Information Security Policy for Service Provider Relationships¶
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Field | Details |
|---|---|
| Document Type | Policy |
| Document # | SP-ISSPR-017 |
| Owner | Chief Executive Officer |
| Classification | Confidential (Class 2 — Private Data) |
| Version | V1.2 |
| Issue Date | 04/09/2025 |
| Review Cycle | Annual (reviewed in 3rd week of year) |
| Authorised By | Yassir Pasha |
Document Information¶
| Field | Details |
|---|---|
| Document # | SP-ISSPR-017 |
| Document Title | Information Security Policy for Service Provider Relationships |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 23/03/2021 |
| Issue Date | 04/09/2025 |
| Document Owner | Chief Executive Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure that all service provider relationships protect the organisation's information assets by requiring appropriate security controls, risk management, and compliance with information security requirements |
| Authorised By | Yassir Pasha |
Reviewed By Steering Committee¶
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs · Regulatory |
Change Control¶
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 28/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 04/09/2025 | Simpaisa | Annual review | Yassir Pasha |
1 Introduction¶
Simpaisa and its core business exist in a wider economic environment in which effective relationships with service providers are critical to its continued success. However, recent information security breaches have shown that a third-party service provider can sometimes represent a significant weakness in the defences of our information assets.
It is very important therefore that our relationships with service providers are based on a clear understanding of our expectations and requirements in information security, in particular around the storing, processing and transmitting of Cardholder Data (CHD). These requirements must be documented and agreed in a way that leaves no doubt about the importance we place on the maintenance of effective controls to reduce risk.
It is up to Simpaisa to demonstrate to our stakeholders that the choices we make regarding service providers are done with due diligence and that the ongoing monitoring and review of the service supplied is performed in an effective way.
The purpose of this document is to set out the organisation's information security policy in the area of service provider relationships. This document will be reviewed in the 3rd week of each year to check its relevance.
The following documents are relevant to this policy:
- Agreement for the Security of Cardholder Data
2 Information Security Policy for Service Provider Relationships¶
2.1 General Provisions¶
In general, information security requirements will vary according to the type of contractual relationship that exists with each service provider, and the goods or services delivered.
However, the following will generally apply:
- The information security requirements and controls must be formally documented in a contractual agreement which may be part of, or an addendum to, the main commercial contract.
- Separate Non-Disclosure Agreements must be used where a more specific level of control over confidentiality is required.
- Appropriate due diligence must be exercised in the selection and approval of new service providers before contracts are agreed.
- The information security provisions in place at existing service providers (where due diligence was not undertaken as part of initial selection) must be clearly understood and improved where necessary.
- Remote access by service providers must be via approved methods that comply with our information security policies.
- Access to Simpaisa information must be limited where possible according to clear business need.
- Basic information security principles such as least privilege, separation of duties and defence in depth must be applied.
- The service provider will be expected to exercise adequate control over the information security policies and procedures used within sub-contractors who play a part in the supply chain of delivery of goods or services to Simpaisa.
- Simpaisa will have the right to audit the information security practices of the service provider and, where appropriate, sub-contractors.
- Incident management and contingency arrangements must be put in place based on the results of a risk assessment.
- Awareness training will be carried out by both parties to the agreement, based on the defined processes and procedures.
- Where card payment processing occurs, the service provider must be actively PCI DSS compliant.
The selection of required controls must be based upon a comprehensive risk assessment considering information security requirements, the product or service to be supplied, its criticality to the organisation and the capabilities of the service provider.
2.2 Cloud Services¶
Cloud service providers (CSPs) must be clearly recognised as such so that the risks associated with the CSP's access to and management of Simpaisa cloud data may be managed appropriately.
When acting as a CSP, Simpaisa will clearly set out the relevant information security measures it will implement as part of the agreement. Simpaisa will also ensure that information security objectives are set for third parties who provide components of the cloud service to customers and that they carry out adequate risk assessment in order to achieve an acceptable level of security.
2.3 Due Diligence¶
Before contracting with a service provider, it is incumbent upon Simpaisa to exercise due diligence in reaching as full an understanding as possible of the information security approach and controls the company has in place.
This is particularly important where cloud computing services are involved, as legal requirements regarding the location and storage of personal data must be taken into account.
2.4 Addressing Security Within Service Provider Agreements¶
Once a potential service provider has been subject to a positive due diligence assessment, the information security requirements of Simpaisa must be reflected within the written contractual agreement that is entered into. This agreement must take into account the classification of any information that is to be processed by the service provider (including any required mapping between Simpaisa classifications and those in use within the service provider), legal and regulatory requirements and any additional information security controls that are required.
For cloud service contracts, information security roles and responsibilities must be clearly defined in areas such as backups, incident management, vulnerability assessment and cryptographic controls.
A template, Simpaisa Protect Cardholder Data Service Provider Agreement, may be used as a starting point.
Appropriate legal advice must be obtained to ensure that contractual documentation is valid within the country or countries in which it is to be applied.
2.5 Evaluation of Existing Service Providers¶
For those service providers that were not subject to an information security due diligence assessment prior to an agreement being made, an evaluation process must be subsequently undertaken in order to identify any required improvements.
2.6 Monitoring and Review of Service Provider Services¶
In order to focus resources on the areas of greatest need, service providers will be categorised based on an assessment of their value to the organisation.
Each service provider will be placed into one of the following four categories:
- Commodity
- Operational
- Tactical
- Strategic
The recommended frequency of service provider review meetings between Simpaisa and each service provider will be determined by the service provider's category according to the following table:
| Service Provider Category | Recommended Meeting Frequency |
|---|---|
| Commodity | None |
| Operational | On contract renewal |
| Tactical | Annually |
| Strategic | Monthly/Quarterly |
Each service provider will have a designated contract manager within Simpaisa who is responsible for arranging, chairing and documenting the meetings.
The performance of strategic service providers will be monitored on a regular basis in line with the recommended meeting frequency. This will take the form of a combination of service provider reports against the contract and internally produced reports.
Where possible, a frequent cross-check will be made between the service provider reports and those created internally in order to make sure the two present a consistent picture of service provider performance. Both sets of reports will be reviewed at service provider meetings and any required actions agreed.
2.7 Managing Changes to Service Provider Services¶
2.7.1 Changes Within Contract¶
Changes to services delivered by service providers will be subject to the Simpaisa change management process. This process includes the requirement to assess any information security implications of changes so that the effectiveness of controls is maintained.
2.7.2 Contractual Disputes¶
In the event of a contractual dispute, the following initial guidelines must be followed:
- The Chief Executive Officer (CEO), Chief Finance Officer (CFO), Chief Operating Officer (COO) and Chief Technology Officer (CTO) must be informed that a dispute exists.
- The CEO, CFO, COO and CTO will then decide on next steps, based on an assessment of the dispute.
- Where applicable, legal advice should be obtained via the CEO, CFO, CTO or COO.
- All correspondence with the service provider in dispute must be in writing and with the approval of the CEO, CFO, COO and CTO.
- An assessment of the risk to the organisation should be carried out prior to escalating any dispute, and contingency plans put in place.
At all times the degree of risk to the business must be managed and, where possible, minimised. In the event of a dispute with a service provider, Simpaisa will maintain its active contract with that service provider.
2.7.3 End of Contract¶
The following process will be followed for scheduled end of contract, early end of contract or transfer of contract to another party:
- The end of contract will be requested in writing within the agreed terms.
- Transfer to another party shall be planned as a project and appropriate change control procedures followed.
- An assessment of the risk to the organisation must be carried out prior to ending or transferring the contract, and contingency plans put in place.
- Any budgetary implications shall be incorporated into the financial model.
The implications of ending a contract must be carefully considered at initial contract negotiation time.