Supplier Management Policy

GENERAL SUMMARY

The purpose of this policy is to establish procedures and controls for Altair Global (Altair) when using Third Party Service Providers (Suppliers). It also includes our procedures for completing assessments of our Supplier’s capabilities, performance, system(s) security, controls, minimum goals, and outlines our contractual requirements.

The use of Suppliers is an essential element in Altair’s service delivery model and creates the need for management oversight and continuous monitoring of their capabilities and performance.

All key Suppliers are vetted to ensure compliance with Altair’s security standards and have the capabilities to follow our policies, procedures and practices.

1. Scope

This policy applies to all of the system resources owned, operated, maintained, and controlled by Altair.  Below are definitions for the main groups involved;

• Third-Parties: Entities providing outsourcing services to Altair and / or customers on behalf of Altair. Also known as Third Party Service Providers, Organizations, Suppliers, and any variant.
• Users: Individuals with access rights granted by Altair to various system resources.

2. Purpose

Compliance with this policy ensures the safety and the security for Altair’s system resources when dealing with third-parties.

3. Elements of Risk

The use of Suppliers increases risk to our service delivery system(s).  Therefore, each Supplier is assessed for honesty, integrity, compliance with laws, and Altair’s Supplier Management policies and procedures.  Below are the areas and some examples.  Other red flags may appear:

• Compliance Risk – Violations:
  • Ensure that the Supplier is meeting its own obligations with its own customer contracts as well as obeying the country and the state laws.
  • Verify that the Supplier is in compliance with its own policies, procedures, and processes which should focus on the business as well as information security, regulatory mandates, and internal operation issues.
  • Obtain an annual compliance statement / attestation that the Supplier complies with all applicable laws and ethical obligations.
• Country Risk – Stability:
  • Review the country in which the Supplier is located for economic, political, social and other relevant events to ensure the geographic landscape is stable.
  • Determine if the Supplier is a financially viability company in a stable political environment.
• Credit Risk – Financial Condition:
  • Review their financial statements and/or other financial information, including public records to ensure that the Supplier is financially stable.
  • In particular, liquidation should not be any concern in the near future which is defined as a minimum of 12 months.
• Information Technology – Security:

Verify that the Supplier is utilizing secure and stable hardware/software.

• Review the Supplier’s policies, processes, and procedures for workforce security.

• Operational Risk – Operational Internal Controls:
  • Review both the personal and relevant policies, procedures, practices and processes.
  • Determine if they are satisfactory or if they are failure prone.
• Reputation Risk – Public Perception and Opinion:
  • Determine if the public perception/opinion is positive or negative.
  • While the potential reasons are myriad, pay particular attention to:
    • Data breaches resulting in the loss of sensitive and confidential consumer information.
    • Unethical business practices.
  • Strategic Risk – Alignment with Altair’s Business Initiatives:
    • Assess the Supplier’s strategic initiatives to ensure its short term and long term initiatives are compatible with Altair.
    • Validate that the Supplier is offering services which have an acceptable return on investment.
  • Transaction Risk – Failure to Deliver:
    • Validate that the Supplier has operational efficiency and effective product delivery – namely all promises are kept, not broken.
    • Ensure the strength for these controls:
    • Verify that these situation do not occur:
      • Information Theft.
      • Unauthorized Transactions.

4. Due Diligence – Current and Prospective Suppliers

Shown are the specific items to consider when evaluating Suppliers – note that other items are possible:

• Obtain – From the Supplier:
  • All contractual documents and other supporting documentation. Examples are:
    • Audited Financial Statements.
    • Legal Correspondence.
  • All regulatory compliance and operational audits. Examples are:
    • PCI DSS.
    • SSAE SOC 1 | SOC 2 | SOC 3
  • Identify, Review, and Assess – Done by Altair:
    • Security Difficulties. Examples are:
      • Cybersecurity Attacks.
      • Data Security Breaches.
    • How Sensitive and Confidential Information is Handled:

Storing.

• Processing.
• Transmitting
• Also consider the above with derived data.

• All Relevant Policies. Procedures, and Practices:
  • Business Continuity.
  • Business Specific.
  • Disaster Recovery (BCDRP)
  • Incident Response.
  • Information Security.
  • Operational.
  • Security Awareness.
• Review the Supplier’s Industry Reputation – Done by Altair:
  • Alignment of Vision, Strategies, and Overall Goals.
  • Experience and Overall Business “Know-How”.
  • Knowledge of Senior Management and All Other Relevant Personal.
  • Past, Present, or Expected Legal Issues, Constraints, Concerns.
  • Reputation – Industry and General Public.
• Validate these additional items – Done by Altair:
  • All Relevant Technology Platforms (Hardware and Software).
  • Insurance Coverage.
  • Operational Capacity and Scalability.
  • Organizational-Wide System of Internal Controls.
  • Underwriting Criteria.
  • Any Other Measures Deemed Necessary.
  • Note: if the evaluated third-party also has third-party outsourcing organizations, then perform the same evaluations on them.  As appropriate, follow the third-party chain until everything is vetted.

5. Contractual Documentation

To ensure Altair’s protection, the formal contract is written by Altair and covers the below shown points.

• Identifies from all relevant parties:
  • Expectations.
  • Obligations
  • Responsibilities.
  • Roles.
• Approved by the Senior Vice President, Global Supplier Partnerships or a member of the Executive Leadership Team.
• Provides detailed information:
  • The operational, the performance, and the other necessary baseline standards for services to be performed.

• The reporting metrics such as the daily, the weekly, and the monthly reports.
• The fees paid along with other financial considerations.
• The regulatory compliance audits and mandates. Examples are:
  • Annual Financial Statement Audits.
  • Annual Operational and Security Assessments such as SOC 1 SSAE 16, SOC 2 | SOC 3 AT 101, PCI DSS, etc.
• The information security protection measures regarding the safety and the security for sensitive and the confidential information such as Personally Identifiable Information (PII) and any other variants.

• Legal Department Responsibilities:
  • Review all issues. Examples are:
    • Continuation of Services.
    • Default.
    • Indemnification.
    • Intellectual Property.
    • Resolution Measures.
  • Legal Attention Ensures:
    • A comprehensive and appropriate review was undertaken.
    • All of the issues, the constraints, and the concerns were addressed.

6. Management Oversight and Continuous Monitoring

Once the contracts are signed and the third-party work relationships are functioning, Altair Global performs these tasks to ensure strong working relationships.

• Continuously monitors – Annual Assessments:
  • Compliance.
  • Country.
  • Credit.
  • Information Technology.
  • Operational.
  • Reputation.
  • Strategic.
  • Transaction.
• Reviews Supplier performance:
  • Work with senior management to ensure continual alignment with Altair’s long-term strategic vision.
  • Verify that the on-going and respective policies, the procedures, and the practices provide strong working relationships.
  • Obtain performance metrics to ensure accurate and efficient operations.
  • Cost Containment:

Ensure competitive price bids by announcing requests for proposals (RFPs).

• Identify automatic renewals and automated binding agreements 90 to 180 days in advance.
• Utilize fair and equitable leverage points.

• Routinely gages information security to ensure that all Suppliers:
  • Adhere to I.T. best practices.
  • Have well-documented formalized policies and procedures in place.
  • If possible, Altair performs physical site inspections.

7. Additional Supporting Information and Documentation
   • Altair Global Cybersecurity Supplier Assessment.
   • Altair Global Procurement Policy.
   • Altair Global Schedule of Authorizations.

Altair Global Cybersecurity Assessment Policy and Guidelines.

Document Owner and Approval

The President and Chief Operating Officer is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of all company policies.

A current version of this document is available to all members of staff on the corporate intranet.

This policy was approved by the Executive Leadership Team on 12/07/2017 and is issued on a version controlled basis under his/her signature.