Chapter 6: Contractors and Other Third-Party Access
Assessment of Risk from Third-Party Access
Types of Access
1. Access given to people outside the parent organisation deserves special attention, including:
- physical access, for example to offices, computer rooms or filing cabinets
- logical access, for example to an organisation's databases or information systems across a network connection.
Reasons for Access
2. Physical or logical access may be granted to off-site providers for several reasons, including the need for:
- trading or joint-venture partners to exchange information, access information systems or share databases
- hardware and software support staff to access system or low-level application functionality.
3. Third-party access may put information at risk without adequate security management. Where there is a business need for third-party access, a risk assessment should be carried out first to see what controls are needed. The assessment should consider:
- types of access needed
- value of the information
- controls used by the third party
- implications of access on the organisation's information security.
Protection of Classified Material
4. The contracted parties must use appropriate security controls, approved by the contracting organisation, to protect classified material from deliberate or accidental compromise. Such arrangements should ensure:
- information or equipment used are at no greater risk than if handled by the organisation's own employees
- minimum standards outlined in Chapter 3 of this manual are maintained.
On-Site Contractors
5. Security weaknesses may arise from on-site, temporary, third-party contractors, such as:
- consultants
- cleaning, catering, security guards and other outsourced support services
- hardware and software maintenance and support staff
- student placements
- other casual, short-term appointments.
6. If contractors are engaged for any purpose, consider whether they need a security clearance for the information they use or the areas they access.
7. Unless contractors need to access classified material, the Chief Executive or head can usually decide their level of access based on:
- reference checks
- employment history checks
- criminal history checks through Department for Courts or NZ Police
- basic checks (see Chapter 5).
8. If a security clearance is needed, the contracting organisation should initiate the clearance process.
9. Pre-vetting procedures should still be followed as closely as possible.
10. The contract with the third party should include security requirements (see paragraph 0). For example, non-disclosure agreements should be considered to help maintain confidentiality.
11. Third parties must not have access to classified material or information-processing facilities until:
- appropriate checks are complete
- security clearances are granted
- contracts, defining the terms for connection or access, are signed.
Off-Site Contractors
12. With some contract work for government organisations, non-government contractors hold or produce classified information or equipment on their own premises.
13. Contracts from government organisations must specify that the contractor protects both classified and unclassified official information, following the levels outlined in Chapter 3 of this manual. The contracting organisation must decide how best to ensure that contractors know their responsibilities.
14. Where material classified CONFIDENTIAL must be released off-site, security arrangements are best managed by the contracting organisation. Security responsibilities should be clear and reinforced by formal or legal means such as contractual conditions.
15. Depending on its complexity, the contracting organisation may wish to seek security advice from the NZSIS and/or GCSB.
16. For contracts involving classified equipment, the contracting organisation should consider separating and directly controlling the classified aspects of the work.
17. Only the minimum quantity of classified equipment should leave government control, and only then with access limited to people with a "need to know".
Consultants
18. Often consultants work for government organisations under the terms of a specific contract. But sometimes consultants receive no direct pay from the contracting organisation, other than travel and subsistence payments; so security is not enforced by Standard Conditions of Contract.
19. When there is no direct contract, government organisations must draw up appropriate terms and conditions of appointment. These should detail the consultant's personal responsibilities for safeguarding classified material.
20. Consultants accessing material classified CONFIDENTIAL or above must receive written guidance on the relevant security controls and procedures.
21. Before a consultant receives classified material, the DSO of the government department or agency, State Owned Enterprise or Crown Entity must ensure that:
- the consultant is appropriately authorised
- where necessary, the consultant holds the appropriate level of clearance
- security measures are in place to ensure the material's physical protection.
Outsourcing
22. When the management or control of all or some of its information systems, networks or desktop environments is outsourced, security should be outlined in a contract agreed between the parties. For example, the contract should specify:
- how to meet legal requirements, such as data-protection legislation
- how to ensure that all parties, including subcontractors, know their security responsibilities
- how to maintain and test the integrity and confidentiality of operations
- what physical and logical controls restrict and limit access to the organisation's classified and business information
- what levels of physical security are provided for outsourced equipment
- the right of audit.
23. The contract should allow for expanded security requirements and procedures, based on a security management plan agreed by both parties.
24. Outsourcing contracts can pose some complex security questions. A good starting point for the structure and content of a security management plan is the controls outlined in AS/NZS ISO/IEC 17799:2001 Information Technology - Code of Practice for Information Security Management.
Security Requirements in Third-Party Contracts
25. Third-party access to a government organisation's information-processing facilities should be detailed in a formal contract.
26. The contract should contain or cite all requirements for complying with the organisation's security policies and standards.
27. The contract should ensure that there is no misunderstanding between the organisation and the third party. Consider putting these terms in the contract:
- the general policy on information security
- protection, including:
  - steps to protect official information, equipment and software
  - steps to determine whether information or data has been compromised (for example, lost or modified)
  - controls to ensure that information and equipment are returned or destroyed at a specified time after or during the contract
  - integrity and availability
  - restrictions on copying and disclosing information.
- a description of each service offered
- the target level of service
- unacceptable levels of service
- provision for transferring staff as appropriate
- the respective liabilities of parties to the agreement
- legal responsibilities, for example based on data-protection legislation, especially considering different national legal systems if foreign organisations are involved
- intellectual property rights (IPRs), copyright assignment and protection of any collaborative work
- control-of-access agreements to information systems, covering:
  - permitted access methods
  - the control and use of unique identifiers such as user IDs and passwords
  - an authorisation process for user access and privileges
  - an ongoing, accurate list of authorised users, specifying their rights and privileges
  - clearly defined and verifiable performance criteria, and steps for monitoring and reporting those criteria
  - the right to monitor and if necessary revoke user access
  - the right to audit or have third parties audit contractual responsibilities
  - an escalation process for problem resolution, including contingency arrangements where appropriate
  - responsibilities for installing and maintaining hardware and software
  - a clear reporting structure and agreed reporting formats
  - a clearly defined process of change management
  - physical protection controls, and mechanisms to enforce those controls
  - user and administrator training in methods, procedures and security
  - controls to protect against malicious software
  - arrangements for reporting, notifying and investigating security incidents and breaches
  - terms for third-party subcontractors.
28. People working for contractors, subcontractors and other organisations outside government have a duty of confidentiality when they are involved in handling classified or unclassified government information.
29. The duty to respect confidentiality must be clearly communicated, preferably by confidentiality agreements or contractual conditions. Contractors and subcontractors in particular should be told that their involvement in government contracts might increase the risk of their businesses being targeted for security incidents.
Security in the Government Sector