Third Party Security Policy Template


Third Party Security Policy
Third Party Security Policy outlines how {{company_name}} manages information security risks related to its interactions with external parties. 
Purpose
The purpose of this policy is to ensure that {{company_name}} conducts due diligence when engaging with external entities. The policy sets guidelines for assessing and managing these risks.
Scope
This policy covers all information assets present at {{company_name}}.
POLICY
The Company shall implement measures to ensure that all third party companies with which it contracts have a registered UK office, and therefore comply with UK Data Protection Laws. If the company does not have a UK registered office, an office within the EU is acceptable, though the contract must include reference to adherence to the UK Data Protection Act and relevant laws.

Where sensitive data is shared, for example sharing Personally Identifiable Data or Cardholder Data with a fraud screening agency, the contract must contain provisions requiring adherence to the Data Protection Act, ICO guidelines for the handling of sensitive data and the PCI DSS requirements. Additionally, the contract must contain provision for acknowledgement by the third party of their responsibility for securing Personal Data, Employee Data, Cardholder Data and other sensitive data which may be exchanged during the execution of the contract.
Responsibilities
User’s Responsibilities:
  • Anyone who deals directly or indirectly with third parties during the connection negotiation stage of contracts is responsible for following all appropriate procedures that relate to that connection.
  • Users are responsible for their actions and should not take any action which is outside the law or in breach of Company policies, procedures, guidelines or codes of conduct.
  • Users are responsible for ensuring that only the bare minimum access through a connection is granted in order to support the business function and that the details within {{Annex A}} are completed in accordance with the guidelines published within this policy.
Manager’s Responsibilities:
  • To ensure that all third party connections are explicitly written into business contracts in accordance with the guidelines published within this policy.
  • To seek explicit authorisation from the Information Security Office and the IT Director for any third party network interconnection, and for the user authentication devices it will use, before the connection is established.
  • To ensure that connections that are no longer required by the business are terminated as early as possible and in an authorised and systematic manner in line with this policy.
  • To implement and monitor this policy within their areas of responsibility, and to ensure that those for whom they are responsible, including visitors and contractors, are aware of and comply with this policy and associated guidelines.
  • To notify and seek guidance from the Information Security Office of all breaches of this policy.
General Guidelines
When developing a relationship with a third party, a risk assessment should be completed, taking the following factors into account:
  • All third party companies should have a registered UK office, and therefore comply with UK Data Protection Laws. If the company does not have a UK registered office, an office within the EU is acceptable, though the contract must include reference to adherence to the UK Data Protection Act and other relevant laws.
  • Where private or sensitive data is shared, for example sharing Cardholder Data with a fraud screening agency, the contract must contain provisions requiring adherence to the Data Protection Act, the ICO’s data handling guides and PCI DSS requirements. Additionally, the contract must contain provision for acknowledgement by the third party of their responsibility for securing private or sensitive data. Where a third party is unable to give this assurance, a clause must be included in the contract which allows the Company to conduct audits as it sees appropriate.
  • All Company business partners, suppliers, customers, and other business associates must be made aware of their information security responsibilities through specific language appearing in contracts that define their relationship with the Company.
  • Private or sensitive information in the Company’s custody must not be disclosed to third parties unless these third parties have signed an explicit chain of trust agreement approved by the relevant IT Director.
  • All disclosures of secret, confidential, or private Company information to third parties must be accompanied by an explicit statement describing exactly what information is restricted and how this information may and may not be used.
  • All agreements with information systems outsourcing organisations must stipulate that the Company will receive annually a report expressing an independent opinion about the adequacy of the controls in use at that outsourcing organisation. If a third party is unable to provide an independent report as to their compliance with the standards required in the contract or SLA then, where appropriate, the Company must be able to conduct audits as it deems necessary.
  • All third party companies providing critical services to the Company must provide an agreed Service Level Agreement.
  • When placing orders for products or services, or when establishing any new or modified business relationship, Company staff must notify third party vendors that they must not publicly reveal either the nature or existence of their relationship with us without written approval from one of the Company’s corporate officers.
  • Third party organisations must not use the Company’s name in their advertising or marketing materials unless explicit written permission has first been obtained from the Company’s legal counsel.
  • If a privacy policy prevents the Company from performing a certain act or taking a certain course of action, it must not hire one or more third parties to perform this action instead.
  • If the Company terminates its contract with any third party organisation that is handling the Company’s private information, this same third party organisation must immediately thereafter destroy or return all of the Company’s private data in its possession, and return a certificate to that effect.
  • All information systems related outsourcing contracts must be reviewed and approved by the relevant IT Director who is responsible for ensuring that these contracts sufficiently define information security responsibilities, how to respond to a variety of potential security problems and the right to terminate the contract for cause, if it can be shown that the outsourcing organisation does not abide by the information security related contractual terms.
A comprehensive list of all third party companies connected to any of the Company’s networks must be held and maintained by the Information Security Office. Due diligence must be conducted prior to connection and the entity must:
  • Adhere to the PCI DSS or PA-DSS security requirements and be PCI DSS or PA-DSS compliant.
  • Adhere to, and be compliant to, other standards relevant to the contract.
  • Acknowledge their responsibility for securing the Cardholder data.
  • Acknowledge that the Cardholder data must only be used for assisting with the completion of a transaction, providing a fraud control service or for other uses specifically required by law.
  • Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
  • Provide full cooperation and access to a Payment Card Industry representative, or a Payment Card Industry approved third party, to conduct a thorough security review after a security intrusion or data breach.
  • Acknowledge that these agreed obligations to safeguard the confidentiality of the Cardholder and other sensitive data shall survive the termination of any other contractual agreements with the Company.
As a condition of gaining access to the Company’s computer network, every third party must secure its own connected systems in a manner consistent with the Company’s requirements and following the VPN Technical Standards Policy. The Company reserves the right to audit the security measures in effect on these connected systems without prior warning. The Company also reserves the right to immediately terminate network connections with all third party systems. Such a disconnection would be warranted if the Company believes the third party is not meeting these requirements, or if the third party is providing an avenue of attack against the Company’s systems.

Before a user ID can be issued to a third party, documentary evidence of an information security system or process must be provided to, and approved by, the Company’s Information Security Office, and the third party must agree in writing to maintain this system or process to prevent unauthorised and improper use of the Company’s systems.

Decisions about who will be granted access to both Company information and Company information systems must be made by Company management and never by outsourcing organisation personnel.

All contracts with web site hosting organisations, application service providers, managed systems security providers, and other information systems outsourcing organisations, must include both a documented backup plan and a periodic third party testing schedule.

A formal process for connecting and disconnecting entities must be in place, and the connected entity list must be reviewed at least every 6 months by the Networks and Security Team and the Information Security Office.
Monitoring
Responsibility for monitoring changes and updates lies with the CEO. Updates are reviewed at Board meetings as required. With each update, an action is assigned by the relevant person to ensure the updates are reflected in Policy / Procedure and communicated as required.
COMPLIANCE
Compliance Measurement
{{company_name}} will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exceptions to the policy must be approved by the CEO in advance.
Non-Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
RELATED STANDARDS, POLICIES AND PROCESSES
  • All