
Added annual security reassessment as part of contract renewal

Melissa Farber requested to merge mmf-add-secreview-upon-renewal into master

This MR is to add language clarifying timing of security assessment as part of vendor contract renewal.

Currently all vendors that will be storing, processing, transmitting RED and ORANGE data must undergo a security review as part of the procure-to-pay process.

This MR adds a note about the timing of this review as part of the contract renewal. This re-assessment upon renewal supports our Vendor Risk Management Control.

Given that Procure to Pay is an audited, financial process, I am requesting that @pmachle and @kathyw (or @jurbanc) please review and approve the language.

Approvals required:

/cc @sheetaljain @gitlab-com/gl-security/compliance @jhurewitz @cciresi for visibility.

Edited by Melissa Farber
