THIRD PARTY ACCESS

brokenroom, Networks and Communications

21 Nov 2013

Source: www.knowledgeleader.com

THIRD PARTY ACCESS POLICY AND PROCEDURE

Prepared By:

Approved By:

Revision Date:

Effective Date:

The following sample outlines a set of policies and procedures governing third party access to company-owned networks and applications.

PURPOSE:

The purpose of this policy is to define security policies that apply to temporaries, contractors, consultants, and third parties, when such connectivity is necessary for business purposes. This policy covers both the physical and administrative requirements needed to manage secure network connectivity between Company X and any third party requiring access to Company X's computing resources.

SCOPE:

A third party who needs IT access to Company X may be:

- A temporary or contractor employed by Company X or one of its subsidiaries or divisions
- A consultant contracted to perform work for Company X or one of its subsidiaries or divisions
- An outside company with a current and valid business relationship with Company X

Company X will limit third party access to only the information, services and computing resources that are required for the fulfillment of the third party's job functions. This includes all types of access to Company X facilities and technology resources. Third parties must utilize Company X approved methods of access.

POLICY:

Third party access to Company X technology resources will be in accordance with specific security policy requirements determined based on business needs.

Inbound connections from outside organizations must be limited to specific systems, proxies, or applications on those systems.

At no time will external parties have unlimited access to Company X computers or networks from external locations.

Third party access levels may consist of any of the following:

- Specific / Targeted: Access will be limited to a specific resource or application
- General-Level Access: Access to Company X's technology resources while onsite at the corporate campus or at any Company X field location
- Developer or Administrator Access: Access to Company X's technology resources with privileged or sensitive access and/or configuration rights
- Business-to-Business (B2B): Site-to-site VPN, frame relay, or other B2B connection with a service provider

Third party access methods may include:

- Onsite: Users working in a Company X corporate or field office
- Remote Access: Users working away from Company X offices accessing the network using dial-up, broadband (cable or DSL), or other means
- Permanent connection (B2B): Site-to-site connection via frame relay, VPN, or other dedicated connection method
DEFINITIONS:

- B2B: Business-to-Business. The exchange of services, information and/or products from one business to another.
- Business partner: Third party companies that have business relationships with Company X that include IT connectivity to Company X resources.
- End user access: Users who access the production system or application as part of their normal day-to-day responsibilities.
- Frame relay: A packet-switching protocol for connecting devices on a Wide Area Network (WAN).
- Technology resources: Company X's technology resources including computer systems, networks, and software applications that can be accessed by authorized Company X users.
- Third party: A person contracted to Company X; an individual or group of individuals employed by one of Company X's subsidiaries; or an outside company with a current and valid business relationship with Company X.
- User: Anyone with authorized access to Company X's technology resources including permanent and temporary employees or third party personnel such as temporaries, contractors, consultants and other parties with valid Company X access accounts.
- Virtual Private Network (VPN): A network using encryption and other security measures to allow the creation of a private network using public connections on the Internet. Generally used for connecting computer networks, or to allow remote access by authorized users into private networks, without the need for dedicated circuits.

PROCEDURES:

Section 1: Roles and Responsibilities

Information Security Services (ISS) will be the primary point of contact regarding requests for third party access to Company X's technology resources. Third parties bringing computer resources into Company X and connecting to the Company X network must have a contract in place.

1.1 Company X Sponsor

The role of the Company X sponsor is to be the contact point and coordinator in the third party / Company X relationship. The sponsor is also responsible for making sure that third party responsibilities are understood by everyone.

The Company X sponsor of a third party access must promptly notify ISS when access is no longer needed or requires modification. This may include logins, remote access and permanent connections.

1.2 Network Systems Engineering

Network Systems Engineering (NSE) provides setup of B2B connections and single user VPN connections.

1.3 Security Accounts Management

Security Accounts Management (SAM) ensures that properly requested changes to user accounts (for account types that they manage) are carried out in an appropriate and timely manner and that required procedures are followed.

1.4 Information Security Services

ISS is responsible for receiving and approving temporary, contractor, consultant and third party access privileges.

1.5 Director, Information Technology Operations

The Director of IT Operations is responsible for review and approval of all B2B third party access requests.

1.6 Legal and Purchasing

The Legal and Purchasing Departments are responsible for negotiating terms and agreements with the third party. The Legal and Purchasing Departments will consult with ISS to determine needs/requirements before any agreement is reached.

1.7 Hiring/Recruiting Manager

The Hiring/Recruiting Manager is responsible for hiring temporaries, consultants, or contractors and ensuring that third party policies or contract terms are understood by all.

Section 2: Temporaries or Contractors

Hired through the recruiting process, temporaries or contractors work in a Company X department, division, or subsidiary:

- Typically they are employed through one of Company X's lines of business or another temporary service
- Use of Company X equipment and resources is standard for this type of third party

2.1 General Policies

- Temporaries or contractors working onsite for Company X will be given end-user access unless their job function requires additional permissions
- Accounts will expire in 90 days and must be renewed by the third party's sponsor
- All ISS policies, procedures, standards and guidelines apply
- End user access to production systems by temporaries or contractors is governed by the Change of Access Status Policy
- Access as a non-end user by a temporary or a contractor to Company X's production systems is governed by the Production Access Policy
- Temporaries or contractors requesting remote access must comply with the Remote Access Policy

Section 3: Consultants

Company X's Legal and Purchasing Departments are involved in hiring consultants. Consultants are generally employees of a third party company operating under a statement of work for Company X or one of its divisions or subsidiaries.

3.1 General Policies

- Accounts will expire in 90 days and must be renewed by the third party's sponsor
- Company X must be notified of any changes in third party personnel. New personnel will be granted access by following the Change of Access Status Policy, not by assuming the identity of the former user
- All ISS policies, procedures, standards and guidelines apply
- End user access to production systems by consultants is governed by the Change of Access Status Policy
- Consultants' access as a non-end user to Company X's production systems is governed by the Production Access Policy
- Consultants requiring remote access must comply with the Remote Access Policy
- Consultants may use Company X equipment and are considered a temporary or contractor with regard to the use of Company X equipment
- Non-Company X equipment brought into Company X facilities and/or connected to the Company X network is bound by Section 6 of this document: Third Party Use of Non-Company X Equipment on the Company X Network. Authorization of non-Company X equipment with Company X technology resources requires prior written approval and is not automatically granted.

Section 4: Third Party Companies

Third party companies who have a business relationship with Company X may require IT connectivity to Company X systems on a permanent or semi-permanent basis. The following policies apply to third parties.

4.1 General Policies

- Each third party employee must have their own account, and those accounts must not be shared. User accounts expire in 90 days and must be renewed by the third party's sponsor
- Company X must be notified of any changes in third party personnel with access to Company X systems. New personnel will be granted access by following the Change of Access Status Policy, not by assuming the identity of the former user
- The third party company must promptly notify Company X when any authorized third party company employee leaves said company's employ or no longer requires access to Company X's technology resources
- All ISS policies, procedures, standards and guidelines apply
- Third party companies' end user access to production systems is governed by the Change of Access Status Policy
- Third party companies' access as a non-end user to Company X's production systems is governed by the Production Access Policy
- Third party companies requiring remote access must comply with the Remote Access Policy
- Third party companies may use Company X equipment and are considered a temporary or contractor with regard to the use of Company X equipment. Company X equipment issued and used by third parties must follow Section 5 of this document: Third Party Use of Company X Equipment or Software
- Non-Company X equipment brought into Company X facilities and/or connected to the Company X network is bound by Section 6 of this document: Third Party Use of Non-Company X Equipment on the Company X Network. Authorization of non-Company X equipment with Company X technology resources requires prior written approval and is not automatically granted
- The third party company will allow only their employees performing work for Company X access to Company X technology resources or to any Company X equipment. Company X has the right to approve, monitor, and restrict all third party company employees having access to Company X technology resources. The third party company is responsible for ensuring that their employees follow ISS policies, procedures, standards and guidelines
- Company X equipment located offsite at the third party companies' premises must be secured according to ISS policies, procedures, standards and guidelines

4.2 Notifications

Third party companies must notify Company X via agreed upon methods (by email, telephone and in writing) promptly:

- Upon any change to the user base for the work performed over the approved third party network connection
- Whenever a change to the connection or the functional requirements of the third party access connection is necessary

4.3 Network Security for Third Party Company (B2B) Access

When there is a business need for a third party connection, a risk assessment must be carried out to determine security implications and control requirements. An adequate controls strategy must be agreed upon and defined. Access will not be granted until risks associated with the request are discussed and a risk mitigation strategy is agreed upon with ISS and the request sponsor. The Company X Change Control Process must be adhered to for tracking and implementing change requests associated with the connection (including the initial setup of the connection).

Both Company X and the third party company are responsible for the selection, implementation and maintenance of security procedures and policies that are sufficient to ensure that:

- Access to Company X's network and the third party company's use of Company X-owned equipment is secure and is used only for authorized purposes
- Company X's business records and data are protected against improper access, use, loss, alteration, or destruction.

Section 5: Third Party Use of Company X Equipment or Software

Company X may, at its sole discretion, loan to the third party certain equipment or software for use on the third party's or Company X's premises. An agreement governing the third party's use of the equipment, the term of the loan, and any other applicable restrictions or permissions, will be signed by authorized management at both Company X and the third party.

Users are responsible for ensuring that appropriate operating system, security software and virus updates and patches are applied at regular intervals to the equipment used to access the network remotely (refer to the Guidelines for Updating Software Procedure). If the equipment is used on a daily basis, a check for available updates must occur daily, and when appropriate updates are available, they must be installed immediately. If the devices are used less frequently, checks for appropriate updates must occur each time that the units are used to access Company X technology resources. The same rules apply to checking updates for:

- The operating system of each device
- Any application running on the client device that shares data with the host system

5.1 Modifications to Company X Equipment

No modification to the configuration of Company X equipment on the third party's or Company X's premises is allowed unless a formal written request is approved by Company X management. Once an approved modification is completed, the third party must notify Company X via agreed-upon methods (i.e. by email, telephone, or in writing).

Section 6: Third Party Use of Non-Company X Equipment on the Company X Network

Documented approval and authorization of third party use of non-Company X equipment is required (refer to the Third Party Access Form). If allowed to use non-Company X equipment, users accessing Company X technology resources must have the following security software installed on their equipment:

- Personal firewall (that limits access to and from the machine)
- Anti-virus (that has both real-time protection and scheduled virus scans)
- Spyware detection

Users are responsible for ensuring that appropriate operating system, security software, and virus updates and patches are applied at regular intervals to the equipment used to access the network remotely (refer to the Guidelines for Updating Software Procedure). If the equipment is used on a daily basis, a check for available updates must occur daily and when appropriate updates are available, they must be installed immediately. If the devices are used less frequently, checks for appropriate updates must occur each time that the units are used to access Company X technology resources. The same rules apply to checking updates for:

- The operating system of each device
- Any application running on the client device that shares data with the host system

NOTE: Machines may be audited at any time and those found to be non-compliant with these requirements will be denied access to Company X technology resources.

Section 7: Exceptions

Requests for policy exceptions must have a valid business justification. The exception must be documented and approved by the system owner or department manager. ISS will evaluate, approve and store exception requests. Refer to the Exceptions and Non-Conformance Policy or the Policy Exceptions and Non-Conformance Standard for more specific information on exceptions.

NOTE: Each exception request must be justified, documented and approved separately. ISS maintains the right to deny any exception from this policy.

Section 8: Enforcement

Network activities may be monitored and logged to ensure compliance with the rules established in this and other ISS policies, procedures, standards and guidelines.

Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, or legal action as appropriate, or both. No provision of this policy will alter the at-will nature of the employment relationship at Company X.

Section 9: Policy Update and Notification

Company X reserves the right to revise the conditions of this policy at any time by giving notice via the Information Security Policy Update Procedure. Users are responsible for understanding or seeking clarification of any rules outlined in this document and for familiarizing themselves with the most current version of this policy.