I. Glossary

Security Regulation: A set of regulations promulgated and enforced by the supervisory national authorities.
Electronic Protected Health Information (ePHI): Individually identifiable health information, including demographic information collected from an individual, that is protected by government law and related laws and regulations, and is transmitted by, or maintained in, electronic media. ePHI includes information that identifies an individual, or might reasonably be used to identify an individual, and relates to: an individual’s past, present or future physical or mental health or condition; the provision of health care to an individual; or the past, present or future payment for health care to an individual. Individually identifiable health information includes, but is not limited to, many common identifiers (e.g., name, address, birth date, Social Security Number).
Multifactor Authentication (MFA): An electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: something only the user knows, something only the user has, or something only the user is.
Nonpublic Information (NPI): All electronic information that is not publicly available, such as business-related information the unauthorized disclosure, access or use of which would cause a material adverse impact to the operations or security of the business; any combination of information concerning an individual which, because of a name, number, personal mark, or other identifier, can be used to identify that individual; and any health care information or data, except age or gender, in any form or medium, created by or derived from a health care provider or an individual.
Personally Identifiable Information (PII): Any data that is not available to the general public and that could potentially be used to identify a particular person. Examples include full name, mailing address, email address, Social Security number, driver’s license number, bank account number, and passport number.
Penetration Testing Program: The practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. The main objective of penetration testing is to identify security weaknesses, report those weaknesses to management, and remediate them in a systematic way.
Risk Assessment: The combined effort of identifying and analyzing potential events that may negatively impact an organization’s assets and/or the environment; making judgments based on the likelihood and impact of those negative events; and addressing those events in a systematic way.
Service Level Agreement (SLA): A commitment between a service provider and a client that covers the services to be provided and sets out the quality standards required of the provider to guarantee client satisfaction.
Third Party Service Provider (TPSP): A person or entity that provides services and maintains, processes or otherwise is permitted access to an organization’s Nonpublic Information through its provision of services to that organization. A third party is not an affiliate of Kelyon.
Vulnerability Management: The systematic practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.

II. Policy Scope

This Policy establishes the requirements by which Kelyon manages the security risks associated with Third Party Service Providers (TPSPs) and all other contracted provider arrangements. The intent is to ensure that the security of Kelyon information and information assets is not reduced when exchanging information with third parties or by the introduction of third party products or services into the Kelyon environment.

This Policy covers all Kelyon TPSPs and all other contracted provider arrangements. All Kelyon employees, as well as third parties and contractors, are required to comply with this Policy.


III. Policy Statement

Risk Management

Kelyon manages and addresses the security risk of TPSPs that may have access to Kelyon’s data or provide products or services to Kelyon. As a mitigation measure, specific information security requirements must be included in the agreement with the third party. These agreements shall ensure compliance with all Kelyon policies and regulatory requirements, where applicable.


Objectives

  • Kelyon establishes a Risk Assessment process to identify, measure, mitigate, and monitor risks to Kelyon’s data, information systems, and Nonpublic Information (NPI) accessible to, or held by, third parties.
  • Kelyon maintains a current and accurate listing of all TPSPs and conducts a Risk Assessment of current TPSPs periodically and prospective TPSPs when necessary.
  • RGI will inform management of the risks associated with outsourcing agreements to ensure effective risk management practices.

Third Party Risk Assessment

  • The risk assessment is conducted with the M-TPR-01 Third Party Risk Assessment form to identify the risks of using a TPSP and to determine whether the third party’s practices could have a negative impact on Kelyon. Elements of a TPSP questionnaire include:
    • financial condition,
    • reputation,
    • security practices,
    • insurance coverage, and
    • critical third parties.
  • Kelyon applies all applicable mitigation measures to reduce the risks as far as possible according to the state of the art, and on that basis decides whether to pursue the relationship with the TPSP or to qualify the prospective TPSP.

Risk Assessment Criteria

  • For each element to be assessed, the risk level is evaluated according to the following criteria:
    • 1: Low
    • 2: Medium
    • 3: High
  • Each hazard situation is evaluated in terms of the severity of the hazard and the probability of its occurrence.
  • Mitigation measure effectiveness is evaluated according to the following criteria:
    • 1: Unsatisfactory
    • 2: Limited
    • 3: Satisfactory
    • 4: Good
    • 5: Very High
  • Risk acceptability criteria are the following:
    • <=1: Acceptable
    • >1 and <=2: As far as possible
    • >2: Unacceptable

Third Party Service Reporting

  • Kelyon will monitor the services, reports, audits, and records provided by a TPSP and review them according to PRQ 7.4A Qualificazione e Monitoraggio Fornitori.

IV. Policy Approval

Kelyon will review this Policy periodically (at least every 3 years) for accuracy, completeness, and applicability.