Security – ISMS – Third Party Relationships

Third Party Relationships

Requirements

Most companies have relationships with third parties, such as suppliers and service providers, to perform functions that support the core activities of the company. These relationships will generally involve sharing information between the organisations. In some cases, this could include providing access to your technology systems, either indirectly or directly, on a permanent or temporary basis.

Providing third party organisations with access to your technology without sufficient understanding of your company’s information security framework has the potential to accidentally expose your sensitive data. Improper use of access could also open up your technology to threats, eg if the appropriate steps to protect your systems are not followed. So, controls for managing third party access to information and systems should be identified and included in the ISMS.

Security conscious organisations may already have special controls built into their systems to allow third parties to access only what they need. However, setting up limited access on its own is not enough to protect your systems or your information. There must be a set of policies and measures included in your ISMS specifically for third party access to ensure appropriate arrangements are fully understood.

Key topics to address in the ISMS are:

• Third party awareness of organisation’s security stance
• Third party obligations in relation to organisation’s security
• Organisation’s policies and measures applicable to third parties
• Special policies and measures specific to third parties
• Handling breaches caused by third parties
• Third Party Agreements

Policy Explanation

Making your partners and other third party organisations aware of your organisation’s stance on security will alert them of the need to align their activities with elements of your framework. Details of what aspects of your framework are shared with them should be documented in your ISMS for clarity. This material can be used to guide all employees who engage with suppliers and service providers in their conversations about security.

The partners’ obligations in relation to protecting your information and systems also need to be clarified. This means education material may need to be supplied and, depending on the situation, regular updates delivered to ensure knowledge is current.

Certain details of your own ISMS policies may need to be shared with your partners to illustrate how you operate within the security framework. This does not mean sharing the entire ISMS with your partners, but providing them with enough to understand your security regime and help them gauge their involvement.

There may also be specific policies and measures for third party access that are different from those used by your employees, eg closing partner access to systems at certain times of the day; using different access channels, etc. These too need to be documented and shared.

Your organisation should retain visibility of security activities that involve third parties through the standard processes of change management, vulnerability identification, incident reporting and responses to security events. In the event of a security breach believed to have been caused by authorised third-party activity, your security incident response plan must highlight the steps to be taken to resolve the situation. This may include additional elements in your standard security incident response plan over and above the standard process.

Finally, a Third Party Agreement would normally be negotiated to manage the commercial  relationship with suppliers, service providers, etc. Any requirements by partners to view, process, store, communicate or provide details to your organisation should be defined and agreed with reference to all applicable information security requirements and should be included in agreements to ensure clarity. These agreements should also contain provisions to mitigate information security risks associated with the service(s) provided by the partner.

Organisations should monitor, review and audit the provision of service by third parties on a regular basis. This will ensure respect for the terms and conditions of information security and enable management of incidents and issues in this area. There should always be appropriate technical expertise and resources to track compliance with the requirements of the agreement with reference to information security.