For security, compliance, and ethical reasons, Catalyst is dedicated to maintaining firm control of its vendor relationships.
This policy will govern goods or services provided to Catalyst by a vendor, and the relationship that Catalyst maintains with those vendors.
Business Owners of vendors are responsible for maintaining Catalyst's relationship with the vendor and the controls for the risk that relationship poses to Catalyst. Business Owners should recognize when the nature of a vendor relationship changes and submit "new risks" accordingly.
- Appropriate vendors will have an assigned Business Owner who is responsible for ensuring proper controls, supply chain consideration, and oversight are in place for the vendor.
- Catalyst will maintain a vendor database according to the following criteria: access, service type, importance, and risk score.
- Vendors categorized as "Critical" should have a designated backup vendor.
- All vendors not categorized as "Supplier-Only" should have a Non-Disclosure Agreement with Catalyst.
- If a vendor intends to subcontract any portion of the services that Catalyst uses, that subcontracting should be a qualified and accepted risk.
- New vendors will undergo a "New Risk" evaluation as defined by the Risk Management Policy.
- The SCC must qualify new vendors unless they are medium or low importance supply-only vendors. The SCC reserves the right to require a BOS committee vote on any new vendor.
- All new vendors of Catalyst will undergo a "New Risk" evaluation as defined by the Risk Management Policy.
- The Security and Compliance Committee should qualify new vendors unless they are medium or low importance supply-only vendors. The SCC reserves the right to require a Business Operations and Strategy committee vote on any new vendor.
- High-risk vendors should be re-evaluated annually and/or if the conditions of their business change.
- If the risk score changes from the previous assessment, a vendor should be re-submitted for qualification and approval as defined by the Risk Management Policy.
Violations of the policy will be met with corrective action with the possibility of disciplinary action up to, and including, termination of access to Catalyst facilities and systems, or other actions as defined in the contract with the Vendor.
There are no exceptions to this policy.
Owner: Security and Compliance Committee
$Date: 2019-01-14 07:48:21 -0700 (Mon, 14 Jan 2019) $
$Revision: 473301 $