Vendor and Cloud Security
1. Purpose
1.1. The purpose of this policy is to outline the requirements related to managing the risk of
vendors accessing Company systems and information assets. This includes information
that is processed or stored in external cloud solutions.
2. Scope
2.1. This policy applies to vendors and other third parties that have access to Company
systems and information assets, and to cloud-based solutions, including
Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or
Infrastructure-as-a-Service (IaaS), or third-party hosting providers, that store,
maintain or process Company information or systems.
3. References
3.1. POLICY-0302 Enterprise Cyber Security Policy - Global
3.2. POLICY-0301 Business Continuity and Disaster Recovery
3.3. POLICY-0312 Acceptable Use of Technology
4. Definitions
4.1. Cloud Computing – includes software applications, data storage, computing systems,
networking systems, telephony, or other systems provided as a service by a non-Company
entity.
5. Responsibilities
5.1. The Chief Digital & Information Officer (CD&IO) – ownership of this policy.
5.2. Business Insights & Technology Solutions (BI&TS) Leadership – responsible for approving
requests for access to cloud-based solutions.
5.3. Cybersecurity organization – responsible for conducting risk assessment of vendors, other
third parties and cloud providers.
5.4. Information Risk Committee – responsible for approval of this policy and for approval of any
exceptions to this policy.
6. Policy
6.1. Vendor and Cloud Provider Controls
6.1.1. Vendors and Cloud Providers are expected to implement industry standard security
controls to mitigate risks that could impact the confidentiality, integrity, or availability of
Company information.
6.1.2. Vendors and Cloud Providers shall have a process for ensuring and demonstrating that
appropriate levels of security controls have been implemented.
6.1.3. Vendors and Cloud Providers shall have evidence available for audit that demonstrates
the effectiveness of the information security program including policies, procedures,
training, preventive and detective controls and security awareness programs.
CONFIDENTIAL AND PROPRIETARY Doc #:POLICY-0304 Rev:6 Vault:CLT-IT Effective Release Date:17 Jan 2022 Valid as of:18 Jan 2022
MALLINCKRODT
Doc Title: Vendor and Cloud Security
6.2.2. Internal Controls Assurance reports shall be made available for review as part of the risk
assessment process. The Company shall have the ability to follow up on any control
deficiencies or areas that require additional information or assurance.
6.3. Contracts
6.3.1. Contracts for vendors, third parties and cloud solution providers shall include appropriate
security addendum language.
6.3.2. Contracts shall have a right to audit clause that allows the Company to conduct annual
audits.
6.3.3. All security, privacy and other BI&TS Leadership requirements shall be appropriately
addressed by the vendor, third party or Cloud Computing vendor prior to business use.
6.3.4. In the event of a breach that impacts Company Information, vendors, third parties and
cloud providers shall notify BI&TS Leadership without delay but no later than 72 hours
after having become aware of the breach.
7. Attachments
7.1. None
8. Revision History
Signature Manifest
Document Number: POLICY-0304 Revision: 6
Title: Vendor and Cloud Security
All dates and times are in UTC.
DCC Review
Collaboration
Approval
Final QA Approval
Training
Set Dates
Notification
Kimberly Valente Document Control Specialist 17 Jan 2022, 04:06:13 PM Email Sent
(KIMBERLY.VALENTE)