Third Party Security Policy Template

Posted by Peter Bassill on 05/01/2021

Important notes on using these templates. Check through the document and replace or consider the entries in red and/or within curly brackets {}.
POLICY STATEMENT
The aim of this Policy is to enable the business to operate effectively and efficiently, to comply with legislation, regulations, information standards (ISO/IEC27001) and good practice, and to safeguard information and data against potential loss by theft, malicious or accidental damage, or breach of privacy or confidentiality.
The purpose of this Third Party Security Policy is to ensure that {company_name} addresses the requirement for information security within contracts with third parties who may have access to customers' sensitive or personal information, cardholder data and other sensitive data, or to networks and systems where that sensitive data is processed and stored.
APPLICABILITY
This Policy applies to all {employees, contractors, consultants, auditors, temporary workers - adjust or delete as needed} and other workers employed by {company_name}, including all personnel affiliated with third parties who provide services for {company_name} (collectively the “Users”). It also applies to all equipment that is owned or leased by {company_name}.
COMPLIANCE WITH THE POLICY
A breach of any part of this Policy may be dealt with under {company_name} Disciplinary Policy. In serious cases such a breach of any part of this Policy may be treated as gross misconduct, and may lead to disciplinary action up to and including dismissal. It may also give rise to civil and/or criminal liability.
It is essential that all individuals employed by {company_name} familiarise themselves with the content of this Policy and understand its disciplinary implications. 
THIRD PARTY SECURITY POLICY
{company_name} shall implement measures to ensure that all third party companies with which it contracts have a registered UK office, and therefore comply with UK Data Protection Laws. If {company_name} does not have a UK registered office, an office within the EU is acceptable, though the contract must include reference to adherence to the UK Data Protection Act and relevant laws.
Where sensitive data is shared, for example sharing Personal Identifiable Data or Cardholder Data with a fraud screening agency, the contract must contain provisions requiring adherence to the Data Protection Act, ICO guidelines for handling of sensitive data and the PCI-DSS requirements. Additionally, the contract must contain provision for acknowledgement by the third party of their responsibility for securing Personal Data, Employee Data, Cardholder Data and other sensitive data which may be exchanged during the execution of the contract.
Responsibilities
User’s Responsibilities:

Anyone who deals directly or indirectly with third parties during the connection negotiation stage of contracts is responsible for following all appropriate procedures that relate to that connection.
Users are responsible for their actions and should not take any action which is outside the law or in breach of Company policies, procedures, guidelines or codes of conduct.
Users are responsible for ensuring that only the bare minimum access through a connection is granted in order to support the business function and that the details within Annex A are completed in accordance with the guidelines published within this policy.

Manager’s Responsibilities:

To ensure that all third party connections are explicitly written into business contracts in accordance with the guidelines published within this policy.
To seek explicit authorisation from the Information Security Office and IT Director for any third party network interconnections, and for the user authentication devices used with them, before they are put in place.
To ensure that connections that are no longer required by the business are terminated as early as possible and in an authorised and systematic manner in line with this policy.
To implement and monitor this policy within their areas of responsibility, and to ensure that those for whom they are responsible, including visitors and contractors, are aware of and comply with this policy and associated guidelines.
To notify and seek guidance from the Information Security Office of all breaches of this policy.

General Guidelines
When developing a relationship with a third party a risk assessment should be completed, taking the following factors into account:

All third party companies should have a registered UK office, and therefore comply with UK Data Protection Laws. If {company_name} does not have a UK registered office, an office within the EU is acceptable, though the contract must include reference to adherence to the UK Data Protection Act and other relevant laws.
Where private or sensitive data is shared, for example sharing Cardholder data with a fraud screening agency, the contract must contain provisions requiring adherence to the Data Protection Act, the ICO’s data handling guides and PCI DSS requirements. Additionally, the contract must contain provision for acknowledgement by the third party of their responsibility for securing private or sensitive data. Where a third party is unable to make this assurance, a clause must be included in the contract which allows {company_name} to conduct audits as they see appropriate.
All Company business partners, suppliers, customers, and other business associates must be made aware of their information security responsibilities through specific language appearing in contracts that define their relationship with {company_name}.
Private or sensitive information in {company_name}’s custody must not be disclosed to third parties unless these third parties have signed an explicit chain of trust agreement approved by the relevant IT Director.
All disclosures of secret, confidential, or private Company information to third parties must be accompanied by an explicit statement describing exactly what information is restricted and how this information may and may not be used.
All agreements with information systems outsourcing organisations must stipulate that {company_name} will receive annually a report expressing an independent opinion about the adequacy of the controls in use at that outsourcing organisation. If a third party is unable to provide an independent report as to their compliance with the standards required in the contract or SLA then, where appropriate, {company_name} must be able to conduct audits as it deems necessary.
All third party companies providing critical services to {company_name} must provide an agreed Service Level Agreement.
When placing orders for products or services, or when establishing any new or modified business relationship, Company staff must notify third party vendors that they must not publicly reveal either the nature or existence of their relationship with us without written approval from one of {company_name}’s corporate officers.
Third party organisations must not use our Company name in their advertising or marketing materials unless explicit written permission has first been obtained from {company_name}’s legal counsel.
If a privacy policy prevents {company_name} from performing a certain act or taking a certain course of action, it must not hire one or more third parties to perform this action instead.
If {company_name} terminates its contract with any third party organisation that is handling {company_name}’s private information, this same third party organisation must immediately thereafter destroy or return all of {company_name}’s private data in its possession, and return a certificate to that effect.
All information systems related outsourcing contracts must be reviewed and approved by the relevant IT Director who is responsible for ensuring that these contracts sufficiently define information security responsibilities, how to respond to a variety of potential security problems and the right to terminate the contract for cause, if it can be shown that the outsourcing organisation does not abide by the information security related contractual terms.

A comprehensive list of all third party companies connected to any of Company’s networks must be held and maintained by the Information Security Office. Due diligence must be conducted prior to connection and the entity must:

Adhere to the PCI-DSS or PA-DSS security requirements and be PCI-DSS or PA-DSS compliant.
Adhere to, and be compliant to, other standards relevant to the contract.
Acknowledge their responsibility for securing the Cardholder data.
Acknowledge that the Cardholder data must only be used for assisting with the completion of a transaction, providing a fraud control service or for other uses specifically required by law.
Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
Provide full cooperation and access to a Payment Card industry representative, or a Payment Card industry approved third party, to conduct a thorough security review after a security intrusion or data breach.
Acknowledge that these agreed obligations to safeguard the confidentiality of the Cardholder and other sensitive data shall survive the termination of any other contractual agreements with {company_name}.

As a condition of gaining access to {company_name}’s computer network, every third party must secure its own connected systems in a manner consistent with {company_name}’s requirements and following the VPN Technical Standards Policy. {company_name} reserves the right to audit the security measures in effect on these connected systems without prior warning. {company_name} also reserves the right to immediately terminate network connections with all third party systems. Such a disconnection would be warranted if {company_name} believes the third party is not meeting these requirements, or if the third party is providing an avenue of attack against {company_name}’s systems.
Before a user ID can be issued to a third party, documentary evidence of an information security system or process must be provided to, and approved by, {company_name}’s Information Security Office and the third party must agree in writing to maintain this system or process to prevent unauthorised and improper use of {company_name}’s systems.
Decisions about who will be granted access to both Company information and Company information systems must be made by Company management and never by outsourcing organisation personnel.
All contracts with web site hosting organisations, application service providers, managed systems security providers, and other information systems outsourcing organisations, must include both a documented backup plan and a periodic third party testing schedule.
A formal process for connecting and disconnecting entities must be in place, and the connected entity list must be reviewed on at least a six-monthly basis by the Networks and Security Team and the Information Security Office.
GETTING HELP
All questions relating to this Third Party Security Policy should be directed to the Information Security Office in the first instance.

Annex A to Third Party Security Policy
Dated {{month}} {{year}}
DETAILS TO BE RECORDED ON THIRD PARTY ACCESS TO NETWORK

Contact Information

Requester Information
Name:
Department:
Phone Number:
Email Address:

Technical Contact Information
Name:
Department:
Phone Number:
Email Address:

Back-up Point of Contact
Name:
Department:
Phone Number:
Email Address:

Connection Details
Physical address of termination point of network connection:
24x7 support contact information:

Statement of Purpose
The requesting company must include a statement about the business needs of the proposed connection.

Checklist Of Questions To Be Answered
Required services?
Required authentication? (two factor?)
Encryption requirements?
Duration for connection to be maintained?
How will the connection be used?
What applications will be used?
What type of data transfers will be done?
What are the estimated hours of use each week?
What are peak hours?
Is this connection critical to business operation?
Is the third party PCI DSS compliant?
Is there a contractual agreement in place?
Has a mutual bi-lateral NDA been completed?
Has the third party been vulnerability scanned by a PCI ASV?
Have the test results been verified?