer needed to provide the Supplier Service under the Terms of Service.
- Supplier shall maintain an appropriate approval process whereby such approval is provided to personnel, contractors and agents prior to storing ReloQuest Data on portable devices; remotely accessing ReloQuest Data; or processing such data outside of Supplier facilities. If ReloQuest Data is stored on portable devices, Supplier shall enforce the use of current Industry Standard encryption on the portable device. If remote access is used, Supplier personnel, agents and contractors shall use multi-factor authentication. If mobile devices are used to access or store ReloQuest Data, Supplier personnel, contractors and agents shall use a mobile device management (MDM) solution that enforces encryption, passcode and remote wipe settings to secure ReloQuest Data. Supplier will prohibit the enrollment of mobile devices that have been “jailbroken.”
- Access Control. Supplier shall maintain an appropriate access control policy that is designed to restrict access to ReloQuest Data and Supplier assets to authorized personnel, agents and contractors.
- Authorization.
- Supplier shall maintain user account creation and deletion procedures for granting and revoking access to all assets, ReloQuest Data, and all internal applications while providing Supplier Services under the Terms of Service. The Supplier will assign an appropriate authority to approve creation of user accounts or elevated levels of access for existing accounts.
- Supplier shall maintain and update records of personnel who are authorized to access Supplier systems that are involved in providing Supplier Services and review such records at least quarterly.
- Supplier shall ensure the uniqueness of user accounts and passwords for each individual. Individual user accounts must not be shared.
- Supplier shall remove access rights to assets that store ReloQuest Data for personnel, contractors and agents upon termination of their employment, contract or agreement within two (2) business days, or access shall be appropriately adjusted upon change (e.g. change of personnel role).
- Supplier will perform periodic access reviews for system users at least quarterly for all supporting systems requiring access control.
- Least Privilege Access.
- Supplier shall restrict access to Supplier systems involved in providing Supplier Services, to only those individuals who require such access to perform their duties using the principle of least privilege access.
- Administrative and technical support personnel, agents or contractors shall only be permitted to have access to such data when required.
- Authentication.
- Supplier will use current Industry Standard capabilities to identify and authenticate personnel, agents and contractors who attempt to access information systems and assets.
- Supplier shall maintain current Industry Standard practices to deactivate passwords that have been corrupted or disclosed.
- Supplier shall monitor for repeated access attempts to information systems and assets.
- Supplier shall maintain current Industry Standard password protection practices that are designed and in effect to maintain the confidentiality and integrity of passwords generated, assigned, distributed and stored in any form.
- Supplier shall provide an Industry Standards based single sign-on (SSO) capability (SAML, etc.) which will require authentication to access any Supplier web-based application(s) provided as part of the Supplier Services, unless the requirement is explicitly waived by ReloQuest. Details of how the single sign-on integration must be implemented are available from ReloQuest upon request. If SSO is waived, multi-factor authentication is still required for access to Supplier web-based application(s) provided as part of the Supplier Services.
- Supplier shall maintain and enforce a password policy that is aligned to current Industry Standards (e.g. the NIST Cybersecurity Framework and the Center for Internet Security), and default passwords must be changed before deploying any new asset. In the event that Supplier Services include the management of ReloQuest or its client infrastructure and environments, account lockout thresholds must be consistent with ReloQuest or its client account lockout standards, whichever is most strict.
- Supplier shall use multi-factor authentication and encrypted sessions for all administrative account access and any remote console access must be securely deployed using approved standards and configuration procedures. In the event that Supplier Services require external connections to ReloQuest or ReloQuest client project dedicated environments, ReloQuest must provide approval of the connections.
- Cryptography. Supplier shall maintain policies and standards regarding the use of cryptographic controls that are implemented to protect ReloQuest Data. Supplier shall implement Industry Standard key management policies and practices designed to protect encryption keys for their entire lifetime.
- Physical and Environmental Security
- Physical Access to Facilities. Supplier shall limit access to facilities (where systems that are involved in providing the Supplier Services are located) to identified personnel, agents and contractors.
- Physical Access to Components. Supplier shall maintain records of incoming and outgoing media containing ReloQuest Data, including the type of media, the authorized sender/recipient, the date and time, the number of media, and the type of data the media contains. Supplier shall ensure that backups (including remote and cloud service backups) are properly protected via physical security or encryption when stored, as well as when they are moved across the network. In the event that backup media of ReloQuest and/or ReloQuest client data is stored or shipped offsite, ReloQuest must provide approval of the storage location.
- Protection from Disruptions. Supplier shall protect equipment from power failures and other disruptions caused by failures in supporting utilities. Telecommunications and network cabling must be protected from interception, interference, and/or damage.
- Secure Disposal or Reuse of Equipment. Supplier shall verify equipment containing storage media to confirm that all ReloQuest Data has been deleted or securely overwritten using Industry Standard processes prior to disposal or re-use.
- Clear Desk and Clear Screen Policy. Supplier shall adopt a clear desk policy for papers and removable storage media and a clear screen policy.
- Operations Security
- Operations Policy. Supplier shall maintain appropriate operational and security operating procedures and such procedures shall be made available to all personnel who require them.
- Logging and Monitoring of Events.
- Supplier must enable logging and monitoring on all operating systems, databases, applications, and security and network devices that are involved in providing Supplier Services. Logs must be kept for a minimum of six (6) months or as long as legally required, whichever is longer. Logs must capture the access ID, the authorization granted or denied, the date and time, the relevant activity, and be regularly reviewed. All relevant information processing systems shall synchronize time to a single reference time source.
- Logging capabilities shall be protected from alteration and unauthorized access.
- Protections from Malware. Supplier shall maintain anti-malware controls that are designed to protect systems from malicious software, including malicious software that originates from public networks. Supplier shall maintain software at the then current major release for Supplier owned anti-malware software and provide maintenance and support for new releases and versions of such software.
- Backup. Supplier shall maintain a backup and restoration policy that also protects ReloQuest Data from exposure to ransomware attacks, and shall back up ReloQuest Data, software, and system images in accordance with Supplier policy unless other such requirements are agreed upon. Supplier shall regularly test restoration procedures.
- Control of Software and Utilities. Supplier shall enforce policies and procedures that govern the installation of software and utilities by personnel.
- Change Management. Supplier shall maintain and implement procedures to ensure that only approved and secure versions of code, configurations, systems, utilities and applications will be deployed for use and related to Supplier Services.
- Encryption of Data at Rest. Supplier shall encrypt data at rest, including data at rest in cloud instances and storage buckets, using current Industry Standard encryption solutions or shall provide the capability with instructions to ReloQuest so that ReloQuest may enable further encryption, at ReloQuest’s discretion.
- Communications Security
- Information Transfer and Storage.
- Supplier shall use current Industry Standard encryption, TLS (Transport Layer Security) minimum version 1.2, to encrypt ReloQuest Data that is in transit.
- Supplier shall use TLS, minimum version 1.2, over SMTP (Simple Mail Transfer Protocol) when exchanging emails as a standard practice to encrypt emails in transit.
- Supplier shall implement a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy of reject to lower the chance of spoofed or modified emails from valid domains. This is required for email that is sent from Supplier applications.
- In the event that Supplier Services include the management of ReloQuest client email systems, such systems must be configured and implemented to agreed-upon standards.
- Supplier shall utilize a secure collaboration platform that is enabled to restrict access and encrypt communications and ReloQuest Data.
- Supplier shall restrict access through encryption to ReloQuest Data stored on media that is physically transported from Supplier facilities.
- Security of Network Services. Supplier shall ensure that Industry Standard security controls and procedures for all network services and components are implemented whether such services are provided in-house or outsourced. In the event that Supplier Services include the management of network services and components owned by ReloQuest or its client, such services and components must be configured and implemented to agreed-upon standards.
- Intrusion Detection. Supplier shall deploy intrusion detection or intrusion prevention systems to provide continuous surveillance for intercepting and responding to security events as they are identified and update the signature database as soon as new releases become available for commercial distribution.
- Firewalls. Supplier shall have appropriate firewalls in place which will only allow documented and approved ports and services to be used. All other ports will be in a deny-all mode.
- Web Filtering. Supplier shall have a Web filtering policy in place to control the content that users can access over the Internet. This includes restricting the use of personal email and file sharing sites.
- System Acquisition, Development and Maintenance
- Workstation Encryption. Supplier will require Industry Standard full disk encryption on all workstations and/or laptops used by personnel, contractors and agents where such personnel are accessing or processing ReloQuest Data.
- Application Hardening.
- Supplier will maintain and implement secure application development policies, procedures, and standards that are aligned to Industry Standard practices such as the SANS Top 25 Software Errors and the OWASP Top Ten project. This applies to web application, mobile application, embedded software, and firmware development as appropriate.
- All personnel responsible for secure application design, development, configuration, testing, and deployment will be qualified to perform the Supplier Services and receive appropriate training regarding Supplier’s secure application development practices.
- System Configuration and Hardening.
- Supplier will establish and ensure the use of standard secure configurations of operating systems. Images should represent hardened versions of the underlying operating system and the applications installed on the system. Hardening includes the removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and use of host-based firewalls. These images should be validated on a regular basis to update their security configuration as appropriate.
- Supplier will perform periodic access reviews for system administrators at least quarterly for all supporting systems requiring access control.
- Supplier will implement patching tools and processes for operating systems and applications installed on the system. Supplier shall have a defined process to remediate findings and will ensure that critical and high-risk vulnerabilities are addressed within thirty (30) days. Supplier shall remediate medium risk vulnerabilities within ninety (90) days. When outdated systems can no longer be patched, Supplier will update to the latest version of the operating system and applications installed on the system. If this is not possible, Supplier shall notify ReloQuest so that an appropriate risk assessment can be conducted. Supplier will remove outdated, older, and unused software from the system. In the event that Supplier Services include patch management for operating systems and applications owned by ReloQuest or its client, Supplier shall document and implement an appropriate patching plan that includes agreed-upon remediation service level obligations.
- Supplier will limit administrative privileges to only those personnel who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system.
- Infrastructure Vulnerability Scanning. Supplier shall use Industry Standard and up-to-date products to scan its internal and external environment (e.g. servers, network devices, etc.) related to Supplier Services on a monthly basis. Supplier shall have a defined process to remediate findings and will ensure that critical and high-risk vulnerabilities are remediated within thirty (30) days. Supplier shall remediate medium risk vulnerabilities within ninety (90) days. Supplier will provide a summary of the vulnerability scanning results including any open remediation points upon request. In the event that Supplier Services include infrastructure vulnerability management for infrastructure owned by ReloQuest or its client, Supplier shall document and implement an infrastructure scanning and vulnerability remediation plan that is to be approved by ReloQuest.
- Application Vulnerability Assessment. Supplier will perform an application security vulnerability assessment prior to any new release. The test must cover all web application vulnerabilities defined by the Open Web Application Security Project (OWASP) or those listed in the SANS Top 25 Software Errors or its successor current at the time of the test. Supplier will ensure all high-risk vulnerabilities are remediated prior to release. Supplier will provide a summary of the vulnerability assessment results including any open remediation points upon request. Supplier shall have a defined process to remediate findings and will ensure that critical and high-risk vulnerabilities are addressed within thirty (30) days. Supplier shall remediate medium risk vulnerabilities within ninety (90) days. This applies to web application, mobile application, embedded software, and firmware development as appropriate to the Terms of Service. In the event that Supplier Services include application vulnerability management for applications owned by ReloQuest or its client, Supplier shall document and implement an application vulnerability assessment and remediation plan that is to be approved by ReloQuest.
- Penetration Tests and Security Evaluations of Websites. Supplier shall use an established Industry Standard program to perform external and internal penetration tests and security evaluations of all systems and websites involved in providing Supplier Services prior to use and on a recurring basis no less frequently than once in a twelve (12)-month period by an industry recognized independent third party. Supplier shall have a defined process to remediate findings and will ensure that any critical and high-risk vulnerabilities are addressed within thirty (30) days. Supplier shall remediate medium risk vulnerabilities within ninety (90) days.
- Supplier shall provide a summary of the penetration test and security evaluation, including any open remediation points, to ReloQuest upon request.
- Supplier shall maintain separate environments for production and non-production systems and developers should not have unmonitored access to production environments.
- Supplier Relationships
- Where other third-party applications or services must be engaged by Supplier, Supplier’s contract with any third-party must clearly state security requirements consistent with the security requirements of this Information Security Schedule which will be applied to the third party. In addition, service level agreements with the third party must be clearly defined.
- Any external third-party or resources gaining access to systems must be covered by a signed agreement containing confidentiality language consistent with the confidentiality and security requirements of the Terms of Service.
- Supplier will perform quality control and security management oversight of outsourced software development.
- Information Security Incident Management
- Incident Response Process
- Supplier shall maintain a record of Security Incidents noting the description of the Security Incident, the applicable time periods, the impact, the person reporting and to whom the Security Incident was reported, and the procedures to remediate the incident.
- In the event of a Security Incident identified by Supplier, ReloQuest, or other third party, Supplier shall (a) promptly investigate the Security Incident; (b) promptly provide ReloQuest with all relevant detailed information as reasonably requested by ReloQuest about the Security Incident; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
- The Supplier shall track disclosures of ReloQuest Data, including what type of data was disclosed, to whom, and the time of the disclosure.
- Compliance
- Legal and Contractual Requirements.
- Provisions regarding compliance with laws, intellectual property and data privacy are set forth in the Terms of Service.