Working with third parties

A safe pair of hands or the weakest link? Before you entrust sensitive information to any partner or supplier, you need to be sure they can and will keep it safe from attack.

As a Head of Division, Head of Department or Faculty Board Chair, you have a responsibility to ensure that third parties who deal with University data do not expose the University and your division, department or faculty to unnecessary information security risks.

REQUIREMENTS

In order to ensure that third-party partners and suppliers meet the standards of information security required by the University and your division, department or faculty, you must:

  1. Maintain an up-to-date record of all third parties that access, store or process University information on behalf of your division, department or faculty
  2. Ensure that, for all new agreements with third parties, due diligence is exercised around information security and that contractual arrangements are adequate
  3. Ensure that information security arrangements contained in existing agreements are reviewed and are adequate
  4. Monitor the compliance of third parties against your information security requirements and contractual arrangements

HOW TO COMPLY

There is a range of tools and support available to help you assess the information security arrangements of third parties and ensure that they meet the requirements of the University and your division, department or faculty.

To start with, you need to record the details of any third parties who access, store or process University information, and what that information is.

Each information type (information asset) has a set of handling rules associated with it (see Information Asset Management). These rules, alongside the University's Information Security Policy and any specific requirements your division, department or faculty has (see Management of Information Security), form the basis of the third-party information security arrangements you will need to put in place.

Third Party Security Assessment (TPSA)

Due diligence, as it relates to information security, is the process through which you assess the information security control arrangements of any prospective third-party partners or suppliers. These arrangements must provide assurance that University information will be appropriately secured and will comply with the handling rules for that information. The Information Security Team has developed a self-assessment tool for third parties, called the Third Party Security Assessment (TPSA), along with a user manual.

Much of the process is self-service, but the Information Security GRC Team can help you interpret the results. The process can take many weeks to complete, depending on the complexity of the service and the co-operation of the supplier, so please make sure you plan your assessment in good time and before selecting your supplier.

Contracts

It is important that any contractual arrangements you make with third parties clearly stipulate the information security measures they are required to have in place. A set of standard information security contractual clauses has been developed and is incorporated into any relevant purchasing process led by the University Purchasing Department. For other non-central procurement, please contact Purchasing for the appropriate clauses and further guidance, as well as Information Compliance when personal data is involved.

Contractual arrangements with existing third parties should be reviewed to ensure they are fit for purpose. If, following review, they are found to be inadequate, renegotiate them as soon as possible.

Cloud-based services

Owing to the increasing use of cloud-based services, the University has developed a toolkit to assess the suitability of cloud or hosted IT services. This toolkit relates to legal, commercial and technical assessments of third-party providers.

The element of the toolkit that relates specifically to information security is:

Assurance

Monitoring of third-party compliance is important because it provides assurance that University information is being appropriately secured. This should be carried out periodically through:

  • Third-party self-assessment against the requirements and contractual arrangements
  • A remote audit of the third party's control environment, or
  • An on-site audit of the third party's control environment

The most suitable mechanism for gaining this assurance depends on the information type and information security requirements. The Information Security Team can advise on this and facilitate assessment and audit activities.

POLICY

It is University Policy that:

  • All relevant information security requirements of the University and your division, department or faculty are covered in agreements with any third-party partners or suppliers
  • Third parties' compliance against these requirements is monitored