3rd Party ConnectionsI'm extractin this from the ISO 17799 that may help as a
big reference:
4.2 Security of third party access
Objective: To maintain the security of organizational information processing
facilities and
information assets accessed by third parties.
Access to the organization's information processing facilities by third parties
should be
controlled.
Where there is a business need for such third party access, a risk assessment
should be carried
out to determine security implications and control requirements. Controls
should be agreed
and defined in a contract with the third party.
Third party access may also involve other participants. Contracts conferring
third party access
should include allowance for designation of other eligible participants and
conditions for their
access.
This standard could be used as a basis for such contracts and when considering
the
outsourcing of information processing.
4.2.1 Identification of risks from third party access
4.2.1.1 Types of access
The type of access given to a third party is of special importance. For
example, the risks of
access across a network connection are different from risks resulting from
physical access.
Types of access that should be considered are:
a) physical access, e.g. to offices, computer rooms, filing cabinets;
b) logical access, e.g. to an organization's databases, information systems.
4.2.1.2 Reasons for access
Third parties may be granted access for a number of reasons. For example, there
are third
parties that provide services to an organization and are not located on-site
but may be given
physical and logical access, such as:
a) hardware and software support staff, who need access to system level or low
level
application functionality;
b) trading partners or joint ventures, who may exchange information, access
information systems or share databases.
Information might be put at risk by access from third parties with inadequate
security
management. Where there is a business need to connect to a third party location
a risk
assessment should be carried out to identify any requirements for specific
controls. It should
take into account the type of access required, the value of the information,
the controls
employed by the third party and the implications of this access to the security
of the
organization's information.
4.2.1.3 On-site contractors
Third parties that are located on-site for a period of time as defined in their
contract may also
give rise to security weaknesses. Examples of on-site third party include:
a) hardware and software maintenance and support staff;
b) cleaning, catering, security guards and other outsourced support services;
c) student placement and other casual short term appointments;
d) consultants.
It is essential to understand what controls are needed to administer third
party access to
information processing facilities. Generally, all security requirements
resulting from third
party access or internal controls should be reflected by the third party
contract (see also 4.2.2).
For example, if there is a special need for confidentiality of the information,
non-disclosure
agreements might be used (see 6.1.3).
Access to information and information processing facilities by third parties
should not be
provided until the appropriate controls have been implemented and a contract
has been signed
defining the terms for the connection or access.
4.2.2 Security requirements in third party contracts
Arrangements involving third party access to organizational information
processing facilities
should be based on a formal contract containing, or referring to, all the
security requirements
to ensure compliance with the organization's security policies and standards.
The contract
should ensure that there is no misunderstanding between the organization and
the third party.
Organizations should satisfy themselves as to the indemnity of their supplier.
The following
terms should be considered for inclusion in the contract:
a) the general policy on information security;
b) asset protection, including:
1) procedures to protect organizational assets, including information and
software;
2) procedures to determine whether any compromise of the assets, e.g. loss or
modification of data, has occurred;
3) controls to ensure the return or destruction of information and assets at
the end of,
or at an agreed point in time during, the contract;
4) integrity and availability;
5) restrictions on copying and disclosing information;
c) a description of each service to be made available;
d) the target level of service and unacceptable levels of service;
e) provision for the transfer of staff where appropriate;
f) the respective liabilities of the parties to the agreement;
g) responsibilities with respect to legal matters, e.g. data protection
legislation,
especially taking into account different national legal systems if the contract
involves
co-operation with organizations in other countries (see also 12.1);
h) intellectual property rights (IPRs) and copyright assignment (see 12.1.2) and
protection of any collaborative work (see also 6.1.3);
i) access control agreements, covering:
1) permitted access methods, and the control and use of unique identifiers such
as
user IDs and passwords;
2) an authorization process for user access and privileges;
3) a requirement to maintain a list of individuals authorized to use the
services being
made available and what their rights and privileges are with respect to such
use;
j) the definition of verifiable performance criteria, their monitoring and
reporting;
k) the right to monitor, and revoke, user activity;
l) the right to audit contractual responsibilities or to have those audits
carried out by a
third party;
m) the establishment of an escalation process for problem resolution;
contingency
arrangements should also be considered where appropriate;
n) responsibilities regarding hardware and software installation and
maintenance;
o) a clear reporting structure and agreed reporting formats;
p) a clear and specified process of change management;
q) any required physical protection controls and mechanisms to ensure those
controls
are followed;
r) user and administrator training in methods, procedures and security;
s) controls to ensure protection against malicious software (see 8.3);
t) arrangements for reporting, notification and investigation of security
incidents and
security breaches;
u) involvement of the third party with subcontractors.
----- Original Message -----
From: James McGee
To: security-management@securityfocus.com
Sent: Sunday, November 21, 2004 9:31 PM
Subject: 3rd Party Connections
Hi
I am doing some perimeter security work for a large insurance company who
have around 130 connections to various 3rd party organisations. These range
from direct-dial to a PC on the LAN, to ISDN, to Leased-Line connections. Some
are firewalled, most are not! We are working on that!
I have put in the infrastructure to isolate the LAN from "untrusted" sites
and users and now need to write up a strategic policy that is workable for all
new connectivity requests and all existing requests (over time)
I would really appreciate if you could share some real-world workable
policies that I could potential use as a template or information resource.
I found some good ones via google, but non really cut it to the full extent
my client is looking for
Any help appreciated..
Thanks
JM
