Supplier Information Security Requirements
Effective Date: 10/18/2021
All Suppliers with whom Minitab, LLC, or a Minitab, LLC Affiliate (collectively “Minitab”), shares Minitab Data in support of Minitab business operations, are expected to comply with Minitab’s Supplier Information Security Requirements.
“Minitab Data” is: Personally Identifiable Information and/or Personal Health Information of any employee, customer, or vendor of Minitab, or any other information provided to Supplier from Minitab including but not limited to corporate and financial data, that, if disclosed to unauthorized parties, could result in a negative impact to an employee, customer, or vendor of Minitab, or Minitab’s business operations and interests.
1.1 INFORMATION SECURITY POLICY
1.1.1 Supplier shall have documented information security policies in place to ensure the confidentiality, integrity, and availability of Supplier and Minitab Data.
1.1.2 Supplier shall have a formal policy and supporting practices for classifying information within its organization.
1.1.3 Supplier shall review its information security policies annually to ensure the policies address new threats. Supplier’s review shall reasonably foresee internal or external risks to the security, confidentiality, and integrity of electronic, paper and other records containing Minitab Data and, where necessary, evaluate and improve the effectiveness of its safeguards for limiting identified risks.
1.2 INFORMATION SECURITY ORGANIZATION
1.2.1 Supplier shall designate an individual responsible for information security within its organization and have defined information security roles and responsibilities throughout the organization. Supplier shall provide the name and contact information of its designated individual upon request.
1.2.2 Supplier shall ensure non-disclosure agreements are in place with any contractor, subcontractor, and other related parties who have access to Supplier’s internal networks and/or will store, process or transmit Minitab Data.
1.2.3 Supplier shall conduct assessments of its contractors, subcontractors and other related parties before sharing Minitab Data with them, establishing a network-to-network connection between their network and the Supplier’s internal network, or having them host a website or web application containing Minitab Data.
1.2.4 Supplier shall be responsible for ensuring applicable security requirements are included in contracts with, and are met by, all Supplier contractors, subcontractors and other related parties who have access to, or will store, process or transmit Minitab Data or will host a website containing Minitab Data.
1.3 ASSET MANAGEMENT
1.3.1 Supplier shall maintain an inventory of its hardware and software assets that documents the identification, ownership, usage, location and configuration for each item that stores, processes, or transmits Minitab Data.
1.3.2 Supplier shall maintain documentation and other records of baseline system and security configurations, including configuration changes, for all hardware and software system components that store, process, or transmit Minitab Data.
1.3.3 Supplier shall have formal policies and practices for performing risk assessments of its software, systems and facilities that store, process, or transmit Minitab Data.
1.3.4 Supplier shall have controls in place to ensure that its employees, contractors and other users abide by acceptable use and other policies, so as to ensure compliance with these Minitab Supplier Information Security Requirements as well as Supplier's own requirements.
1.4 REQUIRED NOTICE
1.4.1 Supplier shall report to Minitab without undue delay, and within the period specified by applicable law, any actual or suspected breach, incident, or other unauthorized disclosure of Minitab Data.
1.5 CONFIDENTIAL INFORMATION
1.5.1 Supplier agrees to the obligation to keep confidential information and trade secrets confidential after agreement expiration. Cybersecurity document storage guidelines are covered in the policy document stored in Logic Manager: Procedure for Document and Record Control.
1.5.2 Minitab shall retain the right to access information stored or processed by the supplier/partner.
1.5.3 Minitab retains the right to audit or monitor the use of confidential information and to monitor agreement execution at the supplier's/partner's facility, including whether the audits may be carried out by third parties, and to specify the rights of auditors.
1.5.4 Supplier shall take the actions required after agreement expiration (return, destruction or erasure of confidential information, return of equipment, etc.) to ensure the protection of confidential information and to ensure business continuity in the organization, as addressed in the policy stored in Logic Manager: Data Destruction and Records Disposal.
1.5.5 Minitab retains the right to ensure access to reports by internal and external auditors, and to other reports related to the business operations of suppliers/partners, which could be relevant to the organization in the case of a breach or cybersecurity incident, or a failure to certify/recertify with a reporting agency or within a framework such as ISO, NIST or SOC.