PUBLIC 1.01 EA-ISP-004 http://blogs.plymouth.ac.uk/strategyandarchitecture/wpcontent/uploads/sites/4/2015/03/EA-ISP-004-Outsourcingand-Third-Party-Access.pdf January 2016
EA-ISP-004-Outsourcing and Third Party Access Document Control Version 0.90
Author Paul Ferrier
Position Enterprise Security Architect Head of School of Computing, Associate Professor Supplier Manager, Supplier Liaison Administrator and Third Party Service Provision Manager Enterprise Security Architect
Steve Furnell and Paul Dowland
Nicola Tricker, Emma Brewer and Adrian Jane
PW, AH, GB, CD, PF
Interim IT Director
Details Created the document
Peer review and comments
Peer review and comments
Alteration following Hosting Policy changes Approved sign off
Correction of links
Interim IT Director
Page 2 of 5
EA-ISP-004-Outsourcing and Third Party Access Introduction This information security policy document sets out principles and expectations about maintaining the security of Plymouth University IT facilities that are accessed, managed, supported or provided by third parties. It is a sub-document of the Information Security Policy (EA-ISP-001) and should be read in conjunction with the Data Classification Policy (EIM-POL-001).
is information that if improperly disclosed or lost could cause harm to the business or an individual. This includes personal data as identified by the Data Protection Act and other value or sensitive information that is not in the public domain. are external organisations or individuals other than the University’s own staff or students.
2.1 All third parties who are given access to the University’s information systems, whether as suppliers, customers or otherwise, must agree to follow the information security policies of the organisation. An appropriate summary of the information security policies and the third party’s role in ensuring compliance must be formally delivered to any such third party, prior to being granted access. 2.2 Confidentiality (or Non-Disclosure) agreements must be used in all situations where the confidentiality, sensitivity or value of the information being disclosed is classified as Standard or Restricted1. 2.3 All contracts with third parties to supply, manage or facilitate service are subject to Plymouth University performing audits (either directly, or via a specialist third party auditor) to ensure compliance with information security requirements. This may be in the form of planned or no-notice inspections. 2.4 All contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.
3. Third Party Development, Maintenance and Support 3.1 Persons responsible for commissioning outsourced development of computer based systems and services must use reputable companies that operate in accordance with quality standards, as denoted by Business Impact Level2 (minimum level 3), ISO27001 accreditation or equivalent. These companies will be required to follow the information security policies of this organisation, in particular those relating to application development. 3.2 Persons responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the contents and spirit of the University’s information security policies. 3.3 Any maintenance undertaken by a third party, must be agreed and timetabled with all concerned parties prior to the engagement in any work itself. 3.4 All third parties must use discretion when creating or managing credentials to administer service. Default user names can only be used when no alternative is available and passwords must be randomly generated and contain uppercase, lowercase, numeric and special characters with a minimum length of fifteen characters. If the system or service is unable to support this, consultation must be sought to agree a minimum standard of complexity suitable for the system. No default system passwords must ever be used in any state of development, test or live service.
As derived from the Data Classification Policy As denoted by the UK Governments Business Impact Levels
Page 3 of 5
EA-ISP-004-Outsourcing and Third Party Access 3.5 If access is required to Plymouth University assets within its perimeter, communications must be secured through approved mechanisms for remote access3 and/or data transfer4. 3.6 All third parties who provide payment related services (including cardholder data processing, transmission and storage) must be compliant with the current Payment Card Industry Data Security Standards (PCI DSS). This data will not be held within the University environment and must be managed entirely by the third party. 3.7 Any Information Security breaches that occur against a third party provider of service must be conveyed to the University, through the Enterprise Security Architect or Data Protection Officer within the agreed priority one incident level (as denoted in the Service Level Agreement) or at the earliest available opportunity, whichever is sooner. When the breach has been remedied, a report detailing the steps taken and any measures that will prevent the breach from occurring again should also be provided to the University, within a maximum period of ten working days.
4. Third Party Service Provision 4.1 Any outsourcing or similar company with which this organisation may do business must be able to demonstrate compliance with the organisation’s information security policies and enter in to binding service level agreements that specify the required performance and appropriate remedies available in the case of non-compliance.
Remote Access Policy Data Transfer Policy
Page 4 of 5
EA-ISP-004-Outsourcing and Third Party Access Appendix 2. Contractual Issues Explanatory Notes Adequate security constraints may be in force for employees and contractors, but those same levels of safeguard may be overlooked when dealing with third parties, such as customers or collaborators, hardware and software suppliers, consultants, and other service providers. It is common practice to use a confidentiality agreement as a legally enforceable means to redress for the case that a third party may inappropriately communicate confidential information covered by the agreement to a non-authorised party. If contracts with third parties do not include provisions for monitoring compliance with information security obligations then it may be impossible to determine whether these agreements are causing information security problems. The termination or transfer of a third party contract involves especially high risks to information security.
3. Third Party Development, Maintenance and Support Explanatory Notes It is important that any third party agreement is mutually beneficial to our organisation, as such our suppliers have expert knowledge that can be used to inform or enhance elements of on premise intelligence.