Third Party Identification Policy

Version: 1.00Issue Date: 3/3/2015

This Third Party Identification Policy specifies the requirements for third party organizations to work on projects for the organization. It also specifies requirements for identifying third parties that connect electronically.

1.0 Overview

This Third Party Identification Policy will help ensure security by making sure third party organizations providing project support or services to the organization follow appropriate policies. It will also ensure that third parties connecting electronically are adequately identified.

2.0 Purpose

This Third Party Identification Policy is intended to ensure quality of services and project support to the organization by third parties. It also ensures that third parties are adequately identified when connecting electronically to the organization.

3.0 Scope

This Third Party Identification Policy applies to all third parties including vendors, contractors, and business partners. This policy applies to any external organization that manages or delivers application capabilities, hosting services, or manages/supports applications or systems that are located on organizational facilities. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Project/Service Requirements

The below requirements are for contractors and third parties that will work on projects, host services for the organization, work on organizational systems, or possess organizational data.

  • The project must be appropriate and it must be prudent to utilize third party services to support the project.
  • The third party must comply with this Third Party Identification Policy and all other applicable organizational policies including but not limited to:
    • Change Management Policy
    • Server Monitoring Policy where applicable.
    • Patch Management Policy where applicable.
    • Virus Protection Policy where applicable.
    • Approved Application Policy where applicable.
    • Third Party IT Service Policy
    • Development Life Cycle Policy where applicable.
    • Contracting Policy
    • Software Standards Policy and Specification where applicable.
    • Application Implementation Policy where applicable.
  • A risk assessment must be completed for all applications or services to be outsourced prior to completion or implementation of the contract for services. Controls required by the risk assessment must be implemented by the third party.
  • Third parties providing hosting services or other services which will hold organizational data must provide copies of policies and controls used to protect organizational information on their servers or in their facility.
  • The third party providing services must agree to have regular audits performed by the organization or by independent auditors to be sure apporpriate controls and policies are in force.
  • When systems or applications are hosted at our organization and the third party supports the system or application, the third party must comply with the Remote Access Policy and other access control policies when on organizational premises such as the Password Policy and Network Login Policy.
  • Any third party managed computers that are connected to our organizational computers or networks must be patched according to the Patch Management Policy and protected against viruses according to the Virus Protection Policy.
  • Any third party managed computers that are connected to our organizational computers or networks must comply with the Approved Application Policy including remote control software.

5.0 Third Party Identity Requirements

When a third party is connecting to the organizational network or organizational resources remotely, they must be properly identified to ensure security. This includes connections by business parties used to exchange data. The following are required:

  • The credentials (certificate) of a connecting third party must be verified by a registration authority before data may be exchanged.
  • A certification authority must be used to certify that a third party is authentic.

6.0 Enforcement

Since proper identification of third parties and service management is critical for protecting the security of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________