| № | Requirement | Category | Description |
|---|---|---|---|
| 01 | Non-Disclosure Agreements | CONTRACTUAL | Suppliers must have non-disclosure agreements in place before confidential data is shared with them. |
| 02 | Background Checks | PEOPLE | The supplier must conduct a background check on all employees before granting them access to confidential data. |
| 03 | Certifications | EQUIVALENCE | The supplier must hold certifications or designations for data security and privacy equivalent to ISO 27001. |
| 04 | Right to Audit | GOVERNANCE | Scout may audit the supplier at any time for due cause. |
| 05 | Disaster Recovery & Business Continuity | RESILIENCE | The supplier must establish a Disaster Recovery and Business Continuity plan that ensures continued access to, or use of, Scout data. |
| 06 | Protection of Data | CONTROLS | The supplier must implement protections that prevent unauthorized access, alteration, disclosure, or misuse of confidential information. |
| 07 | Data Destruction | CONTROLS | The supplier must wipe all confidential data from systems and servers when those systems are retired, and must use only encrypted removable media to transfer that information. |
| 08 | Device Encryption | CONTROLS | The supplier must encrypt, using an industry-standard algorithm, all devices that process or store confidential data. |
| 09 | Encryption at Rest & In Transit | CONTROLS | The supplier must encrypt all data at rest and in transit. |
| 10 | Documented Security Policies | GOVERNANCE | The supplier must maintain written security policies, including system-hardening and secure-configuration standards. |
| 11 | Antivirus | CONTROLS | The supplier must install commercial antivirus software on all endpoints and servers, with at minimum daily automatic signature updates — or an approved Next-Generation antivirus equivalent. |
| 12 | Patch Management | SLA · 48H | The supplier must apply security patches regularly on all endpoints and servers. Critical security patches must be applied within 48 hours of release. |
| 13 | Intrusion Detection | CONTROLS | The supplier must protect all systems that are accessible from the Internet, or that store or transmit data, with an intrusion detection and prevention system. |
| 14 | Vulnerability Management | CONTROLS | The supplier must regularly scan all servers and applications for vulnerabilities, including missing patches, outdated software versions, and certificate issues. |
| 15 | Penetration Testing | THIRD-PARTY | The supplier must subject internet-facing systems and applications to regular third-party penetration testing, and must remediate all critical- or high-risk findings. |
| 16 | Security Incident Response | RESILIENCE | The supplier must maintain, and regularly test, an incident response plan for handling security incidents. |
| 17 | Security Training & Awareness | PEOPLE | All persons must receive training on security policies and procedures, and demonstrate ongoing security awareness, before they are given access to Scout data. |
| 18 | Access Control | LEAST-PRIVILEGE | The supplier must implement role-based access controls for all user permissions, enforcing the principle of least privilege. |
| 19 | User Audit | GOVERNANCE | The supplier must conduct regular audits to confirm that terminated users can no longer access the system, and that users who change job roles do not retain permissions they no longer need. |
| 20 | Log Review | GOVERNANCE | The supplier must have a routine procedure for reviewing system logs for unauthorized access on all systems that process or store Scout data. |
| 21 | Risk Management | GOVERNANCE | The supplier must conduct regular risk assessments and operate a risk management program with negotiated remediation deadlines for identified gaps. |
| 22 | User IDs & Password Controls | ROTATE · 90D | Every authorized user must be issued a unique username and a strong password. Passwords must be changed at least every 90 days, or immediately if revealed or compromised. |
| 23 | Multi-Factor Authentication | REQUIRED | The supplier must protect Internet access to systems that process Scout data with multi-factor authentication, such as a one-time passcode. |
| 24 | Subcontractors | FLOW-DOWN | These security requirements also apply to any subcontractor or supplier-to-the-supplier. |