This document outlines the procedures for XIMNET MALAYSIA SDN BHD (the "Company") to manage its relationships with third-party service providers (TPSPs). TPSPs include any external company providing services that involve access to the Company's data, systems, or facilities.
Selection Process
- Prior to engaging a TPSP, the Company will clearly define the required services and the data involved in the project. This ensures alignment between the TPSP's capabilities and the Company's specific needs.
- To mitigate potential risks, the Company will conduct thorough due diligence on potential TPSPs. This may include background checks, assessments of financial stability, and evaluations of their security practices.
- To solicit proposals from qualified TPSPs, the Company may issue a Request for Proposal (RFP) detailing project requirements, evaluation criteria, and the Company's security expectations. This ensures a standardized selection process and allows for a fair comparison of potential partners.
- Following the evaluation of proposals, the Company will negotiate contracts with chosen TPSPs. These contracts will formally document the terms of the engagement, including service delivery timelines, security obligations, data ownership rights, and clear termination clauses in case of non-compliance or performance issues.
Onboarding and Risk Assessment
- Once a TPSP is selected, the Company will conduct a security risk assessment to identify any potential vulnerabilities associated with the engagement. This proactive approach helps mitigate risks before they materialize.
- To ensure all TPSPs are aware of the Company's security protocols, they will be onboarded with security awareness training. Additionally, access controls will be implemented to restrict access to Company data and systems based on the principle of least privilege.
- Establishing clear communication channels and designating points of contact for both the Company and the TPSP is essential for fostering a collaborative and efficient working relationship.
Service Management
- To ensure consistent service quality, a service level agreement (SLA) will be established for each TPSP engagement. The SLA will outline performance expectations, communication protocols for reporting issues and updates, and dispute resolution procedures should any disagreements arise.
- The Company will conduct regular performance reviews to monitor the TPSP's adherence to agreed-upon service levels and security protocols. This ongoing monitoring helps ensure the engagement remains aligned with the Company's requirements.
- To maintain a comprehensive overview of all outsourced services, the Company will create and maintain an inventory of all TPSP engagements. This inventory will include details of the services provided, access privileges granted, and relevant contract information.
Security and Data Protection
- The Company recognizes the importance of data security and will include data security clauses in all TPSP contracts. These clauses will require TPSPs to comply with all relevant data protection regulations and implement appropriate security safeguards to protect the Company's data.
- To govern data sharing practices, the Company will establish data sharing agreements with TPSPs. These agreements will clearly define data ownership, restrictions on data usage, and secure data transfer protocols to ensure the confidentiality and integrity of the Company's information.
- Whenever possible, the Company may conduct periodic security audits of TPSPs to assess the effectiveness of their ongoing security posture. This additional layer of oversight helps mitigate potential security risks.
Monitoring and Termination
- The Company will continuously monitor TPSP activity for any suspicious behavior or security incidents. This proactive monitoring allows for early detection and intervention in case of potential threats.
- In the event of a security incident involving a TPSP, the Company has established procedures for responding to and containing the incident. These procedures will ensure a swift and coordinated response to minimize potential damage.
- The Company acknowledges that there may be situations where termination of a TPSP engagement is necessary. Clear termination clauses will be included in all contracts, outlining the process for ending the relationship due to performance issues or security breaches.
Review and Update
The Company acknowledges that the regulatory landscape and industry best practices are subject