Security Requirements for Suppliers with Access to Sensitive information

These security requirements are mandatory for Suppliers accessing Scout's sensitive systems, data, applications, and working areas.

  1. Non-Disclosure Agreements: Suppliers must have non-disclosure agreements before sharing confidential data.

  2. Background Checks: The supplier must conduct a background check on all employees before granting access to confidential data.

  3. Certifications: The supplier must possess certifications or designations concerning data security and privacy equal to ISO 27001.

  4. Right to Audit: Scout can audit the supplier at any time for due cause.

  5. Disaster Recovery and Business Continuity: The supplier must establish a Disaster Recovery and Business Continuity plan to ensure access to or use of Scout data.

  6. Protection of Data: The supplier must implement protections to prevent unauthorized access, alteration, disclosure, or misuse of confidential information.

  7. Data Destruction: The supplier must wipe all confidential data from systems/servers when they retire and use only encrypted removable media to transfer that information.

  8. Device Encryption: Using an industry-standard algorithm, the supplier must encrypt all devices that process or store confidential data.

  9. Encryption at Rest and In Transit: The supplier must encrypt all data at rest and in transmission.

  10. Documented Security Policies: The supplier must create written security policies, including system hardening and secure configuration standards.

  11. Antivirus: The supplier must install commercial antivirus software on all endpoints and servers, with a minimum daily automatic update of signatures or approved Next Generation antivirus.

  12. Patch Management: The supplier must apply security patches regularly on all endpoints and servers, with critical security patches applied within 48 hours of release.

  13. Intrusion Detection: The supplier must protect all systems accessible via the Internet or storing or transmitting data using an intrusion detection and prevention system.

  14. Vulnerability Management: The supplier must regularly scan all servers and applications for vulnerabilities, including missing patches, outdated software versions, and certificate issues.

  15. Penetration Testing: The supplier must subject internet-facing systems and applications to regular third-party penetration testing to identify and remediate all critical or high-risk vulnerabilities.

  16. Security Incident Response: The supplier must maintain and regularly test an incident response plan for handling security incidents.

  17. Information Security Training and Awareness Program: All persons accessing Scout data must receive training on security policies and procedures and demonstrate ongoing security awareness before accessing Scout data.

  18. Access Control: The supplier must implement role-based access controls for all user permissions, enforcing the principle of least privilege.

  19. User Audit: The supplier must conduct regular audits to ensure that terminated users can no longer access the system and that users who change job roles no longer retain unnecessary permissions.

  20. Log Review: The supplier must have a routine procedure to review system logs for unauthorized access on all systems processing or storing Scout data.

  21. Risk Management: The supplier must conduct regular risk assessments and implement a risk management program with negotiated remediation deadlines for identified gaps.

  22. User IDs and Password Controls: All authorized users must receive a unique username and a strong password, with passwords changed at least every 90 days or immediately if revealed or compromised.

  23. Multi-Factor Authentication: The supplier must protect access over the Internet to systems processing Scout data with Multi-factor authentication, such as a one-time passcode.

  24. Subcontractors: These security requirements also apply to any subcontractor or supplier to the supplier.