It is University Policy that:
- all relevant information security requirements of the University and your division, department or faculty are covered in agreements with any third-party partners or suppliers
- the third party's compliance against these requirements is monitored
In order to ensure that third-party partners and suppliers meet the standards of information security required by the University and your division, department or faculty, you must:
- maintain an up-to-date record of all third parties that access, store or process University information on behalf of your division, department or faculty
- ensure that, for all new agreements with third parties, due diligence is exercised around information security and that contractual arrangements are adequate
- ensure that information security arrangements contained in existing agreements are reviewed and are adequate
- monitor the compliance of third parties against your information security requirements and contractual arrangements
There is a range of tools and support available to help you assess the information security arrangements of third parties and ensure that they meet the requirements of the University and your division, department or faculty.
To start with, you need to record the details of any third parties who access, store or process University information, and what that information is. The Information Security Team has developed a Third Party inventory template you can use to record these details.
Each information type (information asset) has a set of handling rules associated with it (see Information Asset Management). These rules, alongside the University's Information Security Policy and any specific requirements your division, department or faculty has (see Management of Information Security), form the basis of the third-party information security arrangements you will need to put in place.
Third Party Security Assessment (TPSA)
Due diligence, as it relates to information security, is the process through which you assess the information security control arrangements of any prospective third-party partners or suppliers. These arrangements must provide assurance that University information will be appropriately secured and comply with the handling rules for the information. The Information Security Team has developed a self-assessment tool for third parties, called the Third Party Security Assessment (TPSA), along with a set of guidance notes on its use. The Information Security Team can facilitate use of this tool on your behalf and help you interpret the results.
It is important that any contractual arrangements you make with third parties clearly stipulate the information security measures they are required to have in place. A set of standard information security contractual clauses has been developed and is incorporated into any relevant purchasing process led by the University Purchasing Department. For other non-central procurement, please contact Purchasing for the appropriate clauses and further guidance, as well as Legal Services for advice on Data Protection when personal data is involved.
Contractual arrangements with existing third parties should be reviewed to ensure they are fit for purpose. If, following review, these are found to be inadequate, renegotiate them as soon as possible.
Owing to the increasing use of cloud-based services, the University has developed a toolkit to assess the suitability of cloud or hosted IT services. This toolkit relates to legal, commercial and technical assessments of third-party providers.
The elements of the toolkit that relate specifically to information security are:
Monitoring of third-party compliance is important because it provides assurance that University information is being appropriately secured. This should be carried out periodically through:
- third-party self-assessment against the requirements and contractual arrangements
- a remote audit of the third party's control environment, or
- an on-site audit of the third party's control environment
The most suitable mechanism for gaining this assurance depends on the information type and information security requirements. The Information Security Team can advise on this and facilitate assessment and audit activities.