ABC Industries     Policy name: 3rd Party Access     Revision: X1

Policy section

Purpose

The purpose of this policy is to limit, monitor and control third party access to any sensitive areas, including facilities, computing infrastructure and data, and to establish controls to protect them, including defining the reasons for and necessity of access by third parties.

Overview

Third party access to information resources, while often strategic, can cause a myriad of security issues. Access to information and systems for third parties must be carefully considered: what the business reasons for access are, the minimum/maximum amount of access that will be permitted, and what the justification for that access is. Risk analysis should be performed and careful monitoring should occur.

Scope

The scope of this policy includes all personnel who manage permissions/access to systems and grant access to data in concert with those who engage/manage/contract third parties. Those who perform and assess risk analysis will also be consulted.

Policy

The intent of the third party access security policy is to provide clearly defined and documented rules and rights for each third party user or group and to ensure that controls are in place to assure compliance. The objective of this policy is to control third party access to information and information services based upon the business and security requirements.

Policy details

Whenever there are contracts between the organization and any third party with data or system access, the contract shall address access.

The reason for third party access will be provided to (name, organization) and must be approved by (name, department) prior to granting third party access.

All third parties that access the organization will be required to acknowledge their compliance with the access control policies for each application to which they have access.

The organization will also put controls in place to mitigate the risk from those third parties with casual access to IT assets (i.e. cleaning or maintenance third parties).

Add additional statements as required to meet your IT security requirements.

List additional security statements below:

Violation - Consequences section

Consequences for failure to follow this policy:     Employee support of our written IT security policies is the cornerstone in implementing and maintaining a secure IT infrastructure. Consequences of failure to comply with IT Security policies may include: loss of access rights, verbal warnings, written warnings, discipline up to and including employment termination and/or prosecution.

Report violations to:     Violations of this IT Security policy will be immediately reported to the (Variables) IT Security Coordinator, violator's Manager, Department manager, Asset owner, Executive Management, Human Resources, Law Enforcement Authorities. Violations will be reported via: E-mail, IM, phone, fax, paging, physically tracking down appropriate personnel.

Document control section

Supporting Documents:     Supporting documents for this policy include:

This document supersedes:    N/A

Written by (owner):    

Date written:    0000-00-00

Approval 1 by:   

Date approved:     0000-00-00

Approval 2 by:    

Date approved:    0000-00-00

Policy status:     Not started

Date released:    0000-00-00