Title: Vendor Management Program

Effective Date: 1/2020 Revision Date:

11/20/2019

Vendor
Management

1.0 Overview
Sturgis Bank and Trust Company believes vendor management is a critical component of a successful
Information Security Program, and it takes every component of a program to protect the institution’s
critical information, ability to serve customers, and reputation as a secure institution. Vendor
management provides requirements for initial selection and ongoing management of vendors and service
providers. When selecting third parties for products and/or services it is important to ensure that the most
cost effective, reliable and secure vendor is chosen. Once a vendor’s relationship has been established
with the institution, it is important to monitor the security and performance of the vendor to ensure
originally established expectations are being met.
The Vendor Management Program provides a framework for management to follow while collecting
and evaluating data for vendor selection and management. Sturgis Bank and Trust Company
management uses this framework to make an informed decision from the data collected about third
parties.
2.0 Program
The program consists of controls that provide a framework for management to follow during
vendor selection and management.
2.1 Vendor Protection Profile
Each vendor is evaluated on the following four (4) criteria in order to determine the vendor’s
Protection Profile. The Protection Profile is designed to quickly identify the importance of the
vendor to Sturgis Bank and Trust Company. The four (4) Protection Profile criteria are as follows:
2.1.1 Confidentiality of Information Stored, Transmitted, and
Processed This is one of three values:
1) Customer: Information that can identify customers of the institution
2) Internal: Information that is sensitive to the institution (i.e. financials)
3) Public: information that is not sensitive and is generally available to the
public

2.1.2 Access to Customer Information

The degree to which the vendor has direct access to the institution's customer information.

2.1.3 Availability of vendor

The availability requirement of the vendor to the institution in order to continue normal
business operations. This can be one of three values
1) Mission Critical: Service or support disruptions would result in extreme
impact to the institution
2) Normal: Service or support disruptions would result in moderate impact to
the institution
3) Low: Service or support disruptions would result in minimal impact to the
institution

2.1.4 Assets Associated

The number of IT Assets, systems, or processes associated with a vendor, also known as
vendor concentration.

2.2 Vendor Levels

Significant characteristics of each vendor are used to assign each a vendor level. These levels are used
throughout the Vendor Management Program to provide requirements that must be followed by the
institution in selecting and managing third parties. The requirements of each level vary to allow
flexibility in the vendor Management Program.

2.2.1 Level 1 (Critical)

Level 1 vendors are the most critical vendors to Sturgis Bank and Trust Company. Level 1
vendors represent the vendors that are storing, transmitting, and processing the most
confidential customer information for the Sturgis Bank and Trust Company, as well as the
 vendors that are most critical to performing business operations. Level 1 vendors represent
the most risk to Sturgis Bank and Trust Company and should be reviewed most frequently.

2.2.2 Level 2 (Significant)

Level 2 vendors are vendors that are very important to Sturgis Bank & Trust Company, but
operations will continue if anything happens to this category of vendor. Level 2 vendors represent
the vendors that may store, transmit, and process some confidential customer information for the
Sturgis Bank & Trust Company, but business operations are not reliant 1on this category of vendor.
Level 2 vendors represent significant risk to Sturgis Bank & Trust Company, but may be reviewed
less frequently than Level 1 vendors.

2.2.3 Level 3 (Non-Essential)

Level 3 vendors are important, but less critical to Sturgis Bank & Trust Company. Level 3 vendors do
not typically store, transmit, or process confidential customer information for the Sturgis Bank & Trust
Company, nor are business operations reliant on this category of vendor. Level 3 vendors represent a low
risk to
Sturgis Bank & Trust Company. While Level 3 vendors are important enough to justify regular vendor
management reviews, this category of vendor should be reviewed least frequently.

2.2.5 Classification Level Criteria

2.3 vendor Selection

vendor Selection provides a framework for evaluating the aspects of each vendor in the selection process.
The collection and evaluation of this information for each vendor provides the tools necessary for
management to make informed decisions about third parties to protect the best interests of the institution.
2.3.1 Components

Considerations
The minimum required number of third parties that must be evaluated during the selection process.

Cost Benefit Analysis

This component captures information about the cost of the product or service being
evaluated and captures the associated advantages and disadvantages.

References
This component provides a questionnaire that can be utilized to contact other customers of the
vendor to evaluate and capture information about the product or service.

IT Risk Assessment
This component provides the ability to evaluate and document the level of risk associated with
each product or service being evaluated. It also provides a default list of threats and the possible
controls that can be implemented to mitigate the risk of those threats.

Due Diligence
This component provides a series of questions for evaluating critical aspects of the service or
product, such as information security standa2rds, financial condition, and ability to provide
services or products.
 Contract Review
This component provides questions for evaluating the contract between the vendor and the
institution to ensure the vendor protects the best interests of the institution.

2.3.2 Selection Requirements

The following items associated with each vendor level are the minimum requirements set forth by
Sturgis Bank and Trust Company for the vendor Selection process.

vendor Selection Level 1 Level 2 Level 3 Level None

Considerations 3 2 2 NA
Cost Benefit Analysis NA
References x x NA
IT Risk Assessment x x NA
Due Diligence x x NA
Contract Review x x x NA

2.4 V endor Management

The vendor Management process provides a framework for monitoring and evaluating each vendor to ensure they
are providing an acceptable level of service or products.
2.4.1 Components
The following are the components of the vendor Management process. Each component captures unique
information about the vendor for evaluation and documentation purposes.

Interval
The amount of time that management has determined should be scheduled between review cycles. A
high risk vendor generally requires a smaller review interval than a low risk vendor.

IT Risk Assessment
This component requires management to update all the assets in the Risk Assessment for the vendor
being reviewed and documents that the update has been completed. This is done within our TRAC
system

Due Diligence
This component provides a series of documents for evaluating critical aspects of the service or
product being reviewed. Due diligence documents are items such as information security standards,
financial condition, and SOC2. Additional items could be BCP Test results, incident response program,
list of recent data breaches, etc.

Contract Review
This component provides questions for evaluating the contract between the vendor and the
institution to ensure it protects the best interests of the institution.

2.4.2 Management Requirements

The following items associated with each vendor level are the minimum requirements set forth by
Sturgis Bank and Trust Company for the vendor Management process.

Vendor Management Level 1 Level 2 Level 3 Level None

Interval 12 24 36 NA
IT Risk Assessment x NA
Due Diligence x x NA
Contract Review x NA

3
 2.5 Vendor Documentation 3
During the selection or management of vendor relationships, Sturgis Bank and Trust Company has
identified requirements for the gathering and retention of documentation provided by the third parties.
2.5.1 Documents
Sturgis Bank and Trust Company has identified documentation that must be obtained from each
vendor during the selection or management process. Sturgis Bank and Trust Company shall attempt,
depending on the level of the vendor, to obtain the following documentation from each vendor associated
with the appropriate level.

Vendor Documents Level 1 Level 2 Level 3 Level None

External Audit (SOC2, etc.) Frequency 12 24 36 NA
BCP Reports X X NA
Client Control Considerations X NA
Vendor Financial X NA

2.5.2 Vendor Approval

Documentation collected for selection of a new vendor shall be delivered compiled and reviewed by
the owner of the third-party relationship and presented to the IT Steering Committee for review and
approval.

2.5.3 Documentation Retention

Documentation collected during vendor selection and management must be kept in order to verify that the
selection and management activities have been completed as required by policy and federal regulation. To
assist in these efforts, Sturgis Bank and Trust Company requires that all third-party selection
documentation and reports be kept for 3 years and all third-party management documentation and reports
be kept for 3 years.
In the event Sturgis Bank and Trust Company no longer chooses to continue a relationship with a
vendor, prior selection and management reports must be kept as specified above.
3.0 Approval
To maintain its effectiveness, this vendor Management Program may be modified at any time by the
Information Security Officer with the approval of the IT Steering Committee. The IT Steering Committee shall
also review and approve the vendor Management Program at least annually.

4.0 Contracts
After selecting a vendor, management will ensure that the specific expectations and obligations of both the Bank
and the vendor are outlined in a written contract prior to entering into the arrangement. Board approval will be
obtained prior to entering into any material third-party arrangements. A material arrangement is defined as one
that would cause severe business disruption if the vendor could not fulfill their contractual services to the Bank.
Upon management recommendation and based on the criticality of the service provided by the vendor, appropriate
legal counsel will also review contracts prior to finalization. Any material or significant contract with a vendor
will prohibit assignment, transfer or subcontracting by the vendor of its obligations to another entity, unless and
until the Bank determines that such assignment, transfer, or subcontract would be consistent with the due diligence
standards for selection of third parties.

The level of detail in contract provisions will vary with the scope and risks associated with the vendor
relationship. The following topics will be considered as a contract is structured, with the applicability of each
dependent upon the nature and significance of the vendor relationship.

4
Scope. Contracts will clearly set forth the rights and responsibilities of each party to the contract, including the
following where appropriate based on the services to be provided:
• Timeframe covered by the contract.
• Frequency, format, and specifications of the service or product to be provided.
• Other services to be provided by the vendor, such as software support and maintenance, training of
employees, and customer service.
• Requirement that the vendor comply with all applicable laws, regulations, and regulatory
guidance.
• Authorization for the Bank and the appropriate federal and state regulatory agency to have access to
records of the vendor as are necessary or appropriate to evaluate compliance with laws, rules, and
regulations. Identification of which party will be responsible for delivering any required customer
disclosures.
• Insurance coverage to be maintained by the vendor.
• Terms relating to any use of bank premises, equipment, or employees.
• Permissibility/prohibition of the vendor to subcontract or use another party to meet its obligations with
respect to the contract, and any notice/approval requirements.
• Authorization for the Bank to monitor and periodically review the vendor for compliance with its
agreement.
• Indemnification.
• Accurate and measurable SLA
• Independent validation of security controls
• Statement of confidentiality and security of the Bank’s information
• Contractual notification of any information security or business continuity incidents in a timely manner
• Any exit costs and responsibilities

Contract Term Details

1. Cost/compensation. The contract shall outline the fees to be paid, including any fixed compensation, variable
charges, and any fees to be paid for nonrecurring items or special requests. Other items that should be
addressed, if applicable, are the cost and responsibility for purchasing and maintaining any equipment,
hardware, software, or other item related to the activity. Also, the party responsible for payment of any legal
or audit expenses should be identified.

2. Performance standards. For certain relationships, clearly defined performance standards shall be included to
serve as a basis for measuring the performance of the vendor. Management shall periodically review the
performance measures to ensure consistency with its overall objectives.

3. Reports. The contract should specify the type and frequency of management information reports to be
received from the vendor. Routine reports may include performance reports, audits, financial reports, security
reports, and business resumption testing reports.

4. Right to Audit. In addition to the types and frequency of audit reports that the Bank is entitled to receive from
the vendor, the contract should also specify the Bank’s right to audit the vendor (or engage an independent
auditor) as needed to monitor performance under the contract.

5. Confidentiality and security. The contract should prohibit the vendor and its agents from using or
disclosing the Bank’s information, except as necessary to perform the functions designated by the contract.
Any nonpublic personal information on the Bank’s customers must be handled in a manner consistent with
the Bank’s own privacy policy and in accordance with applicable privacy laws and regulations. Any
breaches in the security and confidentiality of information, including a potential breach resulting from an
unauthorized intrusion, should be required to be fully and promptly disclosed to the Bank.

6. Business resumption and contingency plans. The contract should address the vendor’s responsibility for
continuation of services provided for in the contractual arrangement in the event of an operational failure,
including both man-made and natural disasters. The vendor should have appropriate protections for backing
up information and also maintain disaster recovery and contingency plans with sufficiently detailed
operating procedures. Results of testing of these plans should be provided to the Bank.
5
7. Default and termination. To mitigate risks associated with contract default and/or termination, the contract
should address both issues. The contract should specify what circumstances constitute default, identify
remedies, and allow for a reasonable opportunity to cure a default. Similarly, termination rights should be
identified in the contract, especially for material third- party arrangements and relationships involving rapidly
changing technology or circumstances. Termination rights may be sought for various conditions, such as a
change in control, substantial increase in cost, failure to meet performance standards, failure to fulfill
contractual obligations, inability to prevent violations of law, bankruptcy, company closure, and insolvency.
The contract should state termination and notification requirements, with operating requirements and time
frames to allow for the orderly conversion to another entity without excessive expense. Return of the Bank’s
data, records, and/or other resources should also be addressed.

8. Dispute resolution. The Bank shall consider whether the contract should include a dispute resolution process
for the purpose of resolving problems expeditiously. Continuation of the arrangement between the parties
during the dispute should also be addressed.

9. Ownership and license. The contract will address ownership issues and the vendor’s right to use the Bank’s
property, including data, equipment, software, and intellectual property such as the Bank’s name and logo,
trademark, and other copyrighted material.

10. Indemnification. Indemnification provisions require a vendor to hold the Bank harmless from liability as a
result of negligence by the vendor, and vice versa.

11. Limits on liability. A vendor may wish to contractually limit the amount of liability that it could incur as a
result of the relationship with the Bank. Before entering into such a contract, management of the Bank shall
carefully consider whether the proposed damage limitation is reasonable compared to the amount of loss the
Bank could experience should the vendor fail to adequately perform.