Outsourcing and third party access




This document is part of the UCISA Information Security Toolkit, providing guidance on the policies and processes needed to implement an organisational information security policy. To use the Toolkit effectively it should be read alongside the Toolkit Introduction and the How to use guide, and then used to develop appropriate information security elements for inclusion in your organisation's policies.

1. Introduction

The Outsourcing and Third Party Access Policy sets out the conditions that are required to maintain the security of the organisation's information and systems when third parties, other than the organisation's own staff or students, are involved in their operation. This may occur in at least three distinct circumstances:

- When third parties (for example contractors) are involved in the design, development or operation of information systems for the organisation. There may be many reasons for this to happen, ranging from writing and installing bespoke software, through third party maintenance or operation of systems, to full outsourcing of an IT facility;
- When access to the organisation's information systems is granted from remote locations where computer and network facilities may not be under the control of the organisation (this is covered in more detail by the Mobile Computing Policy);
- When users who are not members of the organisation are given access to information or information systems.

Each of these circumstances involves a risk to the organisation's information, which should be assessed before the third party is granted access. Such access must be subject to appropriate conditions and controls to ensure the risk can be managed.

2. BS 7799 definitions and numbering

Outsourcing and third party access issues are covered by sections 6.2, 10.2 and 12.5.5 of the standards document. Issues around roles and responsibilities, covered by section 8.1.1 of the standards, are also relevant.
6.2 External parties
Objective: To maintain the security of the organisation's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

6.2.1 Identification of risks related to external parties
The risks to the organisation's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

6.2.2 Addressing security when dealing with customers
All identified security requirements shall be addressed before giving customers access to the organisation's information or assets.

6.2.3 Addressing security in third party agreements
Agreements with third parties involving accessing, processing, communicating or managing the organisation's information or information processing facilities, or adding products or services to information processing facilities, shall cover all relevant security requirements.

8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

8.1.1 Roles and responsibilities
Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organisation's information security policy.

10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

10.2.1 Service delivery
It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

10.2.2 Monitoring and review of third party services
The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

10.2.3 Managing changes to third party services
Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business systems and processes involved and re-assessment of risks.

12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.

12.5.5 Outsourced software development
Outsourced software development shall be supervised and monitored by the organisation.

3. Interrelationship between policies in this document and related BS 7799 references

In this Toolkit, each subsection addresses a number of the outsourcing and third party controls from the standard. All of the controls in sections 6.2 and 10.2 of the standard and control 12.5.5 are covered. Part of control 8.1.1 is covered, and this is also covered in the Personnel Policy.

Toolkit subsection                       Control(s)
Contractual issues                       6.2.2 Addressing security when dealing with customers
                                         6.2.3 Addressing security in third party agreements
                                         8.1.1 Roles and responsibilities
                                         10.2.2 Monitoring and review of third party services
                                         10.2.3 Managing changes to third party services
Third party support and maintenance      6.2.1 Identification of risks related to external parties
Third party development                  12.5.5 Outsourced software development
Facilities management and outsourcing    10.2.1 Service delivery

4. Guidelines for use

The purpose of these policies is to maintain the security of the organisation's IT facilities that are accessed or provided by third parties. Access to the organisation's IT facilities by third parties must be controlled. The risk associated with access to the organisation's IT facilities by third parties should be assessed and appropriate security controls implemented.

The security of the organisation's IT systems might be put at risk by access from third party locations with inadequate security management. Where there is a business need to connect to a third party location, a risk analysis should be undertaken to identify any requirements for specific security measures. The risk analysis should take into account the type of access required, the value of the information, the security measures employed by the third party and the implications of the access for the security of the organisation's IT infrastructure. Access to the organisation's IT facilities by third parties must not be provided until appropriate countermeasures have been implemented and a contract has been signed defining the terms for connection.

UCISA Information Security Toolkit Edition 3.0

High Criticality Systems: The risks associated with access to organisational information processing facilities by third parties (i.e. external contractors etc., not [say] website users) shall always be assessed and strong security controls implemented.
Medium Criticality Systems: The risks associated with access to organisational information processing facilities by third parties shall be separately assessed.
Low Criticality Systems: The general user forum should discuss and agree baseline information security standards.

5. Contractual issues

Contracts with third parties involving the organisation's IT facilities must specify security conditions. The contract, including the elements addressing information security, must be in place before access to the organisation's IT facilities is provided. The organisation must not allow access to third parties that will not respect and comply with its information security policy.

Arrangements involving third party access to the organisation's IT facilities should be based on a formal contract setting out all necessary security conditions to ensure compliance with the organisation's information security policy. The performance of this contract, and especially the security conditions it contains, must be monitored. Arrangements for the termination of the contract, or transfer of the contract to another organisation, must be in place to ensure that these events do not present a threat to the organisation's information security or to the provision of information systems.

The security requirements of an organisation outsourcing the provision, management, operation and/or control of all or any of its information systems, networks and/or desktop environments shall be addressed in a contract agreed between the parties. The organisation should provide third parties with access to its information security policy, and a summary of the policy must be available.

i. Suggested Policy Statement

All third parties who are given access to the organisation's information systems, whether as suppliers, customers or otherwise, must agree to follow the information security policies of the organisation. An appropriate summary of the information security policies and the third party's role in ensuring compliance must be formally delivered to any such third party, prior to their being granted access.

Adequate security constraints may be in force for employees and contractors, but those same levels of safeguard may be overlooked when dealing with third parties, such as customers or collaborators, hardware and software suppliers, consultants, and other service providers. Where third party agreements do not refer to your information security policy, you may have difficulty in making a case if a breach of security only becomes evident after the contract with the third party is completed. Where a contract with an external service provider does not refer to the information security policies and standards of your organisation, your information is at greater risk as their standards and safeguards are likely to differ. Where you are supplying services to a customer or collaborator, misunderstandings about the extent of the services provided may result in loss of confidential information or inappropriate use of your systems that cannot be remedied. The staff members of third party organisations may not be bound to keep information they come by in confidence, and may inadvertently disclose information to the disadvantage of the organisation.

ii. Suggested Policy Statement

Confidentiality agreements must be used in all situations where the confidentiality, sensitivity or value of the information being disclosed is classified as proprietary (or above).

It is common practice to use a confidentiality agreement as a legally enforceable means of redress in the case that a third party inappropriately communicates confidential information covered by the agreement to a non-authorised party.

Where confidentiality agreements are not agreed and signed with third parties who have access to your information systems and projects, unguarded conversations may result in sensitive information being divulged to a competitor.

iii. Suggested Policy Statement

All contracts with external suppliers for the supply of services to the organisation must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.

If contracts with third parties do not include provisions for monitoring compliance with information security obligations, then it may be impossible to determine whether these arrangements are causing information security problems. The termination or transfer of a third party contract involves especially high risks to information security. If you cannot monitor a contractor's compliance, then you are unlikely to detect or be able to investigate any breach of your information security that occurs via their systems or staff. A third party contractor will have knowledge about your information and information systems that could be used to harm you after a contract has been terminated. Arrangements for the handover of an outsourced service between two external contractors must ensure that all necessary information is transferred and that there is not a period when neither or both of them have control of the service.

6. Third party support and maintenance

Because maintenance and support staff from third party companies may need to access information systems with the highest level of access privilege, or indeed when the normal access controls are not operational, it is imperative that they comply with the information security policies of your organisation.

The policies outlined in the contractual section of this document are sufficient to ensure this. In practice, many support and maintenance contracts will offer assurances from the supplier of the service that their staff and agents will follow good codes of practice in handling their customers' information. You need to assess these and ensure that they do not breach your organisation's policies.

iv. Suggested Policy Statement

Persons responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the contents and spirit of the organisation's information security policies.

7. Third party development

If external third parties are used to develop computer systems for the organisation, appropriate arrangements must be put in place to ensure the information security policy is respected.

v. Suggested Policy Statement

Persons responsible for commissioning outsourced development of computer based systems and services must use reputable companies that operate in accordance with quality standards and which will follow the information security policies of this organisation, in particular those relating to application development.

The following issues should be considered if the organisation decides to outsource some or all of its computer processing:

- Failure to follow the information security policies during the development of an application system may prevent the system meeting the required policies when it is installed as an operational element in the organisation's production systems.

8. Facilities management and outsourcing

The use of an external contractor to manage computer or network facilities may introduce a number of potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractor's site. Any proposal to use an external facilities management service should identify the full security implications and include appropriate security controls. Risks should be identified in advance and appropriate security measures should be agreed with the contractor, and incorporated into the contract (see 5. Contractual issues). Issues associated with the transfer of compliance requirements to a third party must be addressed.

vi. Suggested Policy Statement

Any facilities management, outsourcing or similar company with which this organisation may do business must be able to demonstrate compliance with this organisation's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

This addresses the commissioning of an outside organisation to run some (or all) of your IT systems. This might be full outsourcing or it may be at the level of facilities management. Poor or inadequate service delivered by the contracting organisation can result in disruption to your business operations and adversely affect your organisation's performance. Lack of direct control can compromise data confidentiality. Inadequate provisions for compliance with legal or statutory requirements, e.g. Data Protection, can jeopardise the integrity of your business operations. Inadequate disaster recovery plans can terminate the organisation's commercial activities in the event of an unforeseen problem.

Specimen Information Security Elements of an Outsourcing and Third Party Access Policy

- All third parties who are given access to the organisation's information systems, whether suppliers, customers or otherwise, must agree to follow the organisation's information security policies. A summary of the information security policies and the third party's role in ensuring compliance will be provided to any such third party, prior to their being granted access.
- The organisation will assess the risk to its information and, where deemed appropriate because of the confidentiality, sensitivity or value of the information being disclosed or made accessible, the organisation will require external suppliers of services to sign a confidentiality agreement to protect its information assets.
- Persons responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the content and spirit of the organisation's information security policies.
- All contracts with external suppliers for the supply of services to the organisation must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.
- Any facilities management, outsourcing or similar company with which this organisation may do business must be able to demonstrate compliance with the organisation's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

These specimen policy elements are intended only as a guide and should be adapted for individual organisations. The implementation of an outsourcing and third party access policy will also require the development of processes and procedures. Documentary evidence of these will be required to satisfy an external party, such as an auditor, that the policy has been fully implemented.