VENDOR SECURITY POLICY
Acme Corp — Confidential
Version 2.3 | Last updated: January 2026

1. ACCESS CONTROL

Acme Corp maintains access control policies governing all production systems and internal tools. User accounts are provisioned through our centralized identity management platform. Administrative and privileged accounts are managed separately from standard user accounts. Deprovisioning of user accounts is triggered automatically upon HR termination notification, with completion expected within 24 hours.

2. AUTHENTICATION

All users are required to authenticate using corporate credentials managed through our SSO provider. Multi-factor authentication (MFA) is available for all user accounts and is enabled by default for remote access connections. MFA enrollment is encouraged for all employees accessing sensitive systems. The security team monitors MFA adoption rates on a quarterly basis.

3. ACCESS REVIEWS

Access reviews are conducted on a regular basis to verify that users maintain appropriate access levels. The IT Security team coordinates reviews with department managers to validate continued need for access. Results of access reviews are documented and retained for audit purposes.

4. INCIDENT RESPONSE

Acme Corp maintains an incident response plan that covers the detection, containment, eradication, and recovery phases. The plan is tested annually through tabletop exercises. All security incidents are logged in our incident tracking system with a severity classification.

5. VULNERABILITY MANAGEMENT

Vulnerability scanning is performed monthly against all external-facing systems. Critical vulnerabilities are remediated within 72 hours of discovery. Penetration testing is conducted annually by an independent third party.

6. DATA PROTECTION

Data classification policies define handling requirements for confidential, internal, and public data. Encryption is applied to data at rest and in transit for all systems handling confidential information. Data retention schedules are maintained and reviewed annually.

7. BUSINESS CONTINUITY

Business continuity and disaster recovery plans are maintained for critical systems. Recovery time objectives (RTO) and recovery point objectives (RPO) are defined for each critical system. Plans are tested semi-annually.