
Section 12: Third Party Policy

5.1. Definition of Terms

A third party is defined as any individual or organisation that is not an employee of the Fund and
that requires access to any aspect of the Fund's ICT infrastructure for a specified purpose. Third
parties are individuals and organisations that fall into the following categories, which include, but
are not limited to:
Contracted staff
a) Hardware and software maintenance and support staff
b) Cleaning, catering, security guards and other outsourced support services
c) Temporary staff (e.g. NYSC, IT) and staff who are not employed under a Fund contract
Trusted Partners
Staff or organisations working with the Fund for a specific purpose, e.g. NIDTA.
Network/Operational Device
Any item that forms part of the infrastructure of the Fund's network; this includes servers, routers,
firewalls and PCs. This list is intended as a representative sample and is not exhaustive.
Sensitive Data
Sensitive data is defined as either personal data or the Fund's proprietary information.
Remote Access
For the purposes of this document, remote access is defined as any form of access obtained from an
external location, i.e. from outside the Fund's own network.

5.2. Introduction

In order to ensure that the Fund provides a secure and robust ICT service, it is essential that third
party access to key operational devices and/or systems is conducted through a robust framework that
ensures that:
a) Access is permitted only through a mechanism with appropriate controls in place to restrict access
to authorised third party organisations;
b) Any changes made are carried out in accordance with the Fund's management and administrative
policies;
c) A robust accountability framework is in place.
It is the responsibility of Fund ICT staff to ensure that this policy document is adhered to when
enabling access for ANY third party individual or organisation.
Third Party Organisation
It is the responsibility of all third party organisations to:
a) Abide by the controls detailed within this document;
b) Sign and comply with all agreements, e.g. the Non-Disclosure Agreement;
c) Comply with the standards detailed within the Fund's ICT Security Policy and ensure that a
robust information security infrastructure is implemented and adhered to within their own
organisation;
d) Ensure that each access session is used solely for the agreed purpose of that connection.

5.3. Objectives

This document details the control mechanism for enabling legitimate access by a third party to the
Fund's ICT infrastructure. The implementation and maintenance of these controls will ensure that the
Fund is able to:
a) Manage the risk arising from third party access;
b) Ensure a secure technical environment through the control of access;
c) Manage the connection life-cycle;
d) Restrict access to authorised parties only;
e) Limit liability.
5.4. Scope

This document applies to all third party organisations that access the Fund's ICT infrastructure,
whether on-site or remotely. Third parties requiring administrative access to the Fund's ICT
infrastructure include, but are not limited to, the following:
a) External IT support staff
b) Suppliers (including suppliers of IT goods, systems or services)
c) Auditors not employed directly by the Fund
5.5. Policy Statements

5.5.1 Third Party Access Sessions: Internal Session Requests
All requests for third party access sessions must be made to the ICTD Director or, in his absence, a
nominated member of the ICT Division.
5.5.2 External Session Requests
In the event that an access request is received from a third party, the request will be recorded by the
member of the ICT Division who receives it, and access will be granted only for the duration of the
approved session.
Required Information
Whenever a request is made in relation to an access session, the following information must be
recorded:
a) Third party (organisation) name
b) Third party designated personnel: the name of the person who will be connecting
c) Contact details: phone and email
d) Comprehensive reason for access
e) Date on which access is to be facilitated
f) Details of the access session (time/date initiated, performed by, date session terminated, etc.)
Authorised Third Party Organisations
Details of authorised third party organisations will be maintained by the ICTD Support team and
distributed to all relevant parties within the Fund.
Web Based Sessions
Each member of ICTD staff enabling a web based access session will have their own individual
account in order to provide an appropriate audit trail: every session must be traceable to the named
member of staff who enabled it.
Accessing the web based solution via an account not belonging to the individual may result in
disciplinary action.
Any remote access to the Fund's infrastructure will be via the Fund's Remote Access System; a
connection to the Fund's network will then be established with all traffic passing through the
Fund's firewall.
Access Restrictions
Any third party access session MUST only occur when prior approval has been provided by the
Fund.
Unauthorised access may result in further action being taken against the third party in question.
Access Monitoring
Each access session must have a member of the appropriate Fund ICTD team monitoring the activity
of the third party. In the event of the third party accessing sensitive data, a recording of the
session will be made and retained.
Failure to comply with this requirement may result in disciplinary action.
Termination of Access
The Fund reserves the right to terminate any remote access session without prior notice.
Access may also be terminated if an unauthorised session is detected. Such sessions will be
terminated as soon as it is established that doing so will have no adverse impact upon the system
that is currently being accessed.
Outbound Communications
It is accepted that during a physical visit to the site, there may be a requirement for a third party
to remotely connect to their own organisation's network whilst connected to a device belonging to the
Fund. Any such connection will be bound by the contents of this policy and the non-disclosure
agreement, and it is incumbent upon the third party
Audit Lifecycle
All third party access sessions will be subject to a full and comprehensive audit trail as per the
Fund's Monitoring Policy.
Reports
Reports will be produced on a regular basis in order to facilitate audit requirements. These
reports will be stored for an appropriate period of time to ensure that they are available in the
event of an incident. The reports will be reviewed monthly by appropriate ICTD staff.
Contractual Obligations
Any third party requiring remote access to the Fund's systems must sign and abide by the
Non-Disclosure Agreement. Failure to sign and comply with the requirements of this agreement will
prevent access from being granted to the third party.
The Fund's agreement documents may be substituted with other formal documents provided that they
meet the Fund's requirements. The Director ICTD should be consulted in those instances.
All agreements will be reviewed on a regular basis to ensure that they are both accurate and
appropriate. A physical copy of the agreement will be retained by both the third party and the
Fund.
Granting Access to Contract Staff
Where contract staff (e.g. outsourced support staff or a consultant) require access to the Fund's
network in order to carry out their role, the following steps MUST be taken:
a) The ICTD Director must request that an account be created.
The Director must understand the contractual arrangements in place for outsourced staff and
consultants. The Director, or their nominated representative, must log a work request and complete a
Non-Disclosure Agreement, which must be signed and attached to the work request.
b) The ICTD Director must confirm when access is no longer required.
It is the responsibility of the Director to notify ICTD when access is no longer required by the
contracted staff, so that the account can be disabled.
TRUSTED PARTNERS
Where the Fund works closely with a partner organisation, in some cases the partner's staff work on the
Fund's premises. These staff are considered to be Trusted Partners. They are not directly
employed or managed by the Fund, have not signed up to the Fund's Code of Conduct and are not
subject to the Fund's disciplinary procedures. There is therefore a high degree of risk associated with
account management for these staff.
a) The ICTD Director must act as sponsor for Trusted Partners.
The Director must understand the contractual arrangements in place for the Trusted Partner. The
Director, or their nominated representative, must log a work request and complete a Non-Disclosure
Agreement, which must be signed and attached to the work request.
b) The ICTD Director must confirm when access is no longer required.
It is the responsibility of the Director to notify ICTD when access is no longer required by the
Trusted Partner, so that the account can be disabled.
Third Parties Requiring Administrative Access
When the Fund sets up an account for a third party it must understand the risk, manage the
account carefully and keep it open for no longer than necessary. These accounts are set up in
order for a third party to provide technical support or consultation, and as such they often
involve a high level of access.

This access requires a detailed risk assessment, focusing on the nature of the data that the third party
will have access to and the risks that this may present to the Fund in the case of loss or
mismanagement.

The system owner of the particular system is the person best placed to understand the data and risk
around each system, and the system owner is therefore required to complete the Third Party Access
Form (Appendix I) and the accompanying risk assessment (Appendix II).

These accounts will then be set up by ICTD but must remain open only for the MINIMUM amount of time
necessary.
The following policy statements MUST be adhered to:

Third parties must have a contract with the Fund
It is necessary for any third party organisation seeking access to the Fund's ICT infrastructure to have a
signed contract with the Fund.
Third party access must be disabled by default
Third parties, including suppliers of systems, must have their access to Fund systems denied by
default. Thereafter, access to Fund systems must only be enabled for specific, agreed, approved and
documented tasks, and disabled again once the task is complete.
Third party access must be authorised
Partner agencies or third party suppliers must not be given details of how to access the Fund's systems
without permission from ICTD, which will manage all permissions and access methods.
System owners must request third party access to Fund systems
The system owner must request access on behalf of any third party that needs access to a Fund system.
The system owner will therefore need to complete a Third Party Access Form (see the sample form in
Appendix I).
The system owner is the named individual/organisation who is responsible for ensuring that a system is
fit for the business purposes for which the system was acquired, for ensuring that it meets end user
needs (by engaging with them) and for setting the future evolution of the system to ensure that the
system remains aligned to business needs.
System owners must undertake a risk assessment before access is granted
A risk assessment must be carried out for each Fund system before allowing any connection from that
system to any third party. It is the responsibility of the named system owner to ensure that this risk
assessment is undertaken.
In undertaking the risk assessment, the type of access required and the data that will be available to
the third party need to be understood. In addition, the details of how the third party will secure its
own ICT equipment and networks must also be understood. Once this information has been collected the
Fund can assess the risk to its ICT systems and information.
A sample risk assessment template is provided in Appendix II. Any risk assessment must provide at least
the information set out in this template. All risk assessments must be in writing, signed by the system
owner, and provided to ICTD, which will maintain a copy for reference.
Third parties must sign a Third Party Network Access Agreement
Third party access to the Fund's network potentially exposes the Fund's infrastructure to risk, and
therefore there must be an agreement in place that assures the Fund that the service being provided
meets the Fund's security standards.
Third parties must maintain an activity log when connected to the Fund
The third party must maintain a log of its activity when connected to the Fund's network and must
retain this log for a period of six months. Remote access software must be disabled when not in use.
All third parties must conform to Fund security policies
To help ensure that a third party does not put the Fund's ICT equipment or information at risk, it
must conform to the Fund's security policies, which are set out in the ICT Security Policy Framework.
These policies are made available (state the means of accessing the policy) prior to accessing the
network.
Only authorised connection methods must be used
Only approved methods of connecting remotely to the Fund's systems may be used. This ensures that
the Fund's security solutions cannot be bypassed. Please refer to this policy and specifically to the ICT
Security Policy for details of approved access methods. If further clarification is required, third
parties should contact ICTD.
Third parties must notify any changes to their connection
All third party connections must have a clearly defined change management process. This gives the
Fund confidence that the security controls that have been put in place are being maintained.
Any change to a supplier's connection must be notified to ICTD immediately so that access can be
updated or ceased.
The Fund will inform third parties of network configuration changes
System owners will be informed of any changes to the network configuration and access controls that
will affect third party access to the network, so that the third parties concerned can be notified.
ICTD will be responsible for coordinating this with system owners and will rely upon the system owner
information it holds.
Third parties must inform the Fund about any security incidents
An ICT security incident is an adverse event that has caused, or has the potential to cause, damage to
the Fund's assets, reputation and/or personnel. Incident management is concerned with intrusion,
compromise and misuse of information and information resources, and with the continuity of critical
information systems and processes. Third parties must report any such incident to the Fund in
accordance with the Incident Management Policy (state the means/method of accessing the policy).
A central register of all third party connections must be maintained
A central register of all third party connections will help the Fund to better manage third party
access security. This register will be maintained by ICTD and must contain at least the following
information for each connection:
a) Description of the service
b) Key contacts at the Fund for the service
c) Key contacts at the third party for the service
d) Start date for the service
e) Expected life span of the service
f) Emergency handling process for terminating or suspending the service
g) Risk assessment results
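As an added illustration, not part of the Fund's policy and not code from any ITF system, the following Python sketch shows how the controls in this section (access denied by default, enabled only for an approved and time-bounded session, terminated when the window expires, a register carrying fields a) to g), and an audit trail of every event) can be enforced rather than merely documented. Every organisation, name and timestamp in it is constructed for the example.

```python
# Added example (not part of the Fund's policy or any ITF system): a minimal
# third-party connection register that enforces the lifecycle controls above:
# access denied by default, enabled only for an approved, time-bounded session,
# terminated when the window expires, every event recorded in an audit trail.
# All organisations, names and timestamps below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Register fields a) to g) that the policy requires for every connection.
REQUIRED_FIELDS = ("service", "fund_contact", "third_party_contact",
                   "start", "expected_end", "emergency_process", "risk_result")


@dataclass
class Connection:
    organisation: str
    service: str                 # a) description of the service
    fund_contact: str            # b) key contact at the Fund
    third_party_contact: str     # c) key contact at the third party
    start: datetime              # d) start date of the service
    expected_end: datetime       # e) expected end of the service life span
    emergency_process: str       # f) how to suspend/terminate in an emergency
    risk_result: str             # g) overall risk from the risk matrix: H, M or L
    enabled: bool = False        # denied by default
    approved_by: Optional[str] = None
    approved_until: Optional[datetime] = None


class AccessRegister:
    def __init__(self) -> None:
        self._connections: dict[str, Connection] = {}
        self.audit: list[dict] = []   # chronological audit trail

    def _log(self, when: datetime, event: str, org: str, **details) -> None:
        self.audit.append({"when": when, "event": event, "organisation": org, **details})

    def register(self, conn: Connection, when: datetime) -> None:
        """Accept a connection only if every mandatory register field is present."""
        missing = [f for f in REQUIRED_FIELDS if not getattr(conn, f)]
        if missing:
            raise ValueError(f"register entry for {conn.organisation} missing: {missing}")
        if conn.risk_result not in ("H", "M", "L"):
            raise ValueError("risk_result must be the matrix outcome H, M or L")
        conn.enabled = False          # disabled by default whatever the caller passed
        self._connections[conn.organisation] = conn
        self._log(when, "registered", conn.organisation, risk=conn.risk_result)

    def approve_session(self, org: str, approver: str, when: datetime,
                        duration: timedelta, purpose: str) -> datetime:
        """Enable access for one approved task; the window never outlives the service."""
        conn = self._connections[org]   # KeyError: unregistered parties get no access
        if not conn.start <= when <= conn.expected_end:
            raise PermissionError(f"{org}: outside the contracted service period")
        until = min(when + duration, conn.expected_end)
        conn.enabled, conn.approved_by, conn.approved_until = True, approver, until
        self._log(when, "session_approved", org, approver=approver, until=until, purpose=purpose)
        return until

    def is_access_allowed(self, org: str, when: datetime) -> bool:
        """Default deny; an expired approval is terminated on first check."""
        conn = self._connections.get(org)
        if conn is None or not conn.enabled:
            return False
        if when > conn.approved_until:
            self.terminate(org, when, reason="approved window expired")
            return False
        return True

    def terminate(self, org: str, when: datetime, reason: str) -> None:
        """The Fund may terminate any session without notice."""
        conn = self._connections[org]
        conn.enabled, conn.approved_until = False, None
        self._log(when, "session_terminated", org, reason=reason)

    def review(self, when: datetime) -> list[str]:
        """Organisations still enabled, or past their expected life span, for the regular review."""
        return [o for o, c in self._connections.items()
                if c.enabled or when > c.expected_end]


def demo() -> dict:
    """Constructed walk-through of one supplier session; returns the observed outcomes."""
    reg = AccessRegister()
    t0 = datetime(2024, 1, 10, 9, 0)
    reg.register(Connection(
        organisation="Acme Support Ltd", service="Database maintenance",
        fund_contact="System owner, Finance DB", third_party_contact="A. Engineer",
        start=t0, expected_end=t0 + timedelta(days=30),
        emergency_process="ICTD disables the VPN account and revokes the session",
        risk_result="M"), when=t0)
    out = {"before_approval": reg.is_access_allowed("Acme Support Ltd", t0)}
    reg.approve_session("Acme Support Ltd", "ICTD Director", t0,
                        timedelta(hours=4), "apply vendor patch")
    out["during_window"] = reg.is_access_allowed("Acme Support Ltd", t0 + timedelta(hours=1))
    out["after_window"] = reg.is_access_allowed("Acme Support Ltd", t0 + timedelta(hours=5))
    out["unknown_party"] = reg.is_access_allowed("Unknown Co", t0)
    out["last_event"] = reg.audit[-1]["event"]
    out["still_enabled"] = reg.review(t0 + timedelta(hours=6))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is that the approval, the window and the termination are data the access gate consults on every check, so an account cannot quietly remain open after its task; the audit list is what the monthly report review in this section would be generated from.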

Minimum Third Party Device Access Requirements

Minimum standards set for a connected network
All devices accessing the Fund's connected network must comply with the following:
a) Two-factor authentication.
b) No split tunnelling. A secure Virtual Private Network (VPN) tunnel between the client and the
Fund's connected network that does not allow other access to a public network (e.g. the Internet)
or to a local LAN or WAN at the same time, using the same physical network connection.
c) Personal firewall. Protection on the client in the form of a personal firewall (which may be
incorporated into the VPN client).
d) Antivirus software installed, up-to-date and active.
Exceptions for known third parties without Fund-owned equipment
There are very specific requirements for third parties where it is impractical to meet the requirement
that the equipment accessing the network is owned and configured by the Fund. In order for such an
exception to be granted, the following requirements must always be met:
a) The third party is not accessing RESTRICTED information in any way.
b) Any Fund service area wishing to provide access for a third party without the requirement for
Fund-owned equipment must complete a formal request (Advisable to develop a form) to ICTD
and should keep all records of this.
c) Any users that are part of an exceptions group will be held on record in an exceptions list and
their access regularly reviewed.

5.6. Sanctions
(help from ITF personnel)

5.7. Procedures
(embedded within policies)

5.8. Others

APPENDIX I

THIRD PARTY NETWORK ACCESS FORM

This form is to request access to the Fund's network and must be completed by the system owner
before the third party is provided with access to the network.
System owner information
Name of system:
Job title:
Telephone:
Budget code:
Signature:
Name of third party (company name):
Name of contact at the third party:
Name of the user account required:
Start date for access required:
Finish date for access required:
Emergency handling process for terminating or suspending the service:
System owner's commitment
I authorise the third party to have access to the network and systems listed below. I confirm that I have
read the ICT User Management Policy and understand my obligations as a line manager in terms of
this policy. I understand that the cost will be charged to my budget code.
Risk Assessment
I confirm that a risk assessment has been undertaken meeting the requirements of the Third Party
Policy and that a copy of this risk assessment has been provided to ICTD.
Network access and system access required
(Please provide full details, including detailed server names and systems.)
Where does this form go?
(specify responsible person)

APPENDIX II
RISK ASSESSMENT TEMPLATE
As part of the ITF ICT Third Party Policy a risk assessment must be carried out before allowing any
network connection to any third party. It is the responsibility of the named system owner to ensure that
this risk assessment is undertaken. In undertaking the risk assessment, the type of access required
and the data that will be available to the third party need to be understood. In addition, the details
of how the third party will secure its ICT equipment and networks must also be understood. Once
this information has been collected the ICTD can assess the risk to the Fund's ICT systems and
information.
The following need to be completed as part of this risk assessment:
a) The scope of the assessment itself
b) A description of the participants in the assessment
c) System information
d) Data being accessed by the system
e) An overview of the users
f) A vulnerability statement
g) A threat statement
h) An overall RISK MATRIX
i) An overall conclusion

1. SCOPE OF THE RISK ASSESSMENT
Describe the scope of the risk assessment including system components, elements, users, field site
locations (if any), and any other details about the system to be considered in the assessment:

2. PARTICIPANTS IN THIS RISK ASSESSMENT
Role                   | Participant (name(s))
System owner           |
Security administrator |
Database administrator |
Network manager        |
Risk assessment team   |

3. SYSTEM INFORMATION
IT System ID:
System Common Name:
System owner: full name:
System owner: telephone:
System owner: email:
Physical Location:
Major Business Function:
Other Relevant Information:
IT System Description and Components:
IT System Interfaces:

4. DATA ACCESSED BY THE SYSTEM

The classification table should be referred to when preparing the Data Risk Table. The level of
risk is directly defined by the impact that exposing this information would have on the Fund.
Data element | Sensitivity classification (Critical, Significant, Minor, Negligible) | Description

Classification | Description
Critical | Loss of this information will usually cause the degradation of vital service(s) for a
large number of users, involve a serious breach of network security, affect mission-critical
equipment or services, or damage public confidence in the government.
E.g. targeted attacks or loss of a publicly available online service.
Significant | Loss of this information is likely to impact a smaller group of users, disrupt
non-essential services, breach network security policy, or affect public respect for government
bodies and services.
E.g. website defacement or damaging unauthorised changes to a system.
Minor | Loss of this information can be capably handled by local IT support and security
officers and does not require external assistance, although ICTD should be notified of its
occurrence. This aids the correlation of similar events, furthers the understanding of the IT
security challenges facing the Fund and may raise awareness of new attacks.
E.g. an unsuccessful denial-of-service attack or the majority of network monitoring alerts.
Negligible | Loss of this information will not necessarily need to be reported, since such events
are of limited impact or affect only a few users. This sort of event would include receipt of
isolated spam or anti-virus alerts, minor computer hardware failure, loss of network connectivity
to a peripheral device such as a printer, or loss of access to an external non-essential service.
In general these would be considered to be part of normal IT support operations.
E.g. isolated anti-virus alert or spam email.
Please refer to the categorisation look-up table and associated definitions to assess the most
appropriate response.

5. USERS WHO ACCESS THE SYSTEM

An overview of who has access to the system, what third party user access will mean and what the
intended routine use will be.
Categories of users | How users access the system and their intended use of the system

6. VULNERABILITY STATEMENT
A comment about the vulnerabilities of the system and the setup of the system, with particular attention
to how this is affected by having a third party connection to the system.
List of vulnerabilities | Description (e.g. the vulnerability and its impact) | Mitigation

7. THREAT STATEMENT
A comment about the threats facing the system regardless of any third party connection to it, and then a
consideration of how these are affected by having third party access to the system.
List of threats | Description | Mitigation
RISK MATRIX
The risk matrix flows from the information gathered in the preceding seven steps and should result in a
list of risks with an overall risk statement for each. The focus of the risk matrix is to examine what
impact third party access has on the system. It is worth being very realistic and comparing this to an
ideal scenario in which the system was fully contained.
No. | Risk Observation | Threat / Vulnerability | Existing controls | Likelihood (H/M/L) | Impact (H/M/L) | Overall Risk (H/M/L) | Recommended mitigation
8. RISK ASSESSMENT: CONCLUSION

Provide a free text summary of the risk matrix findings.
RISK ASSESSMENT: Authorised by
ITF system owner (named person):
Job title:
Telephone:
Signature: _____________________

Where does this form go?
(specify responsible person)
