I. Glossary

Security Regulation: A set of regulations promulgated and enforced by the supervisory national authorities.

Electronic Protected Health Information (ePHI): Individually identifiable health information, including demographic information collected from an individual, that is protected by government law and related regulations, and is transmitted by, or maintained in, electronic media. ePHI includes information that identifies an individual, or might reasonably be used to identify an individual, and relates to: an individual’s past, present or future physical or mental health or condition; the provision of health care to an individual; or the past, present or future payment for health care to an individual. Individually identifiable health information includes, but is not limited to, many common identifiers (e.g., name, address, birth date, Social Security Number).

Multifactor Authentication (MFA): An electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: something only the user knows, something only the user has, or something only the user is.

Nonpublic Information (NPI): All electronic information that is not publicly available, namely: business-related information the unauthorized disclosure, access or use of which would cause a material adverse impact to the operations or security of the business; any combination of information concerning an individual which, because of name, number, personal mark, or other identifier, can be used to identify such individual; and any health care information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual.

Personally Identifiable Information (PII): Any data that is not available to the general public and that could potentially be used to identify a particular person. Examples include full name, mailing address, email address, Social Security number, driver’s license number, bank account number, and passport number.

Penetration Testing Program: The practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. The main objective of penetration testing is to identify security weaknesses, report those weaknesses to management, and remediate them in a systematic way.

Risk Assessment: The combined effort of: identifying and analyzing potential events that may negatively impact an organization’s assets and/or the environment; making judgments based on the likelihood and impact of those events; and addressing them in a systematic way.

Service Level Agreement (SLA): A commitment between a service provider and a client that covers the services to be provided and sets out the quality standards the provider must meet to guarantee client satisfaction.

Third Party Service Provider (TPSP): A person or entity that provides services and maintains, processes or is otherwise permitted access to an organization’s Nonpublic Information through its provision of services to that organization. A third party is not an affiliate of Kelyon.

Vulnerability Management: The systematic practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.


II. Policy Scope

This Policy establishes the requirements by which Kelyon manages the security risks associated with Third Party Service Providers (TPSPs) and all other contracted provider arrangements. Its intent is to ensure that the security of Kelyon information and information assets is not reduced when exchanging information with third parties or when third party products or services are introduced into the Kelyon environment.

This Policy covers all Kelyon TPSPs and all other contracted provider arrangements. All Kelyon employees, as well as third parties and contractors, are required to comply with this Policy.


III. Policy Statement

Risk Management

Kelyon shall manage and address the security risk of TPSPs that may have access to Kelyon’s data or provide products or services to Kelyon.


Objectives

    • Kelyon will establish a Risk Assessment process to identify, measure, mitigate, and monitor risks to Kelyon’s data, information systems, and Nonpublic Information (NPI) accessible to, or held by, third parties.
    • Kelyon will establish a due diligence process for prospective TPSPs, which addresses, at a minimum, a TPSP’s:
      • financial condition,
      • reputation,
      • security practices,
      • insurance coverage,
      • critical third parties, and
      • strategic partners.
    • Kelyon will perform a periodic review of adherence to Service Level Agreements (SLAs), security measures, and contractual and regulatory requirements.
    • Kelyon will maintain a current and accurate listing of all TPSPs and conduct a Risk Assessment of each one periodically.
    • RGI will inform the management of the risks associated with outsourcing agreements to ensure effective risk management practices.


Third Party Risk Assessment

    • During the qualification of a TPSP, Kelyon will use a checklist or questionnaire to identify the risks of engaging that TPSP and to determine whether the third party’s practices could have a negative impact on Kelyon. Elements of a TPSP questionnaire should include the TPSP’s:
      • Need to access NPI, Personally Identifiable Information (PII), or Electronic Protected Health Information (ePHI)
      • Need to access financial or confidential data
      • Need to access Kelyon’s internal network
      • Maintenance of a vulnerability and penetration testing program
      • Security insurance or other related insurance coverage
      • Involvement in any recent cyberattack or data breach
      • Compliance with applicable government laws and regulations
    • Kelyon will review the checklist or questionnaire to evaluate and mitigate risks if possible and to decide whether to pursue the relationship with the third party.
    • Kelyon will conduct further due diligence to analyze whether the TPSP meets Kelyon’s needs and regulatory requirements.


Third Party Review

    • Kelyon will have a review program to ensure TPSPs are delivering the quantity and quality of services expected and/or agreed upon.
    • Kelyon will monitor the key aspects of its relationships with third parties, including the security controls and financial strength of each third party, and the impact of any external events on its relationships with third parties.


Third Party Tracking

    • To increase monitoring effectiveness, Kelyon will periodically rank TPSP relationships according to risk to determine which service providers require closer monitoring.
    • Relationships with third parties that Kelyon has determined to be higher risk will receive more stringent monitoring of their performance.


Third Party Service Reporting

    • Kelyon will monitor the service, reports, audits, and records provided by a TPSP and review them.


IV. Policy Approval

Kelyon will review this Policy periodically (at least every 3 years) for accuracy, completeness, and applicability.