This policy explains the risk assessments and access arrangements that are required to ensure effective information security when third parties need access to University information and systems.
It applies to University staff who are responsible for the specification and management of University IT services that are supported or accessed via third parties.
1.1 Third parties may be provided with access to University information and IT Services where there are business reasons to do so. Data protection and information security risks associated with such access will be managed through the use of risk assessments, Data Protection Impact Assessments and contractual agreements, to ensure the University meets its legal obligations.
1.2 Third parties can be involved in providing support and maintenance of University IT Services either on site or via remote access. Such arrangements will be delivered via a formal contract which includes binding requirements to ensure security of the University’s information and IT systems and to protect the confidentiality of its data. If the access involves transfer of personal data outside the European Economic Area, the access is to be governed by a contract which provides for the transfer and security of the data in line with the General Data Protection Regulation requirements.
1.3 In some third party arrangements high levels of privilege might be needed for the third party to be able to carry out their activities. To ensure that security risks are identified and controlled, such access, whether on site or remote, must be managed in accordance with the “Method Statement - Managing third party access”.
1.4 Third parties might occasionally require physical access to areas where University IT equipment is located such as data centres and wiring centres. Such access must be agreed in advance with the relevant University manager and is subject to formal risk assessment. Access controls must be used and logs maintained.
1.5 For any third party access, the University and third party must agree in advance a code of practice, a data sharing arrangement and non-disclosure agreement to protect University information and working practices.
2.1 This policy applies to University staff who are responsible for the specification and management of University IT services that are supported or accessed via third parties.
2.3 This policy supplements University policy relating to procurement of goods and services including the University’s Financial Regulations and Purchasing Procedures.
3.1 The Information Security Board, chaired by the Deputy Registrar, will monitor the effectiveness of this policy and carry out regular reviews.
4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.
4.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.
4.3 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
4.4 Any breach of information security or violation of this policy must be reported to the Deputy Registrar who will take appropriate action and inform the relevant authorities.
5.1 This document, together with related method statements, is available at: http://www.york.ac.uk/.
External organisations, or individuals, involved in providing or accessing a University information or IT service other than the University’s own staff or students.
Services which are either provided directly by University departments and managed by University staff OR provided to the University by third parties under bilateral outsourcing or cloud computing arrangements. Examples include:
| 12 September 2012 | Approved by Information Policy Executive |
| 08 October 2012 | Approved by Information Security Board |
| 29 January 2016 | Reviewed and approved by Information Security Board |
| 31 July 2019 | Reviewed and approved by Information Security Board |
Review cycle: Three yearly
Date of next review: July 2022