Third Party Access Policy (3PAP)

(Insert 3rd Party Company name and address)

Hull City Council

Business Support, ICT.

Implementation Date: May 2007

Revised: November 2011

Updated: April 2013

06.09a HCC-ISM Third Party Access Policy PROTECT - Network

Revision History

Date / Issue / Summary of Changes
27th October 06 / 1.0 / Initial draft
6th March 2007 / 1.1 / Revised to include partner access, GB.
6th May 2007 / 1.2 / Revised to include IGT amendments, CB
16th Sept 2009 / 1.3 / Revised to include CoCo requirements, ACS
19th April 2010 / 1.4 / Edited layout and updated references, ACS
5th May 2010 / 1.5 / Further editing for clarification, ACS
25th May 2010 / 1.6 / Updated references to 2FA and Protective Monitoring, ACS
10th Nov 2011 / 1.7 / Updated references to 2FA GB
23rd April 2013 / 2.0 / Review and re-write. GB.

Approvals

Name / Title / Date of Issue / Issue

Distribution

Name / Title / Date of Issue / Issue

Ref: Version 1.7 Page 3 of 3

Date: 10th Nov 2011


Table of Contents

1 General Policy

1.1 Introduction

1.2 Scope

1.3 Permitted Third Party Access

1.4 Access Requests

1.5 Third Party Remote Access User Agreement

1.6 Risk Management

1.7 Unique Authentication

1.8 Host Security

1.9 Remote Access by Third Parties

1.10 Acceptable Usage Policy

1.11 Third Party Workstations

1.12 Third Party Management

2 Agreement

2.1 Introduction

2.2 Access Requests

2.3 Access Details

2.4 Security Conditions


1 General Policy

1.1  Introduction

1.1.1 The purpose of this policy is to define standards for all Third Parties seeking to access the Hull City Council (HCC) network, systems, data or any devices attached to the network. It includes partner access, where the Third Party is defined as a partner using the Authority's network to access their own resources via network links supplied and maintained by the Council, or any partner not employed directly by the Council who uses the Council's systems and network.

1.1.2 This policy is designed to minimise the potential exposure of the Council and its partners to risks associated with Third Party Access. In the case of access to personal information, this form should be supported by reference to the Partnership Toolkit (Personal Information Sharing section), the Personal Information Handling Policy and the Personal Information Access Arrangements Form.

1.2  Scope

1.2.1 This policy applies to organisations, third party support system suppliers and Council partners requiring remote or direct access to the Council network, data or devices attached to the network or using the Council’s network to access their own systems and resources.

1.2.2 Third parties are defined as any individual, Council partner, group, contractor, vendor or agent not wholly owned by the Council. Third Party Access is defined as all local or remote access to the corporate network, systems, data or devices attached to the Authority's network for any purpose.

1.2.3 This policy applies to all types of third party, e.g.:

·  individuals

·  trading partners (including agents, joint ventures etc.)

·  clients or customers

·  suppliers of products, services and information

·  suppliers of remote systems support and maintenance

·  vendors

·  agents not wholly owned by the Council

·  external auditors

requiring remote or direct access to the HCC network, data or devices attached to the network or using the Council’s network to access their own systems and resources.

1.2.4 The policy does not cover:

·  remote access by staff

·  long-term contractors working from home (they are considered to be the equivalent to employees)

·  outgoing access by staff to third party systems or services (such as the Internet)

·  information systems which support unrestricted public areas, such as WWW pages and electronic mail services.

1.3  Permitted Third Party Access

Third Party Access to the Council’s network may be made for administrative support purposes or to access the third party’s own resources electronically and may include a Council partner not employed directly by the Council who has remote or direct access to the Council’s systems and network.

1.4  Access Requests

Requests to allow access to the Council’s network or attached devices must meet the following criteria:

1.4.1 An initial request for third party access must be formally authorised by the relevant responsible System Owner (sponsor) or Senior Manager within ICT & eGovernment as a Request for Change (RFC) via the Service Desk.

1.4.2 Appropriate risk assessment of the requirements will be undertaken by the System Owner in conjunction with the relevant Service Area Information Asset Owner in line with best practice (ITIL and ISO27001). This may need to include carrying out a Privacy Impact Assessment to ensure that the utilisation of the data concerned is appropriate for the purposes required.

1.4.3 The System Owner will act as the sponsor for the Third Party where there is an approved need for Third Party Access.

1.4.4 Security controls will be agreed and defined in a contract with the third party as detailed in section 1.5.

1.4.5 Access to the Council network facilities by third parties will not be provided until the appropriate measures have been implemented and a contract signed defining the terms for the connection.

1.4.6 The owners of all links into HCC systems must ensure that any systems connections they maintain do not affect HCC systems.

1.4.7 Virtual Private Networks (VPN) access will be using appropriate standards and technical solutions as defined by HCC ICT technical staff.

1.4.8 Third party users will be restricted to the minimum services and functions necessary for the process and these must be defined for each such connection.

1.4.9 Third parties will only access HCC systems using hardware, software and operating systems approved by HCC ICT Staff. All firmware, hardware, software and operating systems used to access HCC systems must be patchable, up to date with the latest security patches and running antivirus software loaded with up-to-date virus signatures.

1.4.10 For support access, the System Owner (sponsor) will be expected to notify the Service Desk once the work has been completed.


1.4.11 Where possible, the system/application being accessed by a third party is to be segmented from other systems/applications using firewall techniques. If this is not possible, then strict auditing will be applied to the users to ensure that no unauthorised activity goes unnoticed. Any audit logs produced will be reviewed frequently.

1.4.12 Appropriate protective monitoring techniques will be applied in accordance with the Council's requirements to adhere to the PSN Code of Connection (CESG GPG 13), depending on the sensitivity of the data involved in the transactions.

1.4.15 With the exception of those requiring only electronic mail access, each individual third party user of access services will be identified and authenticated using a strong authentication mechanism before access is allowed.[1]

1.4.16 Access requests involving regular access to personal information (i.e. partnership arrangements) must be supported, in the case of other public organisations, by a protocol or, in the case of private, voluntary or charitable organisations, by a written signed agreement (contract or SLA). See the Partnership Toolkit or IGT for further information.

1.4.17 HCC may require Third Parties to undertake appropriate Information Security Awareness training sessions and to sign up to the HCC Acceptable Usage Policy (AUP) and HCC Personal Commitment Statement (PCS).

1.4.18 Access by the third party, if not covered by a protocol or written agreement (contract), will be the subject of an access request on each occasion. If necessary, procedures for this will be agreed in writing (or by encrypted email) between the parties and attached to this agreement. The Supplier shall comply with such procedures at all times.

1.4.19 Third party access must be permitted only to the facilities, services and data which are required to perform the specified tasks, as outlined by the System Owner (sponsor) in the original request for access. In the case of VPN access, hosts and network protocols will be agreed in advance and filters will be applied to prevent all other access.

1.4.20 Remote access must be requested in advance by the Third Party or System Owner (sponsor) via the Service Desk, quoting the 3rd Party agreement number and highlighting any changes and risks.

1.4.22 The Council reserves the right to monitor activity and revoke access.

1.4.23 Third party access will be governed by formal agreements. These will:

a)  define clearly the service level commitments to the third party

b)  identify responsibilities in both parties, including security management and administration of third party access to limit the liabilities of HCC

c)  require both parties to comply with any necessary security standards and procedures

d)  define how wilful or negligent disregard for this policy will be investigated and treated

e)  be legally binding.

1.4.24 The Third Party Agreement must be signed by all third parties prior to access being given.

1.5  Risk Management

1.5.1 HCC recognises that by providing third parties with access to information systems, risks are introduced through:

·  opening up systems that were previously restricted to internal use

·  losing direct control of the identity and physical location of users of systems

·  the complexity and limitations of technical measures needed to secure external access

·  the obligations on HCC to provide a reliable service to third party users and potential liabilities that arise from this

·  infringement of Data Protection Act rules and regulations

·  inadequate destruction of data.

1.5.4 Controls to mitigate these risks are put in place by virtue of this Policy and the related Agreement.

1.5.5 On completion of the contract the third Party must return or destroy all data belonging to the Council.

1.6  Unique Authentication

1.6.1 In order to ensure individual accountability on network devices and applications, all third parties granted access must be given a unique userid and password.

1.6.2 The third party will at all times be held responsible for any activities which occur on the Authority's networks and applications using this unique userid.

1.6.3 The Third Party is solely responsible for ensuring that any username and password that they are granted remains confidential and is not used by unauthorised individuals.

1.7  Host Security

1.7.1 When a Third Party is logged onto the Council's network, they must not leave the host they are logged onto unattended.

1.7.2 Workstations/laptops that are used to display data should be located in such a way that confidential information is not displayed to unauthorised persons or the general public.

1.7.3 Up-to-date virus checking software and anti-spyware/malware software must be installed on any devices that are being used to access the Council network or attached devices, and these devices must be up to date with relevant operating system patches.

1.8  Remote Access by Third Parties

1.8.1 Responsibilities for security management and administration of third party access will be assigned clearly within both HCC and the third party, and training will be provided where appropriate. An appropriate level of management and technical support will be provided by both parties to ensure that compliance with this policy is achieved.

1.8.2 For each third party connection, the following positions must be appointed:

a)  A Head of Service Area or delegated authority who will be responsible for permitting third party access by authorising the connection on a written authorisation form. This will be carried out in conjunction with the Information Security Manager (ISM).

b)  A System Owner who will have overall responsibility for each third party connection to ensure that the policy and standards are applied. They are also responsible for confirming whether third party access to their systems would be permitted and may prohibit third party access to certain sensitive systems.

c)  A Connection Owner who will ensure that the third party access is implemented, operated and maintained in accordance with this policy and associated standards.

1.9  Acceptable Usage Policy

1.9.1 When using the Council’s systems or networks, all third parties must adhere to the relevant sections of the Council’s ‘Policy on the use of Information Technology’. Such access is restricted and may be monitored. This will be supplied to Third Parties by the System Owner.

1.10  Third Party Workstations

Where Third Parties use PCs or laptops not owned or managed by the Council to access resources on the Council's network and systems, Third Parties must ensure the following:

·  Operating Systems should be fully up-to-date with patches.

·  Anti-virus software should be fully up-to-date with patches and virus definitions.

·  Anti-spyware/malware software should be fully up-to-date with patches and malware definitions.

1.11  Third Party Management

1.11.1 A central list of authorised third party users will be maintained and reviewed regularly to confirm a continuing organisational need.

1.11.2 This will include as a minimum the following:

·  third party connected

·  location

·  to which organisational area

·  number of users

·  system accessed

·  domain/applications available via this system

·  protection methods in use to protect connection/time

·  protection methods in use to protect domain/other application use

·  protection methods in use to protect organisational sensitive data

·  authorisation by/date

·  review date.

1.11.3 When the organisational relationship with the third party ceases, or third party access is no longer required, authorisation for third party access will terminate and any connecting hardware and/or software must be removed from the system.

1.11.4 Appropriate accounting and auditing mechanisms will be implemented by the service areas to assist with identifying and investigating potential and actual security breaches.

1.11.5 The third party connection may be disconnected without notice if a breach of security is suspected or if the connection is interfering with normal operation of the production systems.