Policy Reference
Category | IT Asset and Risk Management
Approval Date | 01-29-2010
Scope | All Personnel
Purpose
The purpose of this policy is to guard the safety and confidentiality of City data from third party service providers, contractors, vendors and other external entities (non-City personnel).
Policy
- ITS and department personnel will maintain an application specific list of authorized third party providers. The list will include identification of the role of the provider, contact information and the level of access necessary.
- The City will require all third parties with access to confidential information to adhere to all pertinent laws, regulations, guidelines, and applicable policies.
- The City must ensure that third parties acknowledge that they are being held responsible for the security and availability of City data in their possession.
- The City must ensure the full cooperation on the part of third parties in the event of a security audit, or a review after a security intrusion or service continuity interruption.
- ITS and department personnel must ensure that remote access accounts and user IDs utilized by third parties are only activated when authorized.
- All access must be pre-approved by the appropriate application owner, department or supervisor.
- All access must be monitored by an approved ITS or Department employee.
- All access must be provided using a standard ITS approved and secured method.
- All accounts and user IDs must be disabled/deactivated after completion of the required task(s) by the third party.
- ITS will perform an annual verification of the security and pertinent regulatory compliance status of third party providers which host or manage confidential information on behalf of the City.
Compliance
- Maintain a list of service providers § 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
- Third party access should be reviewed regularly to ensure the risks are still acceptable. The review should consider the sensitivity and criticality of the information, third party relationship, legal and regulatory requirements, third party security practices, type of connection, third party system vulnerabilities, lack of control over third party employees, type of data the third party is processing, and the effectiveness of the third party infrastructure. CB6.1.1, The Standard of Good Practice for Information Security
- The organization should identify all supplier services and categorize them according to supplier type, significance and criticality. Maintain formal documentation of technical and organizational relationships covering the roles and responsibilities, goals, expected deliverables and credentials of representatives of these suppliers. DS2.1, CobiT 4.1
- Hosting providers must ensure the organization's environment and cardholder data that it is sharing is protected. § 2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2
- Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. § 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2