
RE: third party access information

Subject: RE: third party access information
Date: Mon, 9 Aug 2004 11:57:34 -0500
Starting with the definition of a third party. Anybody who is a
non-employee. And the access is that anybody accessing the trusted
network from your premises or from outside through a dedicated or
non-dedicated link. 
The definition of third party access would include all of what has been
described. 

That depends on what you mean by "third party access"...  Are  you
talking about...
...vendors having access to data on your systems?
...business partners having access to data on your systems?
...regulatory agencies or law enforcement having access to data on your
systems?
...infrastructure outsourcing providers having access to the data?
...consultants or contractors having access to the data?
...employees of your company having access to others' data via the above?
...selling or sharing data you collected to others?  


It is increasingly being seen based on my experience with several
clients that there is pressure from regulators to track third party
access and entitlement at a very granular level. i.e. who has access to
what and when. Also they would like to track/audit the detail of when
the access occurred. They are looking at this specifically based on the
risk that a third party introduces into a trusted network. 

All of this cannot be tracked just by enhancing policies and standards;
however, this would be an important step to achieve. 

Third Party Access would delve into the areas of 

*       Network Segmentation / Partitioning for access
*       Tracking Identity / Entitlement Management
*       Data Classification / Privacy
*       Analysis of current third party, operational & business
processes and streamline them to adhere to third party policies and
guidelines that are established. 

Regards,
Shree

_____________________________________________________________
Shree Parthasarathy (Par tha sarah thee) 
DELOITTE & TOUCHE LLP | 2  WFC | New York | NY | 10281 
Office: 212.436.5485 | Toll-Free 800.328.8782 ext. 5485 
Fax: 212.653.6140 | Mobile: 646.637.8560 
sparthasarathy@deloitte.com | http://www.deloitte.com


-----Original Message-----
From: Subscriber [mailto:itnomert@shaw.ca] 
Sent: Friday, August 06, 2004 2:51 PM
To: security-management@securityfocus.com
Subject: Re: third party access information

At 06/08/2004 08:51 AM, nuerostar-secmgt@yahoo.com wrote:
Hi,

Hey, what does this list know about the policies of
"third party access".  Like I am looking for research
material, views, advice on this.  What have you all
seen in the field.  My questions will grow with time. 
I would appreciate any help on this.

Thanks,

nuero 

That depends on what you mean by "third party access"...  Are  you
talking about...
...vendors having access to data on your systems?
...business partners having access to data on your systems?
...regulatory agencies or law enforcement having access to data on your
systems?
...infrastructure outsourcing providers having access to the data?
...consultants or contractors having access to the data?
...employees of your company having access to others' data via the above?
...selling or sharing data you collected to others?  



