Supplier & Third-Party Security Policy
Document Number: ISMS-POL-STP-01
Classification: L1 — Policy (Domain)
Version: 0.1.2
Effective Date: February 18, 2026
Author: Lucas Shin — Security Director
Approved By: Richard — CISO
Next Review Date: February 2027
Parent Policy: Information Security Policy (ISMS-POL-ISP-01)
1. Purpose
This policy defines the security requirements for third-party relationships — including SaaS tool providers, collaboration partners, contractors, and cross-tenant entities — to ensure that external parties do not introduce unacceptable risk to Cybercraft information assets.
This policy addresses the supply chain and external access dimension, complementing the internal controls defined in the M365 Workspace & Access Policy (ISMS-POL-M365-01) and personnel controls in the Human Resource Security Policy (ISMS-POL-HR-01).
2. Scope
2.1 Applicable Third Parties
- SaaS tool providers used by Cybercraft for business operations (Notion, Slack, Jira, etc.)
- Level 3 Collaboration Partners — external clients, suppliers, and project-based collaborators with guest access to Cybercraft Teams
- Cross-tenant entities — Techtype and HVT, which share resources and personnel with Cybercraft
- Contractors and subcontractors — external individuals performing work for Cybercraft (also covered by Human Resource Security Policy, ISMS-POL-HR-01)
2.2 Out of Scope
- Cybercraft internal employees (Level 1) — covered by BYOD Security Policy (ISMS-POL-BYOD-01) and HR Security Policy (ISMS-POL-HR-01)
- Microsoft 365 platform configuration — covered by M365 Workspace & Access Policy (ISMS-POL-M365-01)
3. SaaS Tool Security Assessment
3.1 Assessment Requirement
Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 7.1:
When a user requires a SaaS tool not available via VPP/managed deployment or not already approved, a security assessment must be conducted before use.
3.2 Assessment Criteria
| Criterion | Minimum Requirement | Evidence |
|---|---|---|
| Authentication | Supports SSO (SAML/OIDC) or MFA | Vendor documentation / settings page |
| Data Residency | Data stored in acceptable jurisdiction (AU, NZ, US, EU) | Vendor privacy policy / data processing agreement |
| Encryption | TLS 1.2+ in transit; encryption at rest | Vendor security page / SOC 2 report |
| Data Export | Ability to export/delete Cybercraft data upon contract termination | Vendor terms of service |
| Compliance | SOC 2, ISO 27001, or equivalent (preferred, not mandatory for low-risk tools) | Vendor compliance page / certificate |
| Data Sharing | No sharing of Cybercraft data with third parties without consent | Vendor privacy policy |
| AI / ML Data Handling | Training opt-out guarantee mandatory. Enterprise/Team Plan or above required for corporate data processing. Explicit prohibition on using customer data for model training required. | Vendor AI policy / Terms of Service / Data Processing Agreement |
3.3 Additional Assessment Criteria for AI Services
For services that include AI capabilities or are generative AI services, the following criteria must be assessed in addition to the baseline criteria in §3.2:
| Criterion | Minimum Requirement |
|---|---|
| Training Data Policy | Contractual commitment that customer input data will not be used for model training |
| Data Retention Period | Input data automatically deleted after session end, or retention period explicitly stated |
| Output Ownership | Intellectual property rights of AI outputs explicitly attributed to the customer |
| Access Path Control | Verify whether access via ADUE Managed Browser (Edge) is supported |
Note: Post-approval operational policies for AI services (account separation, data context isolation, usage restrictions) are defined in the Application & Data Governance Policy (ISMS-POL-ADG-01).
3.4 Assessment Process
| Step | Action | Owner |
|---|---|---|
| 1 | User submits SaaS tool request with business justification and data types involved | End User |
| 2 | Security Director evaluates against assessment criteria (§3.2; §3.3 additionally applied for AI services) | Lucas |
| 3 | Risk classification: High (handles Confidential data or AI with corporate data input), Standard (General data only) | Lucas |
| 4 | High-risk tools: CISO approval required. Standard tools: Security Director may approve. | Lucas / Richard |
| 5 | Approved tool added to Approved SaaS Register with review date. Operational policies applied per Application & Data Governance Policy (ISMS-POL-ADG-01). | Lucas |
3.5 Shadow IT Prevention
- All SaaS tools used for Cybercraft business must be on the Approved SaaS Register
- Use of unapproved SaaS tools to process Cybercraft data constitutes a policy violation
- Managed Edge browser enforcement (via Conditional Access) provides a technical control layer for Premium users: SaaS access is only permitted through managed pathways. Conditional Access can only gate applications that authenticate through Entra ID (SSO via SAML/OIDC); a tool signed into with a vendor-local account produces no Entra sign-in and is invisible to this control, which is why the audit below is still required
- Quarterly SaaS audit to identify shadow IT usage: Entra ID sign-in logs show which applications users have authenticated to with their Cybercraft identity, and Defender for Cloud Apps (where licensed) adds discovery of applications reached without Entra authentication, using Defender for Endpoint network telemetry or proxy/firewall logs
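The sign-in part of the quarterly audit can be run offline against an export, so it does not need live tenant access at review time. The following Python is an added example written for this policy, not Cybercraft's own tooling: it assumes the export is shaped like the Microsoft Graph `signIn` resource (`appId`, `appDisplayName`, `userPrincipalName`, `createdDateTime`, `status.errorCode`), that the Approved SaaS Register is keyed by application `appId` rather than display name, and every record, appId and review date below is constructed.

```python
"""
Quarterly shadow-IT check: Entra ID sign-in export vs. the Approved SaaS Register.

Added example for this policy, not part of the page. Input shape follows the Graph
signIn resource; the records and register entries are constructed and the appIds
are invented.
"""
from datetime import date, datetime

# Constructed Approved SaaS Register, keyed by appId (client ID). Display names are
# chosen by the app publisher and can change, so never match on them.
APPROVED_REGISTER = {
    "7ab9f0a2-1111-4c22-9a33-000000000001": {"name": "Notion", "review_date": "2026-05-01"},
    "7ab9f0a2-1111-4c22-9a33-000000000002": {"name": "Slack", "review_date": "2026-05-01"},
    "7ab9f0a2-1111-4c22-9a33-000000000003": {"name": "Jira", "review_date": "2026-02-01"},
}

# Constructed sign-in records. errorCode 0 is a successful sign-in; 53003 is the
# Entra code for "access blocked by Conditional Access policies".
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-01-12T09:14:03Z", "userPrincipalName": "alice@cybercraft.example",
     "appId": "7ab9f0a2-1111-4c22-9a33-000000000001", "appDisplayName": "Notion", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-15T11:02:44Z", "userPrincipalName": "alice@cybercraft.example",
     "appId": "7ab9f0a2-1111-4c22-9a33-000000000099", "appDisplayName": "Trello", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-03T16:40:10Z", "userPrincipalName": "Bob@cybercraft.example",
     "appId": "7ab9f0a2-1111-4c22-9a33-000000000099", "appDisplayName": "Trello", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-05T08:20:00Z", "userPrincipalName": "bob@cybercraft.example",
     "appId": "7ab9f0a2-1111-4c22-9a33-000000000002", "appDisplayName": "Slack", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T13:05:30Z", "userPrincipalName": "carol@cybercraft.example",
     "appId": "7ab9f0a2-1111-4c22-9a33-000000000042", "appDisplayName": "Dropbox", "status": {"errorCode": 53003}},
]


def _ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unapproved_apps(signins, register):
    """Group sign-ins to applications that are absent from the register.

    Successful sign-ins count as use; failed ones are tallied separately so an
    attempted use of a blocked tool still surfaces in the audit.
    """
    flagged = {}
    for s in signins:
        app_id = s["appId"]
        if app_id in register:
            continue
        entry = flagged.setdefault(app_id, {
            "appDisplayName": s.get("appDisplayName"), "users": set(),
            "sign_ins": 0, "failed_attempts": 0, "first_seen": None, "last_seen": None,
        })
        if s.get("status", {}).get("errorCode", 0) != 0:
            entry["failed_attempts"] += 1
            continue
        when = _ts(s["createdDateTime"])
        entry["sign_ins"] += 1
        entry["users"].add(s["userPrincipalName"].lower())
        entry["first_seen"] = when if entry["first_seen"] is None else min(entry["first_seen"], when)
        entry["last_seen"] = when if entry["last_seen"] is None else max(entry["last_seen"], when)
    for entry in flagged.values():
        entry["users"] = sorted(entry["users"])
    return flagged


def register_reviews_due(register, as_of):
    """Return (appId, name) for approved tools whose review date has passed."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return sorted(
        (app_id, meta["name"]) for app_id, meta in register.items()
        if date.fromisoformat(meta["review_date"]) <= as_of
    )


if __name__ == "__main__":
    for app_id, info in find_unapproved_apps(SAMPLE_SIGNINS, APPROVED_REGISTER).items():
        print(f"UNAPPROVED {info['appDisplayName']} ({app_id}): {info['sign_ins']} sign-ins by "
              f"{', '.join(info['users']) or 'nobody'}, {info['failed_attempts']} failed attempts")
    for app_id, name in register_reviews_due(APPROVED_REGISTER, "2026-02-20"):
        print(f"REVIEW DUE {name} ({app_id})")
```

Only applications that authenticate through Entra ID appear in this data; a tool used with a vendor-local login leaves no sign-in and has to come from Defender for Cloud Apps discovery or from the users themselves.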
4. External Account and Guest Access Controls
4.1 Guest Account Management
Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 2.3 and M365 Workspace & Access Policy (ISMS-POL-M365-01) Section 5:
Level 3 Collaboration Partners are granted Entra ID guest accounts with the following restrictions:
| Control | Restriction |
|---|---|
| Teams access | Dedicated Private Channel per partner/organisation only. Teams requires private-channel members to be members of the parent team, so that parent team must be a dedicated external-collaboration team holding no internal content; the guest is not added to any other team or channel |
| Data visibility | Files shared by Team Manager into partner's channel only; a private channel has its own SharePoint site, separate from the team's, so the guest cannot see internal data |
| Licence | No Cybercraft licence required (Guest account) |
| Technical controls | No CA, Intune, MAM, or Defender — access controlled by Teams membership and NDA |
| Duration | Guest access reviewed quarterly (§4.2) and removed at project completion |
4.2 Guest Account Lifecycle
| Step | Action | Owner |
|---|---|---|
| 1 | Business owner requests guest access with justification and expected duration | Team Manager |
| 2 | Security Director creates Entra ID guest account and assigns to dedicated Private Channel | Lucas |
| 3 | Guest signs NDA (if not already in place) | Guest / CEO |
| 4 | Quarterly review of all active guest accounts — remove stale accounts | Lucas |
| 5 | On project/engagement completion: disable guest account, remove from channel | Lucas |
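Steps 4 and 5 of the lifecycle can be driven from a guest export rather than by eyeballing the Entra portal. The following Python is an added example written for this policy, not Cybercraft's own tooling: it assumes guest records shaped like the Graph `user` resource with the `signInActivity` property (which is only populated with an Entra ID P1/P2 licence), an engagement register mapping each guest to the project end date from the access request, and staleness thresholds of 90 days inactivity and 30 days for unaccepted invitations; those thresholds, every record, domain and date are constructed.

```python
"""
Quarterly guest-account review (§4.2 step 4) and engagement-end check (step 5).

Added example for this policy, not part of the page. Guest records mirror the Graph
user resource with signInActivity; all records, domains, dates and thresholds are
constructed.
"""
from datetime import date, datetime, timedelta, timezone

STALE_DAYS = 90          # assumed: no sign-in of any kind for this long => stale
INVITE_GRACE_DAYS = 30   # assumed: invitation still unaccepted after this long => withdraw

AS_OF = datetime(2026, 2, 20, tzinfo=timezone.utc)   # fixed review date for the sample run

SAMPLE_GUESTS = [
    {"displayName": "Dana", "mail": "dana@partnera.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "Accepted", "createdDateTime": "2025-06-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2026-02-18T10:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2026-02-19T07:30:00Z"}},
    {"displayName": "Evan", "mail": "evan@partnerb.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "Accepted", "createdDateTime": "2025-03-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-10-01T09:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-11-05T08:00:00Z"}},
    {"displayName": "Fay", "mail": "fay@partnerc.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "PendingAcceptance",
     "createdDateTime": "2025-12-15T00:00:00Z", "signInActivity": None},
    {"displayName": "Gus", "mail": "gus@partnerd.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "PendingAcceptance",
     "createdDateTime": "2026-02-10T00:00:00Z", "signInActivity": None},
    {"displayName": "Hana", "mail": "hana@partnere.example", "userType": "Guest",
     "accountEnabled": True, "externalUserState": "Accepted",
     "createdDateTime": "2025-09-01T00:00:00Z", "signInActivity": None},
    {"displayName": "Ian", "mail": "ian@partnerf.example", "userType": "Guest",
     "accountEnabled": False, "externalUserState": "Accepted",
     "createdDateTime": "2025-01-01T00:00:00Z", "signInActivity": None},
]

# Constructed engagement register: guest mail -> project end date from the access request.
SAMPLE_ENGAGEMENTS = {
    "dana@partnera.example": date(2026, 6, 30),
    "evan@partnerb.example": date(2025, 12, 31),
}


def _ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(guest):
    """Latest interactive or non-interactive sign-in; None if the guest never signed in.

    Non-interactive sign-ins (token refreshes from a cached client) are included so a
    guest with an active Teams client is not wrongly flagged as inactive.
    """
    activity = guest.get("signInActivity") or {}
    stamps = [_ts(activity[k]) for k in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")
              if activity.get(k)]
    return max(stamps) if stamps else None


def review_guests(guests, engagements, as_of=AS_OF):
    """Sort enabled guests into the actions the quarterly review has to take."""
    findings = {"pending_invite_expired": [], "inactive": [], "engagement_ended": []}
    for g in guests:
        if g.get("userType") != "Guest" or not g.get("accountEnabled", True):
            continue  # members are out of scope; disabled guests have already been actioned
        mail = g["mail"].lower()
        created = _ts(g["createdDateTime"])
        if g.get("externalUserState") == "PendingAcceptance":
            if as_of - created > timedelta(days=INVITE_GRACE_DAYS):
                findings["pending_invite_expired"].append(mail)
            continue
        # A guest who accepted but never signed in is measured from account creation.
        if as_of - (last_activity(g) or created) > timedelta(days=STALE_DAYS):
            findings["inactive"].append(mail)
        end = engagements.get(mail)
        if end is not None and end < as_of.date():
            findings["engagement_ended"].append(mail)
    return findings


if __name__ == "__main__":
    for category, mails in review_guests(SAMPLE_GUESTS, SAMPLE_ENGAGEMENTS).items():
        print(f"{category}: {', '.join(mails) or '-'}")
```

A guest can appear in more than one list (Evan is both inactive and past his engagement end); either finding on its own is grounds for step 5, disabling the account and removing it from the channel.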
5. Cross-Tenant Security (Cybercraft / Techtype / HVT)
Cybercraft operates a multi-tenant architecture with shared personnel across Cybercraft, Techtype, and HVT.
5.1 Trust Model
- Security parity: Cybercraft and HVT maintain equivalent security posture (Strict tier)
- Trust direction: each resource tenant trusts the MFA and device-compliance claims issued by the user's home tenant (HVT trusts Cybercraft and Techtype; Cybercraft trusts HVT for HVT-homed personnel, see §5.2). In Entra ID this is the inbound trust setting in the cross-tenant access settings entry for that specific partner organisation; the default entry that applies to all other organisations should remain untrusted
- Cross-tenant access: Personnel accessing resources in another tenant must be compliant in their home tenant first
- ADUE enforcement: All macOS users are enrolled via Account Driven User Enrollment, ensuring M365 data resides on a managed volume regardless of which tenant's data is accessed
5.2 Cross-Tenant Personnel
| Person | Home Tenant (user licence tier) | Resource Tenant(s) (user licence tier) | Control |
|---|---|---|---|
| Lucas Shin | Cybercraft (Premium) | HVT (Basic) | Cybercraft compliance enforced → HVT trusts |
| Richard | Cybercraft (Premium) | HVT (Basic) | Cybercraft compliance enforced → HVT trusts |
| Jeff | HVT (Premium) | Cybercraft (Premium) | HVT compliance enforced → Cybercraft trusts |
| Farah | Cybercraft (Premium) | HVT (Premium), Techtype (Basic) | Cybercraft compliance enforced → HVT/Techtype trusts |
| Gage | Techtype (Premium) | HVT (Basic) | Techtype compliance enforced → HVT trusts |
6. Data Sharing Controls
6.1 Principles
- No Confidential data shall be shared with any third party without Security Director approval and, for high-impact data, CISO sign-off
- General data may be shared via Teams (Level 3 dedicated channels) or email, subject to existing NDA and information handling obligations
- External sharing via Teams/SharePoint is an intentional act (requires creating a sharing link scoped to named recipients) and is functionally equivalent to emailing a file attachment, with the advantage that the link can be revoked and access is logged. This holds only for links scoped to specific people; an anonymous "Anyone" link carries no recipient check and is not equivalent
6.2 Contractual Requirements
All third parties handling Cybercraft data must agree to:
- Confidentiality obligations (NDA or equivalent contractual clause)
- Data return/destruction upon engagement completion
- Incident notification — notify Cybercraft within 48 hours of any suspected breach involving Cybercraft data
- Right to audit — Cybercraft reserves the right to request evidence of security controls (proportionate to risk)
7. Roles and Responsibilities
| Role | Person | Responsibilities |
|---|---|---|
| CEO | Farah | Supplier contract approval, NDA execution authority, business relationship ownership |
| CISO | Richard | Policy approval, high-risk SaaS tool approval, cross-tenant security architecture oversight |
| Security Director | Lucas | SaaS assessment execution, guest account management, cross-tenant compliance monitoring, Approved SaaS Register maintenance |
| Team Manager | Designated per team | Request guest access, manage file sharing within partner channels, report suspicious partner activity |
8. Compliance Mapping
| ISO/IEC 27001:2022 Annex A Control | Requirement | Covered By |
|---|---|---|
| A.5.19 | Information security in supplier relationships | Section 3 (SaaS assessment) + Section 6 (Data sharing controls) |
| A.5.20 | Addressing information security within supplier agreements | Section 6.2 (Contractual requirements) |
| A.5.21 | Managing information security in the ICT supply chain | Section 5 (Cross-tenant security) + Section 3.2 (Assessment criteria) |
| A.5.22 | Monitoring, review and change management of supplier services | Section 3.5 (Shadow IT prevention) + quarterly SaaS audit |
| A.5.23 | Information security for use of cloud services | Section 3 (SaaS assessment criteria — authentication, encryption, data residency) |
9. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-02-18 | Lucas Shin | Initial release — SaaS assessment framework, guest access controls, cross-tenant trust model, data sharing controls. Incorporates third-party elements from BYOD Security Policy. |
| 0.1.1 | 2026-02-20 | Lucas Shin | Added §3.3 Additional Assessment Criteria for AI Services (AI/ML data handling, training opt-out, data retention, output ownership, access path). Separated AI from §3.2 Data Sharing criterion. Added AI risk classification and Application & Data Governance Policy linkage to §3.4 Assessment Process. Renumbered §3.4→§3.5. |
| 0.1.2 | 2026-02-20 | Lucas Shin | L2 policy reordering (renumbered). Updated all cross-reference document numbers to reflect new P-numbering scheme. |
10. Review Schedule
- Quarterly: Guest account review, Approved SaaS Register update, shadow IT audit
- Annually: Full policy review, cross-tenant trust model reassessment, supplier contract review
- Ad-hoc: Upon new supplier engagement, cross-tenant architecture changes, or security incidents involving third parties
[End of Policy Document]