Method Statement - Managing third party access

1. Introduction

1.1 This method statement describes the steps that must be taken to provide a third party with access to University information or IT services that the third party has contracted to provide as a service to the University. It forms part of the University Information Security Policy.

2. Managing third party access policy statements

2.1 Privileged access by third parties to University data or systems should be approved by the Head of Department responsible for the data or system. The Head of Department must also name the member of University staff who will manage access by the third party.

2.2 The third party must specify which members of its staff will be involved in handling or accessing the University’s IT systems. The number of staff involved must be kept to a minimum necessary to deliver the service.

2.3 Access must only be given to the minimum set of data required for the third party to fulfil their contract. Test, dummy or sample data must be used unless there is compelling reason not to do so.

2.4 A member of University staff, named by the Head of Department, must be responsible for managing the access provided in terms of scope, level and duration and must ensure the activities of the third party are monitored in person and logged either electronically or manually.

2.5 Privileged remote access arrangements must only take place via secure encrypted network protocols from nominated remote (IP) addresses for the minimum required amount of time.

2.6 Changes made by a third party organisation to a University IT Service must follow the same change management procedure that would apply if those changes were being made by University staff.

2.7 If a third party makes use of a privileged account access must be removed as soon as the work is complete.

2.8 Any data transferred to the third party must be either returned or destroyed when specified by the agreed service contract.

2.9 The third party must immediately notify the University of any information security incidents which might impact on its service to the University or affect the security or confidentiality of any University data.

2.10 Third party access arrangements must be reviewed on an annual basis to ensure information security risks are being managed effectively and to validate that access is still required. Evidence of the review should be retained by the Head of Department for three years.

3. Oversight

3.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this method statement and carry out regular reviews.

Document history and status

12 September 2012 Approved by Information Policy Executive
08 October 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board

Status

Review cycle: Three yearly

Date of next review: January 2019