Third party access and management policy

Purpose

This policy aims to ensure that access to council facilities, systems and information assets by third parties is appropriately controlled so that confidentiality, integrity, availability and accountability of information remain intact.

Any loss, compromise or misuse of council information systems or information assets, however caused, could have potentially devastating consequences for the council, could impact on the services the council is responsible for providing, and could result in legal action or financial loss.

Access to council systems, facilities and information by third parties poses a potential threat to the council and as such needs to be controlled.

Introduction

A third party is an organisation or individual (non-permanent employee) external to the council. This will include:

The policy covers the following aspects of third-party relationships:

It is applicable to all council activity, locations and employees and includes all council information assets and infrastructure.

Compliance with this policy is required for all council employees responsible for negotiation, initiation, authorisation, implementation and maintenance of third-party relationships and services pertaining to the council.

Factors relating to:

Security policy requirements

The following documents should be read in conjunction with this policy:

Accounts and remote access

All account and access management will adhere to the Access Control Policy

Access to LBE systems, and systems used to manage LBE systems, will only be granted based on defined operational roles.

All role-based access will provide the minimum access and privileges required to perform the responsibilities required of the designated role.

Access will only be granted on confirmation (or approval) by direct line-management and by the role-owner (if applicable) that the user has been assigned to the identified role.

Changes to role-based access (affecting all persons within that role) must be made via a formal change control, and be approved by the role-owner, and all affected account managers.

Allocation, modification, deactivation/reactivation or removal of role-based access will only be processed as part of the following processes:

In the case of support accounts all access will be granted for the minimum period required to execute duties as outlined as part of an incident response or pre-planned piece of work. Details of such duties must be submitted prior to approval of access if the work is pre-planned or included in the incident record if in response to an incident call.

User access to LBE systems, and systems used to manage LBE systems, will only be allocated at the user-level (access will not be granted based on IP address or other non-user-based identification).

All access will be revoked once the access is no longer required – this will be carried out by the disabling of accounts within Active Directory.

All user accounts will conform to LBE account and password standards.

Support accounts will be granted to personnel for individual use only – no generic shared accounts will be authorised, unless the third party is able to produce a full audit record of users who are accessing LBE systems remotely and only after approval by the DS Security team or DS Service Desk.

Allocation of accounts (and associated tokens) will be recorded, and a scheduled review of account will be performed to ensure that all accounts are still required.

Initial passwords will conform to relevant password standards and be changed by the user at first use.

User accounts will be disabled/deactivated for a set period prior to deletion to enable consistency with current audit and protective monitoring activity.

User accounts will be disabled after a pre-defined and agreed period of inactivity.

Records will be made of all account, and account access modifications, deactivations, and deletions.

All 3rd-party, contractor and temporary accounts will be flagged (or named) to allow easy identification (as per section 4 of this document).

All account management activities will be performed by a designated team(s) within service delivery.

All third parties must have accepted and agreed to the Acceptable Use Policy as well as reading and accepting any role-specific security responsibilities, before the account can be used.

All third parties must confirm that they understand their responsibilities for maintenance of the account and password/token, and that they understand the relevant processes and procedures around the management and maintenance of the account, before the account can be used.

Passwords and account resets must only be performed upon verification of the users’ identity.

All remote access will be via 2-Factor authentication made via Microsoft MFA, RSA or Secure Envoy Token.

User account creation and naming conventions

3rd-party accounts are to take the following naming convention forms:

Where XXX is a 3-letter organisation code representing the 3rd-party (for example, CAN for Canon), and <name> is the username as per the Active Directory Design Document. Where multiple organisations have the same initial 3 letters then the 3rd-letter will be replaced by a single incremental digit (for example, CA2) or, at the discretion of the DS Security team, an alternate code (that should be documented as referring to the third party in question during the account creation process and noted in the comments field of the user).

In circumstances where generic accounts are permitted the account name must include a pre-fix identifier of ‘GEN’ or ‘EX’ that shows the account is generic, for example:

The following information fields in Active Directory must be entered for all accounts:

For 3rd-party accounts, the line manager information must be the primary 3rd-party contact point (and not necessarily the line manager of the person).

The information/detail will include the following:

Physical access

Should any third party require physical access to any area deemed business critical (that could include any of the following: communications rooms, server rooms or document storage facilities) they must be accompanied by a member of LBE staff or personnel responsible for maintaining that business area (for example, a member of the Enfield IT network team when a third party requires access to a communications room).

In circumstances where this is not possible approval for access should be sought from the DS Security team or DS Service Desk.

Should access be required in an emergency, approval for access can be made by Facilities Management, Architectural Services or the Building Controller.

At all times an audit log of entry should be kept (this can be in the form of electronic entry monitoring or physical logbook held at the location).

Access to rooms where locked communications and server cabinets are located can be made without the need to consult Enfield IT as long as entry audit logs are maintained.

Identification of risk related to external parties

Where there is a requirement for a third party to access council facilities, information or information systems, a security risk assessment shall be conducted by the DS Security Team to identify any additional security requirements or additional controls required. The risk assessment shall be performed before the granting of additional services/connectivity and should take into account the following issues:

Addressing security when dealing with customers

The following terms should be considered to address security before giving customers access to any of the council’s information and information assets:

Third party service delivery management

The council will nominate an individual to liaise with appropriate third parties to ensure that services are being operated in accordance with service level agreements and that any security incidents affecting the council are reported in a timely manner. The nominated representative should consider the following:

Changes to council systems

Changes to council information systems by third parties must adopt the council’s DS Strategy, policies and processes.

Security policy requirements

All third parties must follow the following information security requirements. These set out the security measures that must be implemented and maintained by the council in relation to all aspects of information security and all associated supporting processes. They determine the minimum level of security the council requires to be achieved by the third party.

All third parties must ensure that they do not breach any of the information security management system statements at any time during their contract with the council.

Staff screening

Confirmation of identity and qualifications of permanent, temporary or contact staff, when requiring access to council buildings, systems and information, is the responsibility of all third parties. In addition, the third party is responsible for ensuring that all permanent, temporary or contract staff sign a confidentiality/non-disclosure agreement that protects the confidentiality of council information, and information provided to the council by other third parties.

The council reserves the right to request that third parties provide the appropriate evidence to show that the activities have been undertaken and also to undertake occasional audits of agencies to verify that adequate checks are taking place.

End point anti-virus and malware management

All workstations, desktop computers and servers with access to the council’s network must be installed with appropriate and virus software, active and kept up to date. This includes all third party’s own equipment.

The responsibility for the provision of antivirus measures for council owned assets should be clearly established.

Laptop users and third-party staff who use PCs for work off site must be supplied with virus detection software and regular updates.

Any employee or third party who attempts to disable, defeat or circumvent applicable security controls will be subject to immediate dismissal or contract termination.

All virus outbreaks infecting the council environment must be reported immediately to the DS Service Desk.

Any PC or laptop that might be infected by a virus must be disconnected immediately from all council networks. Infected machines may not be reconnected to the network until security administrators can verify that the virus has been removed.

Security incident management

All third parties are required to report any potential or actual breach of security affecting council information or information systems. A breach of security is unauthorised access to premises, information and information systems connected with the council.

Examples of possible security incidents may include, but not limited to:

Any third party who becomes aware of a security breach or attempted breach of council information or information systems must report it immediately to the relevant system administrator and copy to the Information Security Officer and/or designated security personnel.

The council will investigate all security breaches.

The Information Security Manager will collate information about security incidents and ensure trends are analysed, so that further controls can be implemented if required.

Information confidentiality

All third parties are required to handle council information in accordance with the Information Handling and Protection Policy. In particular, employees shall not discuss or disclose council information with any non-council employee or third party without explicit authorisation from the council.

All third parties will sign confidentiality/non-disclosure agreements integrated within their contract of employment with the council and/or third-party organisation.

All information developed by or on behalf of the council will remain the property of the council and shall in no way be sold, copied or used without the express permission of the council or authorised designate.

Media handling

To protect information from loss, unauthorised disclosure and loss of integrity, all third parties are to create all council documents and records under version control and adhere to the council’s AUP, including the statements on clear screen and desk policy. Where appropriate, the document should also contain a security classification in line with the council's security classification scheme as documented in the Information Classification and Protection Policy.

All media used for data import, export and storage shall be clearly labelled - this includes but is not limited to back up tapes, CDs and USB storage devices.

All media containing council information that is transported off site must be encrypted to AES 256 bit standard as a minimum and stored in a suitable container. Media that is to be posted should be put into a suitable disk mailer envelope and then into a padded envelope.

Advice should be sought from the DS Security Team if there are any doubts as to the validity of encryption methods or media being used to transport data.

Media containing council information shall be disposed of securely either by physical destruction of the paper or media or by secure erasure of stored data using methods documented in the council’s Records Management Policy Policy.

Removal of property

No equipment (hardware or software) shall be removed from council premises by a third party without prior written authorisation from the appropriate council manager.

Clear desk and clear screen policy

A Clear Desk Policy must be adopted for all third parties encountering council information. See Clear Desk, Clear Screen Policy.

Use of council internet and email systems

All electronic mail messages composed, sent or received using council systems remain the property of the council.

Third parties with access to the council’s Internet systems and email systems must adhere to the council's internet and email Usage Policy (included in the council’s Code of Conduct).

Further guidance can be found in the Acceptable Use Policy.

Audit and monitoring

The council has deployed comprehensive security systems with the capability of monitoring and recording all Internet and email usage. The council reserves the right to monitor and intercept any email activity over its network for any of the following reasons:

In addition, council employees have the ability to inspect any information processed and stored on the council network or local disk storage by third parties.

Policy compliance

The council expects that all employees will achieve compliance to the directives presented within this policy. This policy may be included within the Information Security Internal Audit Programme, and compliance checks may take place to review the effectiveness of its implementation.

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question:

In such cases, the staff member concerned must take the following action:

In addition, the DS Security Team maintains a list of known exceptions and non-conformities to the policy. This list contains:

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Penalties

Non-compliance is defined as any one or more of the following:

Any violation or non-compliance with this policy may be treated as serious misconduct.

Penalties may include termination of employment or contractual arrangements, civil or criminal prosecution.


Policy details

Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 1.6
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Final
Date of first issue – 25.04.2014
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up