Add to collection(s) Add to saved
  1. Business
  2. Management

Vendor and Third Party Access Policy

advertisement 
Division of Information Technology
Policy Document No:
DIT Policy for Vendor
& Third-Party Access
Version
Version 1.4
TRIM file number
Short description
DIT Policy for Vendor & Third-Party Access
Relevant to
Approved by
Executive Director
Division of Information Technology
Responsible officer
Executive Director Information Technology
Responsible office
Office of Executive Director of the Division of
Information Technology
Date introduced
26 August 2009
Date(s) modified
14 September 2009
27 October 2009
14 December 2009
24 November 2011
Next scheduled review
date
24 November 2012
Related legislation
Privacy Act 1988
Key words
Vendor, security, privacy, information, access
Page 1 of 5
Division of Information Technology
Policy Document No:
DIT POLICY for Vendor & Third Party Access
Contents
1.
2.
3.
4.
Purpose...............................................................Error! Bookmark not defined.
Scope ................................................................................................................... 2
Policy .................................................................................................................. 2
Author History .................................................................................................... 5
1. Purpose
The DIT Vendor/Third Party Access Policy informs CSU management, business
owners, IT project teams and support staff of the CSU requirements for vendor access
to CSU Information Systems.
The policy defines vendor responsibilities for the protection of CSU information and
information systems.
2. Scope
The DIT Vendor Access Policy applies to all individuals and/or parties that are
responsible for the installation of new CSU Information System assets, and the
operations and maintenance of existing CSU Information Systems, and who do or
may allow vendor access for support, maintenance, monitoring and/or
troubleshooting purposes.
3. Policy
a) Vendor access to CSU Information Resources is granted solely for the work
contracted and for no other purposes.
b) Vendors must comply with all applicable CSU policies, practice standards and
agreements, including, but not limited to:
Page 2 of 5
Division of Information Technology
Policy Document No:







OH&S Policies
Change Management Policies
Privacy Policies
Security Policies
Auditing Policies
Software Licensing Policies
CSU Code of Conduct
All relevant policies are available from the Division of Information Technology
website located here.

c) Vendor agreements and contracts must specify:





The CSU information the vendor should have access to. If, at the time of
contract negations this is unknown or ambiguous, mention of this should
be made in the agreement.
How CSU information is to be protected by the vendor. A copy of the
Vendor’s Security and Privacy Policy should be made available to CSU
where appropriate.
Acceptable methods for the return, destruction or disposal of CSU
information in the vendor’s possession at the end of the contract.
Agreement that the Vendor must only use CSU information and
Information Systems for the purpose of the business agreement.
Any other CSU information acquired by the vendor in the course of the
contract cannot be used for the vendor’s own purposes or divulged to
others.
d) Where applicable, DIT will provide a technical point of contact for the vendor.
The point of contact will work with the vendor to ensure the vendor is in
compliance with CSU policies.
e) Where applicable, the business owner will provide the vendor with a point of
contact from within the relevant School, Section or Division. The internal point of
contact is responsible for liaising with DIT for all relevant Change Management
processes.
f) Before the commencement of the agreement the appropriate implementation of
DIT change management processes will be determined by DIT in consultation
with the Vendor and the CSU business owner. This will include such things as the
definition of standard changes, level and type of communications around changes,
and responsibilities around technical vulnerability management and security
incident reporting.
Page 3 of 5
Division of Information Technology
Policy Document No:
g) At the commencement of the agreement, Standard Changes, as defined in the
context of the CSU change management system, must be clearly identified and
agreed upon by the Business Owner, The Vendor and DIT.
1
All work and changes that are identified as impacting on other CSU systems must
be entered into the DIT Change Management System by the DIT point of contact
or, where applicable, the Business Owner point of contact. Activities include, but
are not limited to, such events as software/operating system updates/patches,
password changes, project milestones, changes to deliverables, and
commencement and completion times, wherever possible.
h) Vendors work activities on CSU systems may be monitored and logged for
comparison to Change Management System records.
i) Before the commencement of the agreement, methods for:




The monitoring and review of service performance,
logging activities,
submission of vendor reports and,
roles and responsibilities regarding problem management
will be determined by DIT in consultation with the Vendor and the CSU business
owner.
j) Each vendor must provide DIT with a list of all employee names working on the
contract. The list must be updated and provided to DIT within 24 hours of staff
changes, wherever possible.
k) Vendor access must be uniquely identifiable and password management must
comply with the CSU Password Policy and the CSU Remote Access Policy.
l) If appropriate, regular work hours and duties will be defined in the contract. Work
outside of defined timeframes must be approved by the appropriate CSU business
owners
m) All vendor maintenance equipment on the CSU network that connects to the
internet via any means, and all vendor accounts, will remain disabled except when
in use for authorized maintenance.
n) Upon departure of a vendor or vendor employee from the contract for any reason,
the vendor will ensure that all sensitive information is collected and returned to
DIT or destroyed within 24 hours.
Page 4 of 5
Division of Information Technology
Policy Document No:
o) Upon termination of contract, or at the request of CSU, the vendor will return or
destroy all CSU information and provide written certification of that return or
destruction within 24 hours.
p) Upon termination of contract, or at the request of DIT, the vendor must surrender
all CSU access cards, badges, and equipment immediately. Equipment and/or
supplies to be retained by the vendor must be documented by authorized DIT
management.
q) Vendors are required to comply with all regulatory and CSU auditing
requirements, including the auditing of the vendor’s work.
r) All software used by the vendor in providing service to CSU must be properly
inventoried and licensed.
s) Each vendor granted access to any CSU Information System must sign the DIT
Vendor Security, Privacy, Copyright and Confidentiality Agreement Form which
stipulates that each individual:



Has read and understands the security policies
Understands the responsibility to comply.
Understands the consequences of an infraction.
Author History
Date
Author
26/8/09
14/9/09
L Weston
L Weston
Version No.
Pages
1
5
1.1
5
27/10/09 L Weston
14/12/09 L Weston
1.2
1.3
5
5
24/11/11 L Weston
1.4
5
Page 5 of 5
Description
Draft Document
Suggested changes by B
Roberson, P Roy, G Taylor
Suggested changes by R Paton
Changes re change
management process
Review for web publication
Related documents
AGENCY REQUEST FOR PROPOSAL STATE OF NEW JERSEY DEPARTMENT OF THE TREASURY
AGENCY REQUEST FOR PROPOSAL STATE OF NEW JERSEY DEPARTMENT OF THE TREASURY
Dr. Blake Rutherford ​ CSU Math Department PhD Alumni
Dr. Blake Rutherford ​ CSU Math Department PhD Alumni
Download
advertisement