Third Party Security Guidelines for e-governance




Draft

DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India

Document Control

S/L | Type of Information      | Document Data
1.  | Document Title           |
2.  | Document Code            |
3.  | Date of Release          |
4.  | Next Review Date         |
5.  | Document Revision Number |
6.  | Document Owner           |
7.  | Document Author(s)       |
8.  | Document Reference       |

Document Approval

Sr. No. | Document Approver | Approver Designation | Approver E-mail ID

Document Change History

Version No. | Revision Date | Nature of Change | Date of Approval

For Internal Use Only

Table of Contents

1. INTRODUCTION ... 4
2. SCOPE ... 4
3. PURPOSE ... 4
4. THIRD PARTY RISK MANAGEMENT FRAMEWORK ... 5
5. MANAGEMENT OF THIRD PARTY ... 7
   5.1 EXCHANGE OF INFORMATION ... 7
   5.2 HIRING AND TRAINING OF EMPLOYEES ... 7
   5.3 ACCESS CONTROL ... 8
   5.4 REPORTING AND INVESTIGATING SECURITY INCIDENTS ... 9
   5.5 CHANGES IN SERVICES ... 9
   5.6 THIRD PARTY RISK ASSESSMENT ... 10
6. DISCIPLINARY MEASURES FOR NON-COMPLIANCE ... 11
7. REFERENCES ... 11
8. ANNEXURE ... 11

1. INTRODUCTION

Third parties can assist management in attaining strategic objectives by increasing revenues or reducing costs. The use of a third party also commonly serves as a vehicle for management to access greater expertise or efficiency for a particular activity. However, the use of third parties in no way diminishes the responsibility of e-gov service delivery to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws, regulations, and internal policies. This recognises the close cooperation between e-gov service delivery and third parties, particularly in the area of information security.

The use of third party services rests on the fundamental premise that the services provided by the third party will be trusted. This trust results from the confidence that the third party is managed correctly and its services are operated securely. To build such trust, third parties can communicate the effectiveness of their information security controls by obtaining security certifications such as ISO 27001 and/or by having an independent body review their information security and privacy practices.

2. SCOPE

These guidelines are applicable across all geographies where information of e-gov service delivery is processed and/or stored by a third party. They are applicable to all third parties, sub-contractors and/or representatives of the third party providing services to e-gov service delivery.

3. PURPOSE

The purpose of these guidelines is to:
- Ensure that an appropriate level of security controls is implemented by third parties to protect the information processing facilities of e-gov service delivery and the assets accessed by any third party entity, and to maintain the security of information when the responsibility for information processing has been outsourced;
- Ensure that regular reviews of third parties are conducted towards adherence to this policy and any contractual or regulatory requirement; and
- Provide the third party with an approach and directives for implementing information security controls for all information assets used by them to provide services to e-gov service delivery.

4. THIRD PARTY RISK MANAGEMENT FRAMEWORK

[Figure: Third Party Risk Management Framework, three stages]
- Due Diligence: vendor evaluation criteria will be used which consider the Financial Status, Process Maturity, Information Security etc.
- Contract Structuring: will have defined guidelines (with a clause on information security) to be followed as part of the contract.
- Post Association Assessment: Risk Profiling/Assessment; Self Assessment; Onsite Review.

Due Diligence (Selecting a third-party)

Criteria for selecting a vendor shall be defined and documented, taking into account the:
- Information Security;
- Government Fitment with respect to e-gov service delivery;
- Financial;
- Technology and Infrastructure;
- Process Maturity;
- Customer Satisfaction.

Based on the weighted average scores obtained on the above mentioned criteria, and as per the best fit, a vendor may be shortlisted/selected.

Contract Structuring (Contracts and confidentiality agreements)

A formal contract between the government department and the third-party shall exist to protect both parties. The person responsible shall ensure that, while entering into an agreement with the outsourcing party, the security requirements are clearly communicated to the third-party. The following should, as a minimum, be included in the agreement:
- Information shared shall be classified, labelled and controlled in accordance with the e-gov security policy.
- If the information being exchanged is non-public, a binding confidentiality agreement shall be in place between e-gov service delivery and the third-party, whether as part of the service contract itself or as a separate non-disclosure agreement (which may be required before the main contract is negotiated).
- The security responsibilities of third party staff should be incorporated in the contract with the third parties.
- Provision shall be made for the acceptable use of the information processed by the outsourced function or service, including breach of information security.
- The contract should explicitly state the right to access and the right to audit the third party and their sub-contractors. The third-party should not only understand the rationale for audit but also provide all support necessary to conduct the audits.
- If the third party sub-contracts any part of the work, the sub-contracted parties shall also ensure adherence to the e-gov Security Policy.
- The contract shall provide details of legal, regulatory and other third party obligations such as data protection/privacy laws, etc.

- Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.

Post Association Assessment

If a third-party performs its activities at a location other than e-gov service delivery premises, or operates both from service delivery and outside locations, the auditor may audit the third-party's physical premises and applicable security controls periodically for compliance with e-gov Security policies, ensuring that it meets the requirements identified in the contract. Additionally, the third party may go ahead with risk/self-assessments or audits as applicable.

5. MANAGEMENT OF THIRD PARTY

5.1 EXCHANGE OF INFORMATION

While entering into any kind of outsourcing agreement, the transition of information and information processing facilities should be planned; similarly, at the time of termination of the contract, it should be ensured that such assets are returned as required. Information security shall be ensured throughout the transition period.

In cases where the third-party is requested to delete given data previously used in the outsourced service, mechanisms such as reports or logs should be produced to verify that the data deletion has been securely and properly carried out.

5.2 HIRING AND TRAINING OF EMPLOYEES

Third-party or sub-contractor employees shall be subjected to background checks. Such screening shall take into consideration the level of trust and responsibility associated with the position:
- Proof of the person's identity;
- Proof of their academic qualifications;
- Proof of their work experience;
- Criminal record check;
- Credit check.

Suitable information security awareness, training and education shall be provided to all employees and third parties working on the contract, clarifying their responsibilities relating to e-gov security policies, standards, procedures and guidelines and all relevant obligations defined in the contract.

5.3 ACCESS CONTROL

The concerned department/asset owner will ensure:
- A risk assessment to identify the security implications of providing such access to the third party. The risk assessment shall be approved by the Head IT Security.
- Third party staff shall be provided access to information assets as per the User Access Management Procedure. However, the following shall be analysed and documented by the IT Helpdesk prior to providing access to critical information systems, and a report for the same shall be submitted to the Head IT Security for review:
  - Type of access required
  - Duration of access required
  - Mode of access required
  - Criticality of the systems on which access is being provided
- In case third party staff have higher privileges (e.g. administrator, power user, etc.), appropriate clauses relating to the non-disclosure agreement shall be included in the contract.

- The asset owner is responsible for accepting the risk related to third party access to information assets before access is actually provided to the third party.
- The Datacenter head shall ensure that, prior to providing access, security guidelines are issued to third party staff and their acceptance of the same is obtained.
- Access to all classified information shall be documented and carried out in a controlled fashion.
- A list of personnel is to be maintained to ensure that only the listed personnel have legitimate access to the Information System areas.
- All third party personnel shall be given access cards/identification badges based on need. The access cards/identification badges given to the personnel shall be marked as non-transferable and returnable on termination of the contract.
- At the time of disengagement, all user accounts and access rights assigned to the third-party employees shall be revoked in a timely manner.

5.4 REPORTING AND INVESTIGATING SECURITY INCIDENTS

The third party shall educate its employees and establish formal reporting and feedback procedures as well as incident response procedures for all security incidents and system weaknesses. The third party shall promptly investigate and mitigate the risk arising from any security incident or system weakness, and shall inform the datacenter head about such instances, investigations, the remedial plan and a timetable for achievement of the planned improvements.

5.5 CHANGES IN SERVICES

Changes to the provision of third party services should be re-assessed, considering the current service delivery systems and the processes involved.

5.6 THIRD PARTY RISK ASSESSMENT

Access to information assets of e-gov Service Delivery should be provided to third parties on a need-to-know and need-to-have basis. The access provided could be physical, logical and even remote logical access. Third-party access should be provided as per the business requirements and after analysing the risk(s) associated with such access. Therefore, it is important to identify and address such risks through a comprehensive Risk Assessment (hereinafter referred to as RA in this document) exercise. This kind of RA ensures the following:
- Third party access is only provided where there is a valid business justification; and
- Mitigation controls are implemented to reduce the risk(s) due to such access.

This procedure intends to cover RA in sufficient depth to understand and manage the risks arising from third-party access to information assets of e-gov Service Delivery. The objectives of conducting a RA for third-party access are as follows:
- To identify, understand and manage the risks applicable to and associated with third-party access to information assets of e-gov Service Delivery;
- To provide a fair and reasonable amount of assurance to stakeholders about the security controls in place for third-party access to address the risks;
- To ensure that access is provided to the third-party only on a need-to-know or need-to-have basis; and
- To ensure that the third-party access controls are appropriately designed and implemented with reasonable effectiveness.

Procedure for Third-party Access Risk Assessment

The RA for third-party access is done in 4 phases:
1. Risk Identification: the IT/Networks function should identify the risks due to providing the required access to the identified information assets and/or facilities.
2. Risk Treatment Plan: for each identified risk, a Risk Treatment plan should be developed. This should be reviewed and approved by the Composite team - Security or the IT/Networks function or the CISO. Also, for each risk identified, a Risk owner should be identified.
3. Implementation strategy: the CISO may be required to discuss the risks identified by the IT/Networks functions. The CISO should provide his/her inputs on whether to implement the additional controls or choose to accept the risk.
4. Audit of Third-party Access: the CISO or designated personnel from the Composite team - Security should conduct an audit of third-party access and the implemented mitigation controls to examine their effectiveness. The audit team should review the implementation of controls against each access provided to the third-party.

6. DISCIPLINARY MEASURES FOR NON-COMPLIANCE

Non-compliance with the Third Party Security Guidelines is grounds for disciplinary action up to and including termination of the contract.

7. REFERENCES

- e-gov Security Policy
- User access management

8. ANNEXURE

Third Party - Risk Management: Third party- Risk management.doc