NCI Third Party Security Policy

Paul Hughes

Document Information

Prepared By:
Document Version No:
Title:
Document Version Date:
Reviewed By:
Review Date: August 2022

Distribution List

To | Action | Due Date | Phone/Fax/Email

Document Version History

Version Number | Version Date | Revised By | Description
For External Use

Contents

1. Introduction

1.1 To whom does this document apply?

1.1.1 Who is a Business Owner?

1.1.2 Who is a Super User?

1.2 What are the consequences if I do not abide by this policy?

1.3 References

2. Working with Third Parties

2.1 Third party responsibilities

2.2 NCI responsibilities

Introduction

NCI places great importance on the protection of its people, information, property, business processes, systems, and networks. The security policies in place show that security is integral to the way we work and is essential to the continued success of the College. 

Please make sure you are familiar with the contents of this policy. Raise any concerns or queries with the Security Officer.

To whom does this document apply?

The policies contained in this document apply to the following:

  • Business Owners
  • Admin Users
  • Solutions Architects/Technical Design Leads
  • ICT Support Staff
  • Business partners or third-party suppliers

In this policy the terms “All Users” and “Users” refer to all of the user types listed above. These user groups are responsible for reading the policies relevant to their area and familiarising themselves with the contents. Users outside the above groups do not need to be familiar with the policies in this document; their obligations as users of NCI’s systems and resources are set out in the NCI User Security Policy.

Who is a Business Owner?

“Systems” may refer to servers, databases, applications, network elements, or a combination of these. Every system must be defined and have a named Business Owner. A “Business Owner” (sometimes referred to as a “System Owner” or “Asset Owner”) is the person with overall responsibility for the system.

All Business Owners must be NCI employees, not contractors or employees of a third party.

Who is a Super User?

The Super User would usually administer, or handle, a system on behalf of the Business Owner. They are likely to be the primary expert on the system, and could be a member of a support team, a line manager, a business partner, or third-party supplier.

What are the consequences if I do not abide by this policy?

This document communicates management directives, and the responsibilities of all users to ensure consistent and appropriate protection of NCI’s assets. Users who have contravened the requirements of this policy may face disciplinary action, up to and including dismissal.

References

  • NCI Operations Security Policy
  • NCI Data Protection Policy

Working with Third Parties

NCI works with many different third parties in order to deliver the services and operations required of the College. All third parties, including vendors, business partners, contractors, and service providers, that affect NCI’s operations or the security of the College’s information must comply with these third-party policies and security requirements.

Third parties must demonstrate compliance by confirming in writing that they have read and understood these policies and requirements. It is the responsibility of the NCI Business Owner engaging with the third party to ensure that the policies and requirements have been attested to before any access is granted, or information exchanged. Any variations to the third party’s compliance with this policy and other relevant standards must be approved by NCI’s Security Officer, recorded in writing, and signed by both the third party and the responsible Business Owner.

Third party responsibilities

All third parties must:

  1. Have their own, well-defined security policies, which should be supported by documented procedures, and be in line with NCI’s policies.
  2. Comply with this policy and NCI’s Data Classifications and Handling Policy for all outsourced processing or exchange of information.
  3. Nominate a central point of contact for security related activities. The point of contact must be able to undertake the following on behalf of the College:
  • Assign security resources where required
  • Interface with NCI on security requirements
  • Ensure that all security requirements are implemented in accordance with this policy
  • Provide regular security reports to the Business Owner at agreed intervals
  • Co-ordinate the requirements of this policy with any sub-contractors or sub-processors used by the supplier (fourth parties)
  • Make available systems and personnel to enable NCI to perform internal and external audits of the supplier within the agreed parameters (right to audit)
  4. Provide NCI with the right, throughout the term of the agreement, to undertake security reviews and audits in order to determine that data and services have the appropriate levels of protection. These could take the form of a penetration test, physical security assessment, or other service audit.
  5. Avoid, wherever possible, consecutive sub-contracting of the service they provide to the College; that is, make efforts to avoid outsourcing to a sub-contractor who in turn outsources to another sub-contractor. The recommendation is a maximum of one level of outsourcing per service provided. The third party must have restrictions in place that prevent excessive onward outsourcing and must notify NCI of any sub-processing in line with Data Protection requirements.
  6. Allow NCI to recover all of the College’s data, information, and media held by the third party at the conclusion of the contracted agreement for services. This also applies where the third party has outsourced the processing or service, or part thereof, to a fourth party.
  7. Ensure that there is no direct or indirect network connection or integration between their management/administration network infrastructure and the NCI network where remote administration and/or maintenance services are being provided.
  8. Refer to NCI’s security policies in any response to an NCI Request for Information/Proposal/Tender (RFI/RFP/RFT), so that the policies are built into the delivery of the service and included in any cost estimates. Compliance with all NCI security criteria and standards should be a requisite.

NCI responsibilities

The College must:

  1. Notify the third party of its intent to perform an audit or security review in advance and agree a time that is convenient for both parties. Physical security assessments are the exception: an unscheduled physical security assessment may be required without prior notification to the third party.
  2. Ensure that, where there is a requirement to pass or provide NCI information classified as Internal-Use-Only or higher to a non-NCI person or company, a Non-Disclosure Agreement (NDA, also known as a mutual confidentiality contract) is agreed and signed prior to the exchange of information.
  3. Ensure that all NCI data, information, and media held by the third party at the conclusion of the contracted agreement for services is recovered. This also applies where the third party has outsourced the processing or service, or part thereof, to a fourth party.
  4. Perform a security risk assessment of supplied services on an annual basis in line with NCI risk assessment procedures, and consolidate the resulting risks in line with the existing risk review process. This risk assessment should consider:
  • The type of information accessed (data classification, quantity, etc.)
  • The security controls implemented by the third party and any security related certifications they may hold
  • Legal requirements and contractual obligations
  • The appropriateness of the agreements in place with third parties
  5. Refer to the College’s security policies in any RFI/RFP/RFT that NCI issues, so that they are built into the specification and included in any cost estimates. Compliance with all NCI security criteria and standards should be a requisite of any third-party engagement.
  6. Ensure that all agreements and/or contracts with third parties:
  • Are in writing and signed
  • Contain a statement of compliance with the security policies contained in this document
  • Have a specific contract clause stating that NCI has the right to audit any service delivered on its behalf with prior notification, including the right to monitor compliance with the security requirements and controls of the agreement[1]
  • Include a suitable Non-Disclosure Agreement (NDA) and confidentiality agreement – preferably NCI’s standard NDA and confidentiality agreement, where available
  • Include defined security responsibilities for the delivery of the service, including a central point of contact for security activities
  • Include notification and security incident management procedures
  • Include the requirement to return or destroy any NCI information on completion of the agreement
  • Include change management controls and procedures
  • Include a service level agreement (SLA) and the ability to monitor the agreed service levels
  • Include an agreed access control policy for information and the systems which process such information
  7. Where the development of a system is outsourced to a third party, ensure that the written contract also includes:
  • Clearly defined ownership, intellectual property rights, and licensing agreements for the developed software
  • Application security requirements
  • Monitoring of the applicable security requirements for compliance
  • A guarantee of the quality and security of the delivered software, making the third party responsible for any damages incurred by the College due to shortcomings in the software
  8. Where remote access by the third party is necessary for delivery of the services and contract, apply the following controls:
  • Where permitted, remote access into NCI for supplier maintenance or diagnostic purposes should be strictly controlled to protect the security of the system. It must have prior authorisation from the Business Owner and should be strictly limited to the time necessary to perform the required service

[1] Where the third party provides a service based on a multi-tenant environment, and auditing is limited, the third party provider must produce evidence of independent audits and testing.
