Outsourcing and third party access

This document is part of the UCISA Information Security Toolkit, providing guidance on the policies and processes needed to implement an organisational information security policy. To use the Toolkit effectively it should be read alongside the Toolkit Introduction and the How to use guide, and then used to develop appropriate information security elements for inclusion in your organisation's policies.

1. Introduction

The Outsourcing and Third Party Access Policy sets out the conditions required to maintain the security of the organisation's information and systems when third parties, other than the organisation's own staff or students, are involved in their operation. This may occur in at least three distinct circumstances:

- when third parties (for example contractors) are involved in the design, development or operation of information systems for the organisation. There may be many reasons for this, ranging from writing and installing bespoke software, through third party maintenance or operation of systems, to full outsourcing of an IT facility;
- when access to the organisation's information systems is granted from remote locations where computer and network facilities may not be under the control of the organisation (this is covered in more detail by the Mobile Computing Policy);
- when users who are not members of the organisation are given access to information or information systems.

Each of these circumstances involves a risk to the organisation's information, which should be assessed before the third party is granted access. Such access must be subject to appropriate conditions and controls to ensure the risk can be managed.

2. BS 7799 definitions and numbering

Outsourcing and third party access issues are covered by sections 6.2, 10.2 and 12.5.5 of the standards document. Issues around roles and responsibilities, covered by section 8.1.1 of the standard, are also relevant.
6.2 External parties
Objective: To maintain the security of the organisation's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

6.2.1 Identification of risks related to external parties
The risks to the organisation's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

6.2.2 Addressing security when dealing with customers
All identified security requirements shall be addressed before giving customers access to the organisation's information or assets.

6.2.3 Addressing security in third party agreements
Agreements with third parties involving accessing, processing, communicating or managing the organisation's information or information processing facilities, or adding products or services to information processing facilities, shall cover all relevant security requirements.

8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

8.1.1 Roles and responsibilities
Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organisation's information security policy.
10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

10.2.1 Service delivery
It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

10.2.2 Monitoring and review of third party services
The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

10.2.3 Managing changes to third party services
Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business systems and processes involved and re-assessment of risks.

12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.

12.5.5 Outsourced software development
Outsourced software development shall be supervised and monitored by the organisation.

3. Interrelationship between policies in this document and related BS 7799 references

In this Toolkit, each subsection addresses a number of the outsourcing and third party controls from the standard. All of the controls in sections 6.2 and 10.2 of the standard, and control 12.5.5, are covered. Part of control 8.1.1 is covered here; it is also covered in the Personnel Policy.
Toolkit subsection                      Control(s)
Contractual issues                      6.2.2 Addressing security when dealing with customers
                                        6.2.3 Addressing security in third party agreements
                                        8.1.1 Roles and responsibilities
                                        10.2.2 Monitoring and review of third party services
                                        10.2.3 Managing changes to third party services
Third party support and maintenance     6.2.1 Identification of risks related to external parties
Third party development                 12.5.5 Outsourced software development
Facilities management and outsourcing   10.2.1 Service delivery

4. Guidelines for use

The purpose of these policies is to maintain the security of the organisation's IT facilities that are accessed or provided by third parties. Access to the organisation's IT facilities by third parties must be controlled. The risk associated with access to the organisation's IT facilities by third parties should be assessed and appropriate security controls implemented.

The security of the organisation's IT systems might be put at risk by access from third party locations with inadequate security management. Where there is a business need to connect to a third party location, a risk analysis should be undertaken to identify any requirements for specific security measures. The risk analysis should take into account the type of access required, the value of the information, the security measures employed by the third party and the implications of the access for the security of the organisation's IT infrastructure.

Access to the organisation's IT facilities by third parties must not be provided until appropriate countermeasures have been implemented and a contract has been signed defining the terms for connection.

UCISA Information Security Toolkit, Edition 3.0
High Criticality Systems: The risks associated with access to organisational information processing facilities by third parties (i.e. external contractors etc., not [say] website users) shall always be assessed and strong security controls implemented.
Medium Criticality Systems: The risks associated with access to organisational information processing facilities by third parties shall be separately assessed.
Low Criticality Systems: The general user forum should discuss and agree baseline information security standards.

5. Contractual issues

Contracts with third parties involving the organisation's IT facilities must specify security conditions. The contract, including the elements addressing information security, must be in place before access to the organisation's IT facilities is provided. The organisation must not allow access to third parties that will not respect and comply with its information security policy.

Arrangements involving third party access to the organisation's IT facilities should be based on a formal contract setting out all necessary security conditions to ensure compliance with the organisation's information security policy. The performance of this contract, and especially the security conditions it contains, must be monitored. Arrangements for the termination of the contract, or its transfer to another organisation, must be in place to ensure that these events do not present a threat to the organisation's information security or to the provision of information systems.

The security requirements of an organisation outsourcing the provision, management, operation and/or control of all or any of its information systems, networks and/or desktop environments shall be addressed in a contract agreed between the parties. The organisation should provide third parties with access to its information security policy, and a summary of the policy must be available.

i. Suggested Policy Statement
All third parties who are given access to the organisation's information systems, whether as suppliers, customers or otherwise, must agree to follow the information security policies of the organisation. An appropriate summary of the information security policies and the third party's role in ensuring compliance must be formally delivered to any such third party prior to their being granted access.

Adequate security constraints may be in force for employees and contractors, but the same level of safeguard may be overlooked when dealing with third parties such as customers or collaborators, hardware and software suppliers, consultants, and other service providers. Where third party agreements do not refer to your information security policy, you may have difficulty in making a case if a breach of security only becomes evident after the contract with the third party is completed. Where a contract with an external service provider does not refer to the information security policies and standards of your organisation, your information is at greater risk, as their standards and safeguards are likely to differ. Where you are supplying services to a customer or collaborator, misunderstandings about the extent of the services provided may result in loss of confidential information or inappropriate use of your systems that cannot be remedied. The staff of third party organisations may not be bound to keep in confidence information they come by, and may inadvertently disclose information to the disadvantage of the organisation.

ii. Suggested Policy Statement
Confidentiality agreements must be used in all situations where the confidentiality, sensitivity or value of the information being disclosed is classified as proprietary (or above).
It is common practice to use a confidentiality agreement as a legally enforceable means of redress should a third party inappropriately communicate confidential information covered by the agreement to an unauthorised party.
Where confidentiality agreements are not agreed and signed with third parties who have access to your information systems and projects, unguarded conversations may result in sensitive information being divulged to a competitor.

iii. Suggested Policy Statement
All contracts with external suppliers for the supply of services to the organisation must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.

If contracts with third parties do not include provisions for monitoring compliance with information security obligations, it may be impossible to determine whether these arrangements are causing information security problems. The termination or transfer of a third party contract involves especially high risks to information security. If you cannot monitor a contractor's compliance, you are unlikely to detect, or be able to investigate, any breach of your information security that occurs via their systems or staff. A third party contractor will have knowledge about your information and information systems that could be used to harm you after a contract has been terminated. Arrangements for the handover of an outsourced service between two external contractors must ensure that all necessary information is transferred and that there is no period when neither, or both, of them have control of the service.

6. Third party support and maintenance

Because maintenance and support staff from third party companies may need to access information systems with the highest level of access privilege, or indeed at times when the normal access controls are not operational, it is imperative that they comply with the information security policies of your organisation.
The policies outlined in the contractual section of this document are sufficient to ensure this. In practice, many support and maintenance contracts will offer assurances from the service supplier that their staff and agents will follow good codes of practice in handling their customers' information. You need to assess these and ensure that they do not breach your organisation's policies.

iv. Suggested Policy Statement
Persons responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the content and spirit of the organisation's information security policies.

7. Third party development

If external third parties are used to develop computer systems for the organisation, appropriate arrangements must be put in place to ensure the information security policy is respected.

v. Suggested Policy Statement
Persons responsible for commissioning outsourced development of computer based systems and services must use reputable companies that operate in accordance with quality standards and which will follow the information security policies of this organisation, in particular those relating to application development.

The following issue should be considered if the organisation decides to outsource some or all of its computer processing: failure to follow the information security policies during the development of an application system may prevent the system from meeting the required policies when it is installed as an operational element in the organisation's production systems.
8. Facilities management and outsourcing

The use of an external contractor to manage computer or network facilities may introduce a number of potential security exposures, such as the possibility of compromise, damage or loss of data at the contractor's site. Proposals to use an external facilities management service should identify the full security implications and include appropriate security controls. Risks should be identified in advance and appropriate security measures agreed with the contractor and incorporated into the contract (see 5. Contractual issues). Issues associated with the transfer of compliance requirements to a third party must be addressed.

vi. Suggested Policy Statement
Any facilities management, outsourcing or similar company with which this organisation may do business must be able to demonstrate compliance with this organisation's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

This addresses the commissioning of an outside organisation to manage some (or all) of your IT systems. This might be full outsourcing, or it may be at the level of facilities management. Poor or inadequate service delivered by the contracting organisation can result in disruption to your business operations and adversely affect your organisation's performance. Lack of direct control can compromise data confidentiality. Inadequate provisions for compliance with legal or statutory requirements, e.g. Data Protection, can jeopardise the integrity of your business operations. Inadequate disaster recovery plans can terminate the organisation's commercial activities in the event of an unforeseen problem.
Specimen Information Security Elements of an Outsourcing and Third Party Access Policy

- All third parties who are given access to the organisation's information systems, whether suppliers, customers or otherwise, must agree to follow the organisation's information security policies. A summary of the information security policies and the third party's role in ensuring compliance will be provided to any such third party prior to their being granted access.
- The organisation will assess the risk to its information and, where deemed appropriate because of the confidentiality, sensitivity or value of the information being disclosed or made accessible, the organisation will require external suppliers of services to sign a confidentiality agreement to protect its information assets.
- Persons responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the content and spirit of the organisation's information security policies.
- All contracts with external suppliers for the supply of services to the organisation must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.
- Any facilities management, outsourcing or similar company with which this organisation may do business must be able to demonstrate compliance with the organisation's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

These specimen policy elements are intended only as a guide and should be adapted for individual organisations. The implementation of an outsourcing and third party access policy will also require the development of processes and procedures. Documentary evidence of these will be required to satisfy an external party, such as an auditor, that the policy has been fully implemented.