Third Party Access Risk Assessment Form

1 APPENDIX D: THIRD PARTY RISK ASSESSMENT FORM
As part of the council’s Third Party Access Policy, a risk assessment must be carried out before allowing any administrative access to the council’s network or systems. It is the responsibility of the sponsor of the relevant Islington council system to ensure that this risk assessment is undertaken.

This form must be filled out in conjunction with a Third Party Network Access Form – User, where administrative access is required.

This form will also be checked against a signed Third Party Network Access Form – Sponsor.

The purpose of this risk assessment is to understand the following:
• The sensitivity of the data accessed
• The connection method used
• Whether the third party user has been identity checked
• The endpoint used to connect to Islington council’s network

2. PARTICIPANTS IN THIS RISK ASSESSMENT
| Role\Entity | Participant Name |
|---|---|
| Islington Sponsor | |
| Third Party Company | |
| Third Party User | |

2. SYSTEM INFORMATION
Digital Services Contract Reference
System Common Name
System owner: Full name
System owner: telephone
System owner: email
Physical Location
Major Business Function
Other Relevant Information
IT System Description and Components
IT System Interfaces

Data types and examples

a. Confidential information
Information that the council would not currently release under Freedom of Information. Some examples are:
• Commercially confidential information
• Information provided in confidence (for example, as part of an investigation)
• Legally privileged information

b. Low risk personally identifiable data
• Lists of email addresses
• Lists of addresses
• Lists of staff names
(where these lists are not linked to more sensitive data)

c. Sensitive personal data
Information that identifies a living person and includes information about:
• Ethnicity
• Religion
• Sexuality
• Health
• Political views
• Trade Union membership
• Commission/Alleged commission of offence
Or which includes financial data.

Please scroll down to complete the risk assessment
4. Risk Assessment Calculation

| Data to be Accessed | Impact Rating |
|---|---|
| Non-sensitive or public | 1 |
| Information held in confidence (a) OR Low risk personally identifiable data (b) | 3 |
| Sensitive personal data (c) | 5 |

Select an Impact Rating for Data: 3

| Connection Type Used | Likelihood Rating |
|---|---|
| Remote Working/PSN/N3 | 1 |
| Site to Site VPN | 2 |
| Any Other | 5 |

Select a Likelihood Rating for Connection: 1

| Device Type Used | Likelihood Rating |
|---|---|
| Islington Provided Device | 1 |
| Non-Islington Device with endpoint management | 2 |
| Non-Islington Device with no endpoint management | 5 |

Select a Likelihood Rating for Device: 2

| User Vetting | Likelihood Rating |
|---|---|
| Third Party User Identity Checked | 2 |
| Unknown | 5 |

Select a Likelihood Rating User: 5

Overall Risk Score: 27

| Risk Score | Description |
|---|---|
| 0 to 20 | Risk is accepted and connection should be allowed without any special controls. Regular reviews in accordance with Islington IT Security Policies apply. |
| 21 to 33 | Risk accepted with the following control measures: monthly review of administrative access by sponsor; Digital Services to check accounts with sponsor on a monthly basis; account disabled 1 week after review schedule where on-going justification of access has not been given. |
| 34+ | Risk unacceptable. Connection will be denied. |

RISK ASSESSMENT: Authorised by
Council Sponsor
(named person, please print clearly)
Job title
Telephone
Signature
___________________________________________________
Where does this form go?
Raise a work request on ICT Help Me. Choose ‘Network account creation (New starter)’ and then select ‘Third Party’. Please attach this form to the work request.