Monday, July 30, 2007

Information Security Policy 101 – Vendor/Third-Party Access Policy

Part 17 in the Information Security Policy 101 Series

Some organizations call on the support of a third-party and/or vendor rarely. Other organizations have third-party support personnel in and out of various areas all day, every day. Most organizations fall somewhere in the middle. I cannot think of a single organization that has not allowed a third-party and/or vendor at least physical access to restricted areas to conduct seemingly innocent tasks.

Question: What governs a vendor and/or other third party's access?

Answer: Vendor/Third-Party Access Policy.

NOTE: Some organizations have already negotiated detailed contracts with vendors and other third-party entities. In some instances an existing contract may need to be appended, a new contract drawn up, or a waiver request approved.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Vendor Access Policy is to establish the rules for vendor access to %ORGANIZATION% Information Resources and support services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and protection of %ORGANIZATION% information. Vendor access to %ORGANIZATION% Information Resources is granted solely for the work contracted and for no other purposes.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Third-Party/Vendor Access Policy typically applies to those persons involved in contracting third-party/vendor support and representatives of the third-party/vendor itself.

The %ORGANIZATION% Vendor Access Policy applies to all individuals that are responsible for the installation of new %ORGANIZATION% Information Resource assets, and the operations and maintenance of existing %ORGANIZATION% Information Resources, and who do or may allow vendor access for support, maintenance, monitoring and/or troubleshooting purposes.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Vendor/Third-Party Access Policy
The Vendor/Third-Party Access Policy is longer and more in-depth than some of the policies we have covered most recently. Use the information gleaned from your business assessment to determine how much detail your policy needs for the information resources you are trying to protect.

TIP: Have your legal department (or whoever is in charge of negotiating contracts) review the policy in detail. You may also choose to have your legal department assist you in drafting this policy.


- Vendors must comply with all applicable %ORGANIZATION% policies, practice standards and agreements, including, but not limited to:
  - Safety Policies
  - Privacy Policies
  - Security Policies
  - Auditing Policies
  - Software Licensing Policies
  - Acceptable Use Policies
- Vendor agreements and contracts must specify:
  - The %ORGANIZATION% information the vendor should have access to
  - How %ORGANIZATION% information is to be protected by the vendor
  - Acceptable methods for the return, destruction or disposal of %ORGANIZATION% information in the vendor's possession at the end of the contract
  - The vendor must only use %ORGANIZATION% information and Information Resources for the purpose of the business agreement
  - Any other %ORGANIZATION% information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others

Drafting, approving, and implementing a Vendor/Third-Party Access Policy helps ensure that information security is a forethought in contract negotiations and no longer an afterthought. Seasoned information security personnel understand the benefit of applying information security early on versus retrofitting an existing solution with security after the fact.


Next in the series: “Information Security Policy 101 – Virus Protection Policy”

Previous: “Information Security Policy 101 – Software Licensing Policy”
