Third Party Risk Management
Introduction
Aspose Pty Ltd (Aspose) is a market-leading software development company that offers award-winning APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, ZIP, CAD, XPS, EPS, and PSD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, Xamarin, and Android, along with reporting solutions for Microsoft SharePoint and rendering extensions for SQL Server Reporting Services and JasperReports.
Aspose is trusted by thousands of companies for its commitment to secure, reliable, and high-performing products. Through effective third-party risk management, Aspose ensures that its partnerships and vendor relationships uphold the highest standards of security, compliance, and operational integrity.
1. Purpose
Aspose Pty Ltd recognizes the critical role third-party relationships play in the development, delivery, and support of its self-hosted software products. This Third Party Risk Management (TPRM) policy establishes a structured approach to managing risks associated with these relationships, ensuring product security, operational resilience, and scalability.
2. Scope
This policy applies to all third-party relationships and service providers that interact with Aspose’s products, development processes, or infrastructure. It includes vendors, contractors, and suppliers whose services may impact Aspose’s data, applications, operational continuity, or regulatory compliance.
3. Roles and Responsibilities
To ensure effective third-party risk management across Aspose’s operations, clear roles and responsibilities are assigned to various stakeholders:
3.1 Risk Management Team
- Lead the implementation and maintenance of the TPRM framework.
- Conduct regular risk assessments of third-party vendors and service providers.
- Develop and update vendor risk classification criteria.
- Coordinate with other teams to ensure comprehensive risk evaluation.
3.2 Procurement Team
- Oversee vendor selection and onboarding processes.
- Ensure vendors meet security and compliance requirements before engagement.
- Maintain documentation of vendor assessments and approvals.
- Coordinate contract reviews with Legal and Compliance teams.
3.3 Legal and Compliance Team
- Review vendor contracts and agreements for compliance with regulatory requirements.
- Advise on legal implications of vendor relationships.
- Monitor changes in regulations affecting third-party relationships.
- Ensure vendor agreements include appropriate security and privacy clauses.
3.4 Product Management Team
- Evaluate technical compatibility of third-party components.
- Assess impact of vendor solutions on product security and performance.
- Monitor vendor performance against service level agreements.
- Coordinate with Development teams on vendor integration requirements.
3.5 IT Infrastructure and Security Team
- Conduct security assessments of vendor systems and processes.
- Monitor vendor security incidents and vulnerabilities.
- Review vendor security practices and compliance.
- Provide input on security requirements for vendor selection.
3.6 Executive Management
- Approve policies and ensure alignment with business objectives and regulatory requirements where appropriate.
- Allocate resources for implementing and maintaining robust risk management measures.
4. Core TPRM Framework
The following framework defines Aspose’s approach to managing third-party risks:
Critical Relationships
- Identify all third-party components, including libraries, platforms, tools, and integrations, that directly or indirectly impact Aspose’s software lifecycle.
Risk-Based Classification
Classify vendors into tiers based on their impact on product security, compliance, and performance:
- High Risk: Vendors supplying core components essential to Aspose’s operations or customer-facing products.
- Medium Risk: Vendors with significant but not critical roles in the software lifecycle.
- Low Risk: Vendors with minimal involvement in Aspose’s core activities.
Contractual Requirements
Where possible and practical, require third-party providers to:
- Adhere to security, continuity, and quality standards.
- Commit to periodic reporting and compliance checks.
- Notify Aspose of any security incidents or operational disruptions promptly.
5. Risk Assessment and Due Diligence
Evaluation Process
Conduct initial and periodic risk assessments for all vendors, considering:
- Security and Privacy Risks: Evaluate cybersecurity practices, data protection protocols, and compliance with relevant laws.
- Operational Risks: Assess reliability, scalability, and potential disruptions in service.
- Regulatory and Legal Risks: Verify compliance with applicable regulations.
Due Diligence Tools
Where possible, and where available, Aspose will use standardized templates to gather and document:
- Vendor policies and security frameworks.
- Financial stability and historical performance data.
- Incident response and business continuity plans.
Risk Categorization
Classify vendors into high, medium, or low risk based on their potential impact on Aspose’s operations.
Approval and Documentation
Findings are reviewed by the Aspose Business Team and approved by the Board of Directors before vendor engagement. All assessments are archived for future reference.
6. Vendor Selection Criteria
Aspose assesses vendors against the following criteria:
- Security Practices: Demonstrated ability to safeguard sensitive data and systems.
- Operational Reliability: Proven track record of uptime and performance.
- Technical Compatibility: Seamless integration with Aspose’s platforms (e.g., .NET, Java, Python).
- Incident Response: Well-defined and tested response plans for addressing disruptions.
- Business Continuity: Robust strategies to ensure uninterrupted services.
- Regulatory Compliance: Adherence to global and local data protection and operational standards.
- Environmental and Social Responsibility: Preference for vendors demonstrating ethical and sustainable practices.
7. Monitoring and Reporting
- Ongoing Monitoring: Continuous monitoring of security, performance, and compliance for third-party vendors, including periodic reviews and automated scans.
- Vulnerability Audits: Regular audits, utilizing SonarQube, are performed on all Aspose products, especially after significant updates or changes.
- Performance Reviews: Reviews based on metrics like uptime and support quality to ensure service consistency.
- Annual Risk Reports: Management receives annual reports summarizing monitoring outcomes, vulnerabilities, and incidents.
- Compliance Checkpoints: Regular checks are performed for compliance with specific regulations, with re-evaluation when regulations are updated.
8. Incident Response and Escalation
Incident Response Process
- Detection: Automated systems alert stakeholders to potential incidents.
- Containment: Collaborate with vendors to isolate the issue and mitigate its impact.
- Root Cause Analysis: Conduct a detailed investigation to identify causes and recommend preventive measures.
- Recovery: Implement fixes and restore functionality promptly.
Post-Incident Activities
- Review incidents to improve internal and vendor processes.
- Update risk assessments and TPRM policies to reflect lessons learned.
9. Operational Resilience and Business Continuity
Vendor Dependency Management
- Identify critical vendor dependencies and develop contingency plans, including:
  - Backup vendors.
  - Redundancy measures for high-risk services.
Continuity Measures
Ensure vendors conduct regular testing of their continuity strategies and provide documentation.
Resilience Testing
Periodically test fallback solutions to confirm operational readiness.
10. Documentation and Centralized Records
Maintain a secure repository for all TPRM-related documentation, including:
- Vendor risk assessments.
- Contracts and performance reviews.
- Incident reports and mitigation actions.
11. Legal and Regulatory Compliance
Aspose is committed to complying with all applicable legal, regulatory, and industry requirements related to this policy. Where specific regulations or standards apply, Aspose will ensure alignment to protect customer data, meet business obligations, and maintain operational integrity.
11.1 Compliance Principles
- Adherence: Aspose follows all relevant legal and regulatory requirements applicable to its operations and systems.
- Alignment with Standards: While Aspose may not hold formal certifications, it aligns its practices with recognized industry frameworks and best practices to ensure compliance.
11.2 Ongoing Compliance Monitoring
Aspose regularly reviews its internal processes, policies, and product offerings to ensure ongoing compliance with relevant laws and industry standards.
Compliance audits and reviews are conducted periodically to ensure the effectiveness of security and privacy controls.
12. Employee Training and Security Awareness
Aspose places a strong emphasis on ensuring that all employees understand their roles and responsibilities in managing third-party risks. Through continuous training and awareness programs, employees are equipped to evaluate, monitor, and mitigate risks associated with third-party relationships.
12.1 TPRM Training Programs
- Onboarding Training: All new employees receive training on the fundamentals of third-party risk management, including vendor classification, risk assessment processes, and reporting procedures.
- Ongoing Security Awareness: Regular training sessions and updates are conducted to ensure employees remain informed about changes in third-party risk processes, regulatory requirements, and emerging vendor-related threats.
12.2 Role-Specific Training
Employees with roles directly involved in third-party risk management receive tailored training, including:
- Risk Specialists: Training on risk assessment methodologies, vendor due diligence, and monitoring tools.
- Procurement and Product Teams: Training on vendor selection criteria, contract requirements, and risk-based vendor classification.
- Compliance and Legal Teams: Guidance on regulatory obligations, data protection requirements, and contractual risk management.
12.3 TPRM Aware Culture
Aspose fosters a culture of accountability and risk awareness by:
- Regular communications and updates from senior management on the importance of managing third-party risks.
- Encouraging employees to report third-party concerns or incidents through established, confidential reporting channels.
- Sharing periodic briefings and updates on vendor risks, best practices, and lessons learned from incidents or assessments.
12.4 Continuous Improvement
Aspose actively seeks feedback on training and awareness programs to ensure they remain relevant and effective.
- Post-Incident Debriefing: Following third-party-related incidents, teams participate in debriefing sessions to analyze root causes, evaluate vendor management processes, and identify improvements to employee training or procedures.
13. Policy Compliance and Enforcement
To ensure the integrity and effectiveness of third-party risk management, compliance with this policy is mandatory for all employees, teams, and stakeholders involved in vendor selection, onboarding, and monitoring.
13.1 TPRM Policy Compliance
- Mandatory Adherence: All personnel must adhere to the Third Party Risk Management Policy, including risk assessments, due diligence, and ongoing monitoring requirements.
- Policy Acknowledgment: Employees must acknowledge their responsibilities regarding third-party risk management during onboarding and whenever significant updates to the policy occur.
- Periodic Reviews and Updates: This policy will be reviewed periodically to align with evolving risks, regulatory changes, and business needs. Updates will be communicated to relevant stakeholders.
13.2 Monitoring and Auditing
- Vendor Audits: Periodic audits and assessments will verify vendor compliance with contractual obligations and security requirements.
- Automated Monitoring: Automated and manual monitoring processes ensure vendor performance, security, and compliance remain consistent throughout the relationship.
- Risk Reviews: Teams are encouraged to conduct self-assessments to identify and address gaps in vendor risk management processes.
13.3 Non-Compliance Consequences
Violation of Policy: Non-compliance with the TPRM Policy or failure to follow risk management procedures will result in disciplinary action, including but not limited to:
- Corrective Actions: Retraining, formal warnings, or enhanced oversight of vendor processes.
- Vendor Review: Re-evaluation of third-party relationships, including termination of vendor agreements where necessary.
- Access Restrictions: Restrictions on vendor access to Aspose’s systems, data, or products where risks are identified.
- Termination: Repeated or significant non-compliance may lead to employee termination or vendor disengagement.
13.4 Accountability and Enforcement
- Incident Management: Third-party-related incidents will be managed in line with Aspose’s incident response processes, including containment, root cause analysis, and corrective measures.
- Disciplinary Process: The enforcement process will be overseen by HR, Compliance, and Risk Management teams to ensure appropriate actions are taken.
- Escalation Procedures: Serious non-compliance or incidents may be escalated to senior management or external authorities, depending on the severity and impact of the breach.
13.5 Continuous Improvement
- Feedback Loop: Aspose encourages feedback from employees, stakeholders, and vendor evaluations to continuously enhance the Third Party Risk Management Policy. Regular reviews help identify gaps, improve processes, and address emerging risks related to third-party relationships.
- Training and Awareness: Non-compliance due to a lack of understanding or awareness will be addressed through targeted training programs and updated communication channels. This ensures all employees and relevant stakeholders are fully aware of their responsibilities in managing third-party risks.
14. Periodic Review and Policy Updates
- Periodic Review: This policy will be reviewed periodically or as required to adapt to new security standards, emerging threats, and Aspose’s evolving business needs.
- Policy Updates: Any updates to the policy will be communicated to all employees and relevant stakeholders to ensure continuous alignment with best practices in information security.
15. Approval
This Third Party Risk Management Policy was approved by the Board of Directors of Aspose Pty Ltd on 2024.12.01.