Vendor Risk Management
The Vendor Risk Management department is responsible for establishing, implementing, managing, and enforcing the enterprise-wide vendor management program, which is designed to identify risks that may result from vendor relationships and mitigate them to an acceptable level. The Vendor Risk Management Program defined herein encompasses the following activities:
Procurement
Minimum vendor evaluation and verification requirements are defined within the procurement process. Procurement controls include:
Due Diligence - Conduct initial review of potential vendors to ensure the provider is capable of maintaining appropriate safeguards, financial stability, and availability required for the proposed services.
Vendor Classification - Define the classification of the vendor based on the scope of services, criticality, and sensitivity of information needed to perform services.
Contractual Requirements - Ensure vendor contracts contain the required contractual clauses that define information security program obligations, ownership of data, and rights to obtain control.
Monitoring
Once engaged in a vendor relationship, Flosum performs ongoing targeted monitoring activities. The scope and extent of monitoring activities are dictated by the vendor classification. Monitoring activities are designed to verify that vendor obligations are being met, that the vendor's financial condition is stable, that vendor controls are functioning as expected, and that no changes have occurred that would negatively impact or alter the vendor's risk position. On an annual basis, the results of detailed control assessments are re-confirmed with each vendor to validate that the vendor's classification and control environment have not changed from the initial assessment.