Third Party IT Service Policy

Version: 1.00Issue Date: 4/6/2015

This Third Party IT Service Policy specifies requirements that third party vendors must meet to sell services to the organization. This Third Party IT Service Policy also specifies responsibilities for managing third party IT service and management methods required.

1.0 Overview

This Third Party IT Service Policy will help ensure the quality of third party IT services by specifying management methods and requirements.

2.0 Purpose

This Third Party IT Service Policy is intended to ensure a consistant quality in third party IT services including the security aspects of the provided service.

3.0 Scope

This Third Party IT Service Policy applies to any and all use of third party IT service organizations used by any part of the organization directly or indirectly. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Third party Organization Requirements

  1. The third party must agree to abide by organizational policies.
  2. The third party must share descriptions of their policies they use to manage the service they provide to the organization.
  3. The third party must share their security control information by use of a non-disclosure agreement with the organization so the organization knows the security measures implemented by the third party and can be sure they meet the business needs.
  4. The third party must have an independent audit performed at least once per year to show they are complying with stated policies and security controls.
  5. The third party must ensure that any computers connected to the organizational network or containing organizational data follow the Patch Management Policy, Virus Protection Policy and System Lockdown Policy.

5.0 Management Responsibilities

  • The management of the part of the organization that wants to utilize third party service must provide a written business case justifying the use of the third party service.
  • The management of the organization that uses third party service must ensure that the third party complies with this policy.
  • For outsourced applications or systems, the management of the section using the third party service must ensure that a security risk assessment is done before the contract is implemented. The assessment will determine required controls.
  • The management of the section using the third party service must establish and document the roles and responsibilities of individual positions responsible for managing contracts and managing service supplier relationships. These roles should be assigned based on qualifications combined with previous experience.
  • The management and communication structure between the third party and our organization must be defined and documented. A contract manager should be appointed to interface with the supplier regarding matters about the contract.
  • The management of the section using the third party service is responsible for being sure the delivery and quality of service delivered by the third party is adequate for the business need. Management at the enterprise level of the organization may overrule the management of the section involved if they believe the costs are too high, the third party is not sufficiently complying with policy, there are overriding security concerns, or the third party is not delivering reasonable quality.
  • Those who have the authority to approve and sign contracts for the orgainzation are identified in advance. The maximum contract amount each person who can approve contracts have must be specified and appropriately communicated.

6.0 Contracting Process

  • The contracting process must provide an ability to determine whether potential suppliers can deliver the service being bid on. The ability of the supplier to meet the terms of the contract over the life of the contract should be considered.
  • A request for proposal process should be created for bidding on contracts.
  • Reference checks should be used to get more information about bidders to assess whether they can deliver the proposed deliverables and the potential quality of their work.
  • Financial and technical factors about the bidders should be considered which may affect their ability to meet the terms of the contract.
  • Before the bidding for a contract is begun, a scoring system should be created which can be used to get a good indication about whether the contractor understands the technical requirements and can provide the proper service.
  • Based on communication with the potential contractors when the contract proposal phase is happening, additional evidence about the ability of the contractor to provide the proposed service should be gathered and assessed.
  • Any additional material should be used to determine the potential contractor's ability to provide the services proposed and their history of quality should be considered when merited factual information can be found. Use of the internet, the contractors website, and publically available information where the information found has merit should be considered.
  • The security control environment on the third party equipment or network should be considered when determining who should get the contract. An audit and/or statements of official policy used by the third party organization should be considered.
  • The potential contractor should be given consideration for quality assurance programs that they can prove that their organization has in place.
  • Adherence to industry standards and other independent assessments of quality of deliverables should be used to assess the ability of the potential provider to provide a good quality deliverable.
  • If needed or appropriate, an independent review of the third party should be performed.

7.0 Contract Requirements

  • Management must establish and agree with the third party to specific measurable deliverables including results oriented and time specific goals and deliverables. These goals must be written into the contract. The measureable deliverables must cover service levels which must meet the business need on a continuous basis.
  • Service level agreements must meet business need and be expressed in business terms.
    • The service level agreement should provide required performance metrics which can be measured and are expected to be met by the contractor.
    • The service level agreement must include problem management which classifies the severity of problems based on a business impact rating such as low, moderate, or severe. The time it takes for problem resolution should be recorded. Where applicable, required minimum time for resolution based on the severity of the problem should be specified in the service level agreement.
    • The service level agreement should provide for monitoring of contract performance using policies and procedures. It should be agreed in advance the items to measure along with how and when the measurements are made. The contractor should be able to create a process to measure performance and provide reports to show how their performance rates compared to the service level metrics. The reports provided by the contractor are evaluated and their accuracy is determined by the organization.
    • The contractor should meet regularly with organizational members managing the contract including stakeholders in the business process. During meetings, the effectiveness of the contract im meeting the organizational business goals should be evaluated. Operational, control, legal, and financial issues with the contract should be evaluated.
    • The costs and service levels should be compared to market costs and expected service levels in the industry.
  • The contract should allow for changes to the service level agreement when there is a chance that the business requirement may change during the life of the contract.
  • The contract should specify incentives or penalties for meeting or failing to meet specific key performance indicators (KPIs). A combination of organizational policies and the contract must specify and document penalties and incentives relative to the service delivery to be delivered to the organization by the third party. Penalties must be actively enforced and incentives must be promptly provided as agreed.
  • The contract must specify any action required at the end of the contract period such as transition support of the project to someone else whether the contract is terminated on schedule or terminated early.
  • The contract must include specific security, audit, and control requirements that must be met by the contractor.
  • The contract must specify confidentiality, integrity, and availability requirements for the data and system. If laws apply including laws applying to data privacy, this compliance must be required.
  • Costs must be agreed to between organizational management and the third party and included in the contract. Any payment schedule with required deliverables must be included in the contract.
  • Any limitation of liability must be included in the contract, reviewed by qualified law staff, and agreed to by organizational management.
  • The contract must contain nondisclosure agreements as are appropriate between both the contractor and our organization and our organization and the contractor.
  • Terms of contract termination and contract modification must be provided in the contract. The contract must define any circumstance that would be a breach of contract on the part of the contractor and allow for termination of the contract if that circumstance occurs.
  • The contract must consider the possibility that the supplier will be taken over by another business or go out of business. A strategy for continuing the service if these situations materialize must be a part of the contract.
  • The contract must require the third party to comply with this policy and all organizational security policies and relevant standards such as software standards.
  • The contract must specify minimum levels of documentation or reference documentation standards. All documentation must be made available to the organization.
  • Contracts must be approved by authorized members of management and by qualified legal staff.
  • Contracts should normally specify that the organization may obtain independent audit reports of audits, specifically security audits, to the third party that apply to the services provided.
  • Contracts should allow penetration testing by or on behalf of our organization against systems providing service to our organization.
  • The contract considers alternate suppliers in the event that the contractor fails to provide service. Standby agreements for service should be put in place where continuity of service is critical to the business.
  • Contractors that work on or have access to organizational systems, networks, or data, or create systems must agree in writing and as part of the terms of their contract to comply with all organizational policies and all security policies and procedures. Penalties for non-compliance should be specified in the contract. Third parties are not given accounts and passwords until they have agreed in writing that they understand and will comply with security policies and have signed a nondisclosure agreement.
  • Contracts must specify that the contractor must comply with all policies, laws, and regulations that apply for all contracts without exception. Contracts must expect compliance regardless of the type of work whether it is onsite work or offsite creation of a product.
  • Contracts should specify applicable policies, laws, and regulations.

8.0 Software Contract Requirements

  • When software is developed, all source code must be owned by our organization or code not owned by our organization must be placed in software escrow so that if the contractor goes out of business our organization will still be able to maintain the software. Circumstances under whish the excrowed software would be released must be defined and should include poor service response times which are defined, business termination, and not fulfilling the obligations of the maintenance agreement. This is especially true of business critical software.
  • If software is purchased with a license agreement from a third party, a fixed support contract must be established at the time of purchase. An annual maintenance fee may be negociated for support services. Items covered by the support contract should be specified and may vary depending on the business need. Software enhancements, bug corrections, consultations, user training, technical training, and maintenance should be considered.
  • If the contractor developing software outsources their work to another third party, the contract should require any deliverables to the approval and review of the business stakeholders. The subcontractor must be held to the minimum standards of our organization's policies, procedures, and the contract.
  • Any third party that is testing software with confidential data must guarantee that the data will be kept securely and confidential.
  • When the finished software cannot be owned, broad licensing rights of the software must be obtained.

9.0 Service Contract Requirements

  • This policy requires service providers to be contractually obligated to provide an initial accreditation report and a report on a yearly basis. Re-accreditation or must be done annually. The report must meet one of the following:
    • The accredidation must be performed by someone acceptable to the service provider and our organization.
    • The service provider can provide a SAS70 type II report for their service.
    • The service provider's internal audit team is allowed to provide a report but our organization may inspect the supporting working papers of the auditors.
  • A procedure for measuring the effectiveness of the service must be created and utilized.
  • This policy requires that service providers keep our organization informed about the status of any control exceptions found lacking in any certification/accreditation report.
  • The service provider must provide confirmation of compliance with laws, contracts, and regulations annually. The contract must provide for termination if noncompliance with law, regulations, or contracts is found.
  • Contracts with service providers allow the organization to review the service provider's effectiveness. The contract requires access to information or the providers facilities utilizing an agreed upon process for the purpose of conducting thorough reviews.

10.0 Work Requirements

  • Third parties may not begin work until the required contract is agreed to and signed by all parties.
  • A process for resolving problems (technical or administrative) with the contractor working on the contract should be created. Issues should be logged.
  • User feedback about service levels should be periodically obtained using a mechanism set up at the time the contract was written or created as required by the contract.

11.0 Project Completion

  • A qualified technical person, engineer, or architect is appointed with creating an inspection plan for inspecting and testing the completed project or inspecting the facility. The person performing the testing or inspection must provide a statement that the project is complete with the results attached. The work is not accepted without a valid statement of completion.
  • All documentation, warranties, certifications, and other deliverables and information as required by the contract must be obtained before the work is accepted and final payment is made.
  • Testing is based on acceptance test plans and the project plan must allow ample time for proper testing. Staff with the proper expertise must perform the testing.
  • Testing must consider the production environment and simulate production workloads.
  • A test report must be created reporting the results of the tests. The report will determine whether the deliverable complies with the specifications and contract requirements.

12.0 Enforcement

Since proper third party service and relationships are important for the operation of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative. Any third party that violates this policy may be subject to financial penalties including but not limited to termination of their contract or contracts.

13.0 Other Requirements

  • Policies and procedures for preparing contracts with third parties must be developed. The procedures must include an ability for the legal department to review the contract, the technology and computer security department must review and evaluate the contract, and the purchasing department must review the contract.
  • A contracting process must be written which covers the system and methods used to allow contractors to bid fairly for contracts and determine the best but not necessarily the lowest cost bidder.
  • A process for resolving problems (technical or administrative) with contractors should be created.
  • Policies and procedures for measuring contract performance must be created.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________