
Vendor and Cloud Security


MALLINCKRODT

Doc Title: Vendor and Cloud Security

1. Purpose
1.1. The purpose of this policy is to outline the requirements related to managing the risk of
vendors accessing Company systems and information assets. This includes information
that is processed or stored in external cloud solutions.

2. Scope
2.1. Vendors and other third parties that have access to Company systems and information
assets and Cloud-based solutions including Software-as-a-Service (SaaS),
Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) or third party hosting
providers that store, maintain or process Company information or systems.

3. References
3.1. POLICY-0302 Enterprise Cyber Security Policy - Global
3.2. POLICY-0301 Business Continuity and Disaster Recovery
3.3. POLICY-0312 Acceptable Use of Technology

4. Definitions
4.1. Cloud Computing – includes software applications, data storage, computing systems,
networking systems, telephony, or other systems provided as a service by a non-Company
entity.

5. Responsibilities
5.1. The Chief Digital & Information Officer (CD&IO) – ownership of this policy.
5.2. Business Insights & Technology Solutions (BI&TS) Leadership – responsible for approving
requests for access to cloud-based solutions.
5.3. Cybersecurity organization – responsible for conducting risk assessment of vendors, other
third parties and cloud providers.
5.4. Information Risk Committee – responsible for approval of this policy and for approval of any
exceptions to this policy.

6. Policy
6.1. Vendor and Cloud Provider Controls
6.1.1. Vendors and Cloud Providers are expected to implement industry standard security
controls to mitigate risks that could impact the confidentiality, integrity, or availability of
company information.
6.1.2. Vendors and Cloud Providers shall have a process for ensuring and demonstrating that
appropriate levels of security controls have been implemented.
6.1.3. Vendors and Cloud Providers shall have evidence available for audit that demonstrates
the effectiveness of the information security program including policies, procedures,
training, preventive and detective controls and security awareness programs.

6.2. Risk Assessment


6.2.1. The Company shall have a risk assessment process in place to assess the risk associated
with Vendors, third parties and cloud solution providers to verify that appropriate
safeguards are in place to protect Company information.


CONFIDENTIAL AND PROPRIETARY Doc #:POLICY-0304 Rev:6 Vault:CLT-IT Effective Release Date:17 Jan 2022 Valid as of:18 Jan 2022

6.2.2. Internal Controls Assurance reports shall be made available for review as part of the risk
assessment process. The Company shall have the ability to follow up on any control
deficiencies or areas that require additional information or assurance.

6.3. Contracts
6.3.1. Contracts for vendors, third parties and cloud solution providers shall include appropriate
security addendum language.
6.3.2. Contracts shall have a right to audit clause that allows the Company to conduct annual
audits.
6.3.3. All security, privacy and other BI&TS Leadership requirements shall be appropriately
addressed by the vendor, third party or Cloud Computing vendor prior to business use.
6.3.4. In the event of a breach that impacts Company Information, vendors, third parties and
cloud providers shall notify BI&TS Leadership without delay but no later than 72 hours
after having become aware of the breach.

6.4. Personal Cloud Solutions


6.4.1. The use of personal cloud services/accounts is prohibited for the storage, processing, or
exchange of company-related communications or company-owned data.

6.5. Exceptions to this policy –


6.5.1. Shall be granted based on a risk assessment with mitigating controls that represents a low
risk to the Company. Based on the associated risk of the solution, review and approval by
the Information Risk Committee may be necessary.

7. Attachments

7.1. None

8. Revision History

Revision No.   Change Description

6              Updated title for POLICY-0301 to Business Continuity and Disaster Recovery in Reference Section


Signature Manifest
Document Number: POLICY-0304 Revision: 6
Title: Vendor and Cloud Security
All dates and times are in UTC.

impacts for POLICY-0301 title update

DCC Review

Name/Signature Title Date Meaning/Reason


Jane Parikh (JANE.PARIKH) Sr. Manager, EQMS 13 Jan 2022, 07:33:14 PM Approved

Collaboration

Name/Signature Title Date Meaning/Reason


Kimberly Valente (KIMBERLY.VALENTE) Document Control Specialist 14 Jan 2022, 01:21:44 PM Complete

Doc Control Review

Name/Signature Title Date Meaning/Reason


Michelle Cameron (MICHELLE.CAMERON) 14 Jan 2022, 07:30:24 PM Complete

Approval

Name/Signature Title Date Meaning/Reason


Kimberly Valente (KIMBERLY.VALENTE) Document Control Specialist 14 Jan 2022, 08:38:15 PM Approved

Final QA Approval

Name/Signature Title Date Meaning/Reason


Jane Parikh (JANE.PARIKH) Sr. Manager, EQMS 17 Jan 2022, 02:18:27 PM Approved

Training

Name/Signature Title Date Meaning/Reason


Veronica Hansen (VERONICA.HANSEN) LMS Specialist 17 Jan 2022, 02:52:16 PM Approved

Set Dates

Name/Signature Title Date Meaning/Reason


Michelle Cameron (MICHELLE.CAMERON) 17 Jan 2022, 04:06:13 PM Approved

Notification

Name/Signature Title Date Meaning/Reason


Kimberly Valente (KIMBERLY.VALENTE) Document Control Specialist 17 Jan 2022, 04:06:13 PM Email Sent
