info@nissa.gov.ly
+218 21 3614115

Third Party Policy

You can download the National Information Security & Safety Authority policies as PDF by clicking on this link.

Third Party Access Policy

Introduction

This policy outlines the procedures governing third-party access to (Organization)-owned systems, networks and applications.

A third party is an organization or individual (non-permanent employee) external to the (Organization).

The policy covers the following aspects of third party relationships:

  • Third party risk assessments.
  • Agreements and contracts.
  • Network service provision.
  • Authorization of connections.
  • Security of access by non-permanent employees (both physical and logical).

Purpose

The purpose of this policy is to define standards for all Third Parties seeking to access (Organization) systems or networks for the purpose of transacting business related to the (Organization).

This policy is designed to minimize the (Organization)'s exposure to the risks associated with Third Party Access.

Scope

This policy applies to all (Organization) Staff seeking to provide Third Parties with access to the (Organization) systems, network or devices attached to the network, and to all Third Parties, whether they are vendors, contractors, consultants or outsourced professionals.

Policy

  1. A non-disclosure agreement must be signed before contracting with a third party, and the role and responsibilities of the third party must be clearly defined in the agreement.
  • Third party access to (Organization) systems and network facilities will be given only after the signing of a formal contract defining the terms of the connection; the contract must contain all security requirements by which the third party is to abide.
  • All new connection requests between third parties and the (Organization) require that the third party and (Organization) representatives agree to and sign the Agreement.

2. Pre-Requisites: All new connectivity must go through a security review and approval with the Information Security department.

  • The review ensures that the access granted matches the business requirements as closely as possible and that the principle of least access is followed.
  • All third parties must follow the information security requirements that define the minimum level of security the (Organization) requires the third party to achieve. These set out the security measures that the third party must implement and maintain in relation to all aspects of information security and all associated supporting processes.
  • All third parties must ensure that they do not breach any of the information security management system statements at any time during their contract with the (Organization).

3. Establishing Connectivity:

  • All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review.

4. Modifying or Changing Connectivity and Access:

  • All changes in access must be accompanied by a valid business justification and are subject to security review. Changes are to be implemented via the (Organization) change management process.

5. Permitted Third Party Access:

  • Third Party Access to the (Organization)'s systems or network must be made only for the purposes agreed in the contract. This applies to every (Organization) partner not employed directly by the (Organization) who has remote or direct access to the (Organization)'s systems and network.
  • Third party access must be permitted only to the facilities, services and data required to perform the specified tasks, as outlined to the appropriate IT Network Manager/Administrator in the original request for access.

6. Third Party Workstations:

Where Third Parties use PCs, laptops or any other devices not owned or managed by the (Organization) to access resources on the (Organization)'s network and systems, Third Parties must ensure the following:

  • Operating systems are fully up to date with patches.
  • Anti-virus software is fully up to date with patches and virus definitions.
  • Anti-spyware/malware software is fully up to date with patches and malware definitions.

7. Remote Access by Third Parties:

  • Responsibilities for the security management and administration of third party access will be clearly assigned to both the (Organization) and the third party. An appropriate level of management and technical support will be provided by both parties to ensure that compliance with this policy is achieved.
  • For each third party connection, the following positions must be appointed:
    • A Head of Service Area, or delegated authority, who is responsible for permitting third party access by authorizing the connection on a written authorization form.
    • A System Owner who has overall responsibility for each third party connection and ensures that the policy and standards are applied. The System Owner is also responsible for confirming whether third party access to their systems is permitted, and may prohibit third party access to certain sensitive systems.

8. Incident Reporting: Third Parties shall report to management any incident affecting information security and privacy, and all observed or suspected security weaknesses in, or threats to, Information Technology Assets.

9. Terminating Access:

  • When access is no longer required, the (Organization) owner responsible for the access and connection must terminate it.
  • The connection owner must audit their connections annually to ensure that all existing connections are still needed and that the access provided meets the needs of the connection.
  • Connections that are found to be deprecated, and/or are no longer being used to conduct (Organization) business, will be terminated immediately.
  • All Third party and external user accounts, where defined on the system, must have a mandatory expiry date.
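The three checks in the Terminating Access section (mandatory expiry date, expired access, and connections no longer in use) are mechanical enough to script. The following is an added example, not part of the NISSA policy text: it audits a list of third-party account records and reports which ones need an expiry date set and which should be terminated. The record format, the sample accounts and the 90-day "unused" threshold are assumptions made for illustration; the policy itself does not fix a threshold.

```python
"""Audit third-party accounts against the Terminating Access rules.

Added example, not part of the NISSA policy text. The record layout,
the sample accounts and the 90-day "unused" threshold are assumptions.
"""
from datetime import date, timedelta

# Assumed threshold for "no longer being used"; the policy sets none.
UNUSED_AFTER = timedelta(days=90)

# Date on which the sample audit is run (assumption for the example).
AUDIT_DATE = date(2024, 6, 10)

# Constructed sample records, not real accounts. expires_on=None means
# no expiry was set; last_login=None means the account never logged in.
SAMPLE_ACCOUNTS = [
    {"username": "vendor-a-support", "vendor": "Vendor A",
     "expires_on": date(2024, 12, 31), "last_login": date(2024, 5, 20)},
    {"username": "vendor-b-dba", "vendor": "Vendor B",
     "expires_on": None, "last_login": date(2024, 6, 1)},
    {"username": "consultant-c", "vendor": "Consultancy C",
     "expires_on": date(2024, 3, 31), "last_login": date(2024, 2, 28)},
    {"username": "vendor-d-monitor", "vendor": "Vendor D",
     "expires_on": date(2025, 6, 30), "last_login": None},
]


def audit_third_party_accounts(accounts, today):
    """Return policy findings keyed by type, each a list of usernames.

    missing_expiry: no mandatory expiry date is set on the account
    expired:        the expiry date has passed but the account still exists
    unused:         never logged in, or no login within UNUSED_AFTER
    """
    findings = {"missing_expiry": [], "expired": [], "unused": []}
    for acct in accounts:
        name = acct["username"]
        expires_on = acct["expires_on"]
        if expires_on is None:
            findings["missing_expiry"].append(name)
        elif expires_on < today:
            findings["expired"].append(name)
        last_login = acct["last_login"]
        if last_login is None or today - last_login > UNUSED_AFTER:
            findings["unused"].append(name)
    return findings


def accounts_to_terminate(accounts, today):
    """Usernames whose access should be terminated immediately.

    Expired or unused accounts are terminated. An account that is merely
    missing an expiry date needs one set, so it is reported but not
    terminated here.
    """
    findings = audit_third_party_accounts(accounts, today)
    return set(findings["expired"]) | set(findings["unused"])


if __name__ == "__main__":
    for kind, names in audit_third_party_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{kind}: {names}")
    print("terminate:", sorted(accounts_to_terminate(SAMPLE_ACCOUNTS, AUDIT_DATE)))
```

In practice the records would be exported from the directory or VPN gateway that holds the third-party accounts, and the audit would run on the annual review date required by the policy rather than against constructed data.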

Non-disclosure / Confidentiality Agreement Guideline

Introduction

Confidentiality Agreements must be signed when the (Organization) is considering entering into a business relationship with a third party and there is a need to understand or evaluate each other's business processes, some of which might be proprietary or otherwise sensitive in nature.

Purpose

The purpose of this guideline is to ensure a consistent process for the signing and retention of the (Organization) Information Confidentiality Agreement by all individuals having access to (Organization) confidential information.

Scope

This guideline applies to the (Organization) and to all Third Parties, whether they are vendors, contractors, consultants or outsourced professionals.

Statement of Guidelines

  1. All third parties are required to sign an Information Confidentiality Agreement at the start of their contractual relationship, acknowledging that they understand and will adhere to this policy.
  2. Where a Third Party has direct or indirect access to data or information owned by the (Organization), this information must not be divulged or distributed to anyone.
  3. The (Organization) is committed to providing confidential services to all third parties. The confidentiality is between the third parties and the organization, not the members of staff delivering a particular service.
  4. Documents which contain personal information, including but not limited to names, addresses or telephone numbers, medical records and financial records of (Organization) staff, must be carefully controlled and must not be released or disclosed to any unauthorized individuals or sources.
  5. The agreement should at least address the following:
    • The names of the contracting parties.
    • Which of the contracting parties is obligated to protect the secrecy of the disclosed information: the receiving party, the disclosing party or both (unilateral or bilateral). NDAs may also have more than two parties, in which case the NDA should state which parties are obligated.
    • A definition of what is to be treated as confidential.
    • The term (in years) for which the agreement is binding.
    • The term and conditions (in years) of the confidentiality, i.e. the period for which the information must be kept confidential.
    • Information to be excluded from the NDA, such as information of which the recipient had prior knowledge, information in the public domain, or information subsequently obtained from other parties.
    • Restrictions regarding the transfer of confidential information.
    • Required actions to be taken with the confidential information when the NDA ends.
    • The responsibilities of the recipient concerning the confidential information:
      • Using the information only for the agreed purposes.
      • Revealing it only to people with a need to know the information for those purposes.
      • Using appropriate efforts (not less than reasonable efforts) to keep the information secure. Reasonable efforts are often defined as a standard of care for confidential information that is no less rigorous than the one the recipient uses to keep its own similar information secure.
      • Ensuring that anybody to whom the information is revealed further abides by obligations restricting use, restricting disclosure, and ensuring security at least as protective as the agreement.
    • Types of permitted disclosure, such as those required by law or court order.
    • The law and jurisdiction that the parties choose to govern their agreement.

Contact info

+218 21 361 4277

Albareed, Tripoli, Libya

All Rights Reserved Nissa © 2021