Vendor management policy - codemagic-ci-cd/company-handbook GitHub Wiki

Approved by: Martin Remmelgas

Purpose

This document describes the actions and behaviors required to ensure that due care is taken to avoid inappropriate risks to Codemagic from any of its vendors.

This document helps in vendor selection, setting contractual expectations, security and compliance requirements, performance monitoring, and contingency planning.

Frequency

Vendors must be evaluated before any of their services are taken into use.

Procedure

Before vendor selection can start, bring the new vendor you want to take on to the attention of your team lead or management. Be prepared to explain:

  1. why you need to use the new vendor
  2. why we cannot continue as is
  3. what you expect from the new vendor

If there is interest in using the vendor, the vendor review process below must be completed before the vendor is adopted at Codemagic.

Security and compliance requirements

The steps are completed in order:

  1. Data classification
    1. Is sensitive data shared with the vendor? If not, the vendor is low risk. If so:
      1. Is customer data shared? - high risk
      2. Is personal data shared? - medium risk (name and email alone do not count as personal data here)
  2. Risk assessment begins if medium or high risk is identified
  3. Review the vendor's security controls and identify gaps
    1. Request information from the vendor if necessary
  4. Report on the vendor's security controls and the risks identified
  5. Evaluate and choose
    1. The business owner accepts the risks and, if so, records how they will be mitigated
    2. The business owner chooses not to work with the vendor
  6. Re-evaluate vendors as necessary
    1. For high risk vendors, complete the vendor assessment once a year
    2. For medium and low risk vendors, complete the assessment on material change

All vendor software is inventoried regardless of its data classification.

Contingency planning

If the vendor experiences downtime, what is the risk?

  1. Will the vendor affect our customers if there is an incident?
  2. What will we do if we need to switch vendors?

Setting contractual expectations

  1. Holding up our SLA to our customers

We have contractual obligations to our customers regarding service uptime. For business critical vendors it is important to understand how the vendor communicates about issues and what resolution times or uptime guarantees the vendor can provide.

Recommended:

  1. uptime guarantee of 99.8% or higher
  2. 24/7 support
  3. account manager
  4. Renewals

Contracts shall not contain a clause that automatically renews the contract for the next term. Every renewal must be approved by us.

Performance monitoring

Business critical vendors are required to have a performance monitoring plan in place while they are in use.

Use these four areas (security and compliance requirements, contingency planning, contractual expectations, and performance monitoring) to assess new vendors and to decide whether a particular vendor is acceptable and which one to choose.