Vendor & Third-Party Risk Management Policy

Effective Date: 30th January 2025

Review Intervals: 6 months or as required
Approved by: Luke McFarland

  1. Purpose

The purpose of this policy is to establish a structured approach for assessing, managing, and monitoring risks associated with third-party vendors, suppliers, contractors, and cloud service providers. This ensures that all third parties comply with security, regulatory, and contractual obligations to protect McFarland Consulting & Advisory’s data, systems, and operations.

  2. Scope

This policy applies to all third-party relationships, including:

  • Suppliers (goods and services)
  • Contractors & Consultants
  • Cloud Service Providers (CSPs)
  • Business Process Outsourcing (BPO) Vendors
  • Any external entity with access to company data or systems

  3. Roles & Responsibilities

  • McFarland Consulting & Advisory (Owner): Oversees policy implementation, compliance, and enforcement.
  • Procurement & Legal Teams: Ensure contracts include security & compliance requirements.
  • IT & Security Teams: Conduct risk assessments, audits, and monitor vendor security controls.
  • Business Unit Leaders: Identify and escalate vendor risks within their departments.

  4. Vendor Risk Management Process

4.1 Due Diligence & Risk Assessment

  • Pre-Engagement Review:
    • Evaluate vendors based on security posture, financial stability, and compliance (e.g., SOC 2, ISO 27001, GDPR).
    • Conduct risk categorization (Low/Medium/High) based on data sensitivity and access levels.
  • Questionnaires & Documentation:
    • Require vendors to complete a Security Assessment Questionnaire (SAQ).
    • Validate certifications, incident response plans, and breach notification processes.

4.2 Contractual Obligations

All contracts must include:

  • Data Protection & Confidentiality: Adherence to applicable laws (e.g., GDPR, CCPA).
  • Security Requirements: Encryption, access controls, and audit rights.
  • Incident Reporting: Mandatory breach notification within [X] hours.
  • Right to Audit: McFarland reserves the right to conduct security audits.
  • Termination Clauses: For non-compliance with security standards.

4.3 Ongoing Monitoring & Audits

  • Annual Reviews: Reassess high-risk vendors annually.
  • Continuous Monitoring: Use automated tools to track vendor security posture.
  • Audits: Conduct periodic audits for critical vendors (e.g., cloud providers).

  5. Compliance & Enforcement

  • Non-Compliance: Vendors failing to meet requirements may face contract termination.
  • Internal Accountability: Employees must report non-compliant vendors to the Security Team.

  6. Policy Review & Updates

This policy will be reviewed annually or as needed to align with regulatory changes and emerging threats.

Approval:
Luke McFarland