Third Party Security Guidelines. e-governance

Transcription

1 for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

2 Document Control S/L Type of Information Document Data 1. Document Title 2. Document Code 3. Date of Release 4. Next Review Date 5. Document Revision Number 6. Document Owner 7. Document Author(s) 8. Document Reference Document Approval Sr. No. Document Approver Approver Designation Approver ID Document Change History Version Revision Date Nature of Change Date of Approval No. For Internal Use Only Page 2 of 11

3 Tablle off Conttentts 1. INTRODUCTION SCOPE PURPOSE THIRD PARTY RISK MANAGEMENT FRAMEWORK MANAGEMENT OF THIRD PARTY EXCHANGE OF INFORMATION HIRING AND TRAINING OF EMPLOYEES ACCESS CONTROL REPORTING AND INVESTIGATING SECURITY INCIDENTS CHANGES IN SERVICES THIRD PARTY RISK ASSESSMENT DISCIPLINARY MEASURES FOR NON-COMPLIANCE REFERENCES ANNEXURE For Internal Use Only Page 3 of 11

4 1. INTRODUCTION Third Parties can assist management in attaining strategic objectives by increasing revenues or reducing costs. The use of a third party also commonly serves as a vehicle for management to access greater expertise or efficiency for a particular activity. However the use of third parties in no way diminishes the responsibility of e-gov service delivery to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws, regulations, and internal policies. This recognises the close cooperation between e-gov service delivery and third parties particularly in the area of information security. The use of third party services depends on the fundamental observation that the services provided by the third party will be trusted. This trust results from the confidence that the third party is managed correctly and its services are operated securely. To build such trust third parties can communicate the effectiveness of their information security controls by obtaining security certifications such as ISO and/or by having an independent body review of their information security and privacy practices. 2. SCOPE These guidelines are applicable across all geographies where information of e-gov service delivery is processed and/or stored by third-party. These are is applicable to all third-parties, sub-contractors and/or representatives of the third-party providing services to e-gov service delivery. 3. PURPOSE The purpose of these guidelines is: Ensure appropriate level of security controls are implemented by third parties to protect information processing facilities of e-gov service delivery, assets accessed by any third For Internal Use Only Page 4 of 11

5 party entity and maintain security of information when the responsibility for information processing has been outsourced. Ensure that regular reviews of third party are conducted towards adherence of this policy and any contractual or regulatory requirement; and Provide the third-party with an approach and directives for implementing information security controls for all information assets used by them for providing services to e-gov service delivery. 4. THIRD PARTY RISK MANAGEMENT FRAMEWORK Due Dilligence Contract Structuring Post Association Assessment Vendor Evaluation criteria will be used which will consider the Financial Status, Process Maturity, Information Security etc. Will have defines guidelines (with clause on information security) to be followed as part of contract Risk Profiling/ Assessment Self Assessment Onsite Review Due Diligence (Selecting a third-party) Criteria for selecting a vendor shall be defined and documented, taking into account the: Information Security; Government Fitment with respect to e-gov service delivery; Financial; Technology and Infrastructure; Process Maturity; Customer Satisfaction. For Internal Use Only Page 5 of 11

6 Based on the weighted average scores obtained on the above mentioned criteria and as per the best fit, vendor may be shortlisted/ selected. Contract Structuring (Contracts and confidentiality agreements) A formal contract between government department and third-party shall exist to protect both the parties. Person responsible shall ensure that while entering in an agreement with the outsourcing party, the security requirements are clearly communicated to the third-party. The following should be, as a minimum, included in the agreement. Information shared shall be classified, labelled and controlled in accordance with the e-gov security policy. If the information being exchanged is non-public, a binding confidentiality agreement shall be in place between e-gov service delivery and the third-party, whether as part of the service contract itself or a separate non-disclosure agreement (which may be required before the main contract is negotiated). The security responsibilities for third party staff should be incorporated in the contract with the third parties. Provision shall be there for acceptable use of the information processed by the outsourced function or service including breach of information security. Contract should explicitly state the right to access and right to audit third party and their sub-contractors. The third-party should not only understand the rationale for audit but also provide all support necessary to conduct the audits. If the third party, sub contracts any of the part of work, then the sub contracted parties shall also ensure the adherence to e-gov Security Policy. Contract shall provide detail of legal, regulatory and other third party obligations such as data protection/privacy laws, etc. For Internal Use Only Page 6 of 11

7 Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract. Post Association Assessment If a third-party is performing its activities based at a location other than e-gov service delivery premises or the third-party is operating both from service delivery and outside locations, the auditor may audit the third-party s physical premises and applicable security controls periodically for compliance to e-gov Security policies, ensuring that it meets the requirements identified in the contract. Additionally, third party may go ahead with risk/self-assessments or audits as applicable. 5. MANAGEMENT OF THIRD PARTY 5.1 EXCHANGE OF INFORMATION While entering in any kind of outsourcing agreement, transition of information and information processing facilities should be planned, similarly at the time of termination of contract it should be ensured that such assets are returned as required. Information security shall be ensured throughout the transition period. In cases where the third-party is requested to perform the deletion of given data previously used in the outsourced service, mechanisms such as reports or logs should be produced to verify that proper data deletion had been securely and properly carried out. 5.2HIRING AND TRAINING OF EMPLOYEES Third-party or sub-contractor employees shall be subjected to background checks. Such screening shall take into consideration the level of trust and responsibility associated with the position: Proof of the person s identity; For Internal Use Only Page 7 of 11

8 Proof of their academic qualifications; Proof of their work experience; Criminal record check; Credit check. Suitable information security awareness, training and education shall be provided to all employees and third parties working on the contract, clarifying their responsibilities relating to e-gov security policies, standards, procedures and guidelines and all relevant obligations defined in the contract. 5.3ACCESS CONTROL The concerned department/ asset owner will ensure: A risk assessment to identify the security implications while providing such access to third party. The risk assessment shall be approved by Head IT Security. Third party staff shall be provided access to information assets as per User Access Management Procedure. However, following shall be analysed and documented by the IT Helpdesk prior to providing access to critical information systems. A report for the same shall be submitted to Head IT Security for review. Type of access required Duration of access required Mode of access required Criticality of the systems on which access is being provided In case third party staff has higher privileges (e.g. administrator, power user, etc.), appropriate clauses relating to non-disclosure agreement shall be included into the contract. For Internal Use Only Page 8 of 11

9 The asset owner is responsible for accepting the risk related to third party access to information assets before access to information asset is actually provided to third party. Datacenter head shall ensure that prior to providing access, security guidelines are issued to third party staff and an acceptance on the same is obtained from them. Access to all classified information shall be documented and carried out in a controlled fashion. A list of personnel is to be maintained to ensure that only the listed personnel have legitimate access to the Information System areas. All third party personnel shall be given the access cards/identification badges based on need. The access cards/identification badges given to the personnel shall be marked as nontransferable and returnable on termination of contract. At the time of disengagement, all user accounts and access rights assigned to the thirdparty employees shall be revoked in a timely manner. 5.4REPORTING AND INVESTIGATING SECURITY INCIDENTS Third party shall educate its employees and establish formal reporting and feedback procedures as well as incidence response procedures for all security incidents and system weaknesses. Third party shall promptly investigate and mitigate the risk arising from any security incident or system weakness, and shall inform datacenter head about such instances, investigations, remedial plan and a timetable for achievement of the planned improvements. 5.5CHANGES IN SERVICES Changes to provision of third party services should be re-assessed considering the current service delivery systems and the processes involved. For Internal Use Only Page 9 of 11

10 5.6THIRD PARTY RISK ASSESSMENT The access to information assets of e-gov Service Delivery should be provided on need-toknow and need-to-have basis to third parties. The access provided could be physical, logical and even remote logical access. The Third-party access should be provided as per the business requirement s and after analysing the risk(s) associated with such access. Therefore, it is important to identify and address such risks through comprehensive Risk Assessment (hereinafter referred to as RA in this document) exercise. This kind of RA ensures the following: Third party access where there is a valid business justification is only provided; and Mitigation controls are implemented to reduce the risk(s) due to such access. This procedure intends to cover RA in sufficient depth to understand and manage the risks arising due to Third-parties access in information assets of e-gov Service Delivery. The objectives of conducting a RA for Third-party access are as follows: To Identify, understand and manage the Risks applicable and associated with Thirdparty Access to information assets of e-gov Service delivery To provide a fair and reasonable amount of assurance to stakeholders about the security controls in place for Third-party access to address the risks; To ensure that access is provided to the Third -party only on need-to-know or need-tohave basis; and To ensure that the Third-party access controls are appropriately designed and implemented with reasonable effectiveness. Procedure for Third-party Access Risk Assessment The RA for Third-party access is done in 4 phases: For Internal Use Only Page 10 of 11

11 Risk Identification- IT/ Networks function should identify the risks due to providing the required access to the identified information assets and/ or facilities. Risk Treatment Plan- For each identified risk, a Risk Treatment plan should be developed. This should be reviewed and approved by the Composite team - Security or IT/ Networks function or CISO. Also, for each risk identified, a Risk owner should be identified. Implementation strategy- The CISO may be required to discuss the risks identified by the IT/ Networks functions. The CISO should provide his/ her inputs on whether to implement the additional controls or choose to accept the risk. Audit of Third-party Access- The CISO or designated personnel from Composite team- Security should conduct an audit for third- party access and implemented mitigation controls to examine their effectiveness. The audit team should review the implementation of controls against each access provided to Third-party. 6. DISCIPLINARY MEASURES FOR NON-COMPLIANCE Non-compliance with the Third Party Security Guidelines is ground for disciplinary actions up to and including termination of the contract. 7. REFERENCES e-gov Security Policy User access management 8. ANNEXURE Third Party - Risk Management Third party- Risk management.doc For Internal Use Only Page 11 of 11