5.1. Definition of Terms
A third party is defined as any individual or organisation that is not an employee of the Fund who
requires access to any aspect of the Fund's ICT infrastructure for a specified purpose. Third parties are
individuals and organisations which fall into the following categories. These will include, but are not
limited to:
Contracted staff
a) Hardware and software maintenance and support staff
b) Cleaning, catering, security guards and other outsourced support services
c) Temps (e.g. NYSC, IT) and staff that are not employed through the Fund's contract
Trusted Partners
Staff or organisations working with the Fund for a specific purpose (e.g. NIDTA).
Network/Operational Device
Any item that forms part of the infrastructure of the Fund's network; this includes servers, routers,
firewalls and PCs. This list is intended as a representative sample and is not exhaustive.
Sensitive Data
Sensitive data is defined as either personal data or the Fund's proprietary information.
Remote Access
For the purposes of this document, remote access is defined as any form of access obtained from an
external location.
5.2. Introduction
In order to ensure that the Fund provides a secure and robust ICT service, it is essential that Third
Party access to key operational devices and/or systems is conducted through a robust framework that
ensures that:
- access is permitted through a mechanism that ensures appropriate controls are in place to
  restrict access to authorised Third Party organisations only;
- any changes that are conducted are done so in accordance with the Fund's management and
  administrative policies;
- there is a robust accountability framework present.
It is the responsibility of Trust ICT staff to ensure that this policy document is adhered to when
enabling access for ANY third party individual or organisation.
Third Party Organisation
It is the responsibility of all third party organisations to:
- abide by the controls detailed within this document;
- sign and comply with all agreements, e.g. the Non-Disclosure Agreement;
- comply with the standards detailed within the Fund's ICT Security Policy and ensure that a
  robust information security infrastructure is implemented and adhered to within their own
  organisation;
- ensure that each access session is used solely for the agreed purpose for that connection.
5.3. Objectives
This document details the control mechanism for enabling legitimate access by a third party to the
Fund's ICT infrastructure. The implementation and maintenance of these controls will ensure that the
Fund is able to:
- manage risk from third party access;
- ensure a secure technical environment through the control of access;
- manage the connection life-cycle;
- restrict access to authorised parties only;
- limit liability.
5.4. Scope
This document applies to all third party organisations that access the Fund's ICT infrastructure on-site or
remotely. Third Parties requiring administrative access to the Fund's ICT Infrastructure include but not
Policy Statements
Accessing the web-based solution via an account not belonging to the individual may result in
disciplinary action.
Any remote access to the Fund infrastructure will be via the Fund's Remote Access System; a
connection to the Fund's network will then be established with all traffic passing through the
Fund's firewall.
Access Restrictions
Any Third Party access session MUST only occur when prior approval has been provided by the
Fund.
Unauthorised access may result in further action being taken against the third party in question.
Access Monitoring
Each access session must have a member of the appropriate Fund ICTD monitoring the activity
of the third party. In the event of the third party accessing sensitive data, a recording of the
session will be maintained.
Failure to comply with this requirement may result in disciplinary action.
Termination of Access
The Fund reserves the right to terminate any remote access session without prior notice.
Access may also be terminated if an unauthorised session is detected. These sessions will be
terminated as soon as it is established that there will be no adverse impact upon the system
that is currently being accessed.
Outbound Communications
It is accepted that during a physical visit to the site, there may be a requirement for a third party
to remotely connect to their organisation's network whilst connected to a device belonging to the
Fund. Any such connection will be bound by the contents of this policy in a non-disclosure
agreement, and it is incumbent upon the third party
Audit Lifecycle
All third party access sessions will be subject to a full and comprehensive audit trail as per the
Fund's Monitoring Policy.
Reports
Reports will be produced on a regular basis in order to facilitate audit requirements. These
reports will be stored for an appropriate period of time to ensure that they are available in the
event of an incident. The reports will be reviewed monthly by appropriate ICTD staff.
Contractual Obligations
Any third party requiring remote access to the Fund's systems must sign and abide by the Non-Disclosure
Agreement. Failure to sign and comply with the requirements of these documents will
prevent access from being obtained by the Third Party.
These documents may be substituted with other formal documents providing that they match
the Fund's requirements. The Director ICTD should be consulted in those instances.
All agreements will be reviewed on a regular basis to ensure that they are both accurate and
appropriate. A physical copy of the agreement will be retained by both the third party and the
Fund.
Granting Access to Contract Staff
Where contract staff (e.g. outsourced support staff or consultants) require access to the Fund's
network in order to carry out their role, the following steps MUST be taken:
ICTD Director must request an account to be created
The Director must understand the contractual arrangements in place for outsourced staff and
consultants. The Director, or their nominated representative, must log a work request and complete a
Non-Disclosure Agreement, which must be signed and attached to the work request.
ICTD Director must confirm when access is no longer required
It is the responsibility of the Director to give notice when access is no longer required by the contracted staff.
TRUSTED PARTNERS
If the Fund works closely with a partner organisation, and in some cases the partner's staff work on the
Fund's premises, these staff will be considered to be Trusted Partners. These staff are not directly
employed or managed by the Fund and are not signed up to the Fund's Code of Conduct. They are not
subject to the Fund's disciplinary procedures. Therefore, there is a high degree of risk associated with
account management for these staff.
ICTD Director must act as sponsor for trusted parties
The Director must understand the contractual arrangements in place for Trusted Partners. The Director,
or their nominated representative, must log a work request and complete a Non-Disclosure Agreement,
which must be signed and attached to the work request.
ICTD Director must confirm when access is no longer required
It is the responsibility of the Director to give notice when access is no longer required by the Trusted Partners.
Third Parties Requiring Administrative Access
When the Fund sets up an account for a third party, we need to understand the risk, manage the
account carefully and keep it open for no longer than necessary. The accounts are set up in
order for a third party to provide technical support or consultation, and as such they often
involve a high level of access.
This access requires a detailed risk assessment, focusing on the nature of the data that the third party
will have access to and the risks that this may present to the Fund in the case of loss or
mismanagement.
The system owner of the particular system is the person best placed to understand the data and risk
around each system, and we will continue to ask the system owner to complete this form.
These accounts will then be set up by ICTD but must be open only for the MINIMUM amount of time
necessary.
The following policy statements MUST be adhered to:
Fund can assess the risk to its ICT systems and information.
(see sample form in Appendix II). Any risk assessment must provide at least the information set out in
this template. All risk assessments must be in writing, signed by the system owner, and provided to
ICTD, who will maintain a copy of these for reference.
Third parties must sign a Third Party Network Access Agreement
Third party access to the Fund's network potentially exposes the Fund infrastructure to risk and
therefore there must be an agreement in place that assures the Fund that the service being provided
meets the Fund's security standards.
Third parties must maintain an activity log when connected to the Fund
The Third Party must maintain a log of activity when connected to the Fund network and will need to
retain this log for a period of six months. Remote access software must be disabled when not in use.
All third parties must conform to Fund security policies
To help make sure that a third party does not put the Fund's ICT equipment or information at risk, they
must conform to the Fund's security policies, which are set out in the ICT Security Policy Framework.
These policies are available (state the means of accessing the policy) prior to accessing the network.
Only authorised connection methods must be used
Only approved ways to connect remotely to the Fund's systems must be used. This makes sure that
the Fund's security solutions cannot be bypassed. Please refer to this policy itself and specifically the ICT
Security Policy for more details of approved access methods. If further clarification is required, third
parties should contact the ICTD.
Third parties must notify any changes to their connection
All third party connections must have a clearly defined change management process. This helps the
Fund to have confidence that any security controls that have been put in place are being maintained.
Any changes to suppliers' connections must be immediately sent to ICTD so that access can be
updated or ceased.
The Fund will inform third parties of network configuration changes
System owners will be informed of any changes to the network configuration and access controls that
will affect access to the network. ICTD will be responsible for coordinating this with system owners and
will rely upon system owner information held.
Third parties must inform the Fund about any security incidents
An ICT Security Incident is an adverse event that has caused or has the potential to cause damage to
the Fund's assets, reputation and/or personnel. Incident management is concerned with intrusion,
compromise and misuse of information and information resources, and the continuity of critical
information systems and processes. Please refer to the Incident Management Policy (state the
means/method of accessing the policy).
A central register of all third party connections must be maintained
A central register of all third party connections will help the Fund to better manage third party security
access. This information will be provided on the network access form, which should contain at least the
following information:
a) Description of the service
b) Key contacts at the Fund for the service
c) Key contacts at the third party for the service
d) Start date for the service
e) Expected life span of the service
f)
5.6. Sanctions
(help from ITF personnel)
5.7. Procedures
(embedded within policies)
5.8. Others
APPENDIX I
This form is to request access to the Fund's network and must be completed by the system owner
before the Third Party is provided with access to the Network.
System owner information
Name of System
Job title
Telephone
Budget code:
Signature
Name of Third Party (company name)
APPENDIX II
RISK ASSESSMENT TEMPLATE
As part of the ITF ICT Third Party Policy a risk assessment must be carried out before allowing any
network connection to any third party. It is the responsibility of the named system owner to ensure that
this risk assessment is undertaken. In undertaking the risk assessment, the type of access required
and the data that will be available to the third party needs to be understood. In addition, the details
about how the third party will secure their ICT equipment and networks must also be understood. Once
this information has been collected the ICTD can assess the risk to its ICT systems and information.
The following needs to be completed as part of this risk assessment
a) A scope of the assessment itself
b) A description of the participants in the assessment
c) System information
d) Data being accessed by the system
e) Overview of the users
f) A vulnerability statement
g) A threat statement
h) An overall RISK MATRIX
i) An overall conclusion
Participant (name(s))
3. SYSTEM INFORMATION
IT System ID
System Common Name
System owner: Full name
System owner: telephone
System owner: email
Physical Location
Major Business Function
Other Relevant Information
IT System Description and Components
IT System Interfaces
Sensitivity classification (Critical, Significant, Minor, Negligible)
Description
Classification Description
Critical
Loss of this information will usually cause the degradation of vital service(s) for a
large number of users, involve a serious breach of network security, affect mission-critical
equipment or services, or damage public confidence in the government.
E.g. targeted attacks or loss of a publicly available online service.
Significant
Loss of this information is likely to impact a smaller group of users, disrupt non-essential
services, breach network security policy, or affect the respect of government
bodies and services.
E.g. website defacement or damaging unauthorised changes to a system.
Minor
Loss of this information can be capably handled by local IT support and security
officers and does not require GovCertUK assistance, although GovCertUK should be
notified of its occurrence. This aids the correlation of similar events, furthers the
understanding of the IT security challenges facing government and may raise
awareness of new attacks.
E.g. an unsuccessful denial-of-service attack or the majority of network monitoring alerts.
Negligible
Loss of this information will not necessarily need to be reported since these are of
limited impact or those affecting only a few users. This sort of event would include
receipt of isolated spam or anti-virus alerts, minor computer hardware failure, loss of
How users access the system and their intended use of the system
6. VULNERABILITY STATEMENT
A comment about the vulnerabilities of the system and the setup of the system with particular attention
to how this is affected by having third party connection to the system.
List of vulnerabilities
Description
Mitigation
7. THREAT STATEMENT
A comment about the threats facing the system, regardless of third party connection to it and then a
consideration of how these are impacted by having third party access to the system.
List of threats
Description
Mitigation
RISK MATRIX
The risk matrix flows from the information gathered from the preceding seven steps and should result in a list of risks with an overall risk
statement for each. The focus of the risk matrix is to examine what impact third party access has on the system. It is worth being very
realistic and comparing this to an ideal scenario where the system was very contained.
No. | Risk Observation | Threat / Vulnerability | Existing controls | Likelihood (H/M/L) | Impact (H/M/L)