Guidelines for allowing outside users access
Recently, I have seen more and more requests to allow non-company people access to our internal systems. Typically, these are contractors, working internally or externally, or support analysts with software vendors.
As business relationships and contracts with support providers become more complex, we are finding it harder and harder to 'just say no.'
Typically, our position has been 'must use a company asset (PC), must sign all the agreements, etc.'
I would like to know if there is any advice you can give for policies, or any other best practices information that can help guide us in this area.
Does the individual assigned to your company have to sign a non-disclosure in addition to their sponsoring company? When asked to sign a non-disclosure agreement does someone from security go over the document with them to assure all questions have been satisfactorily answered?
You must determine your approval process in order to assure proper access. Who can authorize a temporary, consultant or third-party vendor? Is it the sponsoring manager? What safeguards are in place to assure they receive only the information necessary in order to perform the job they were hired to do? Is there a different naming standard for non-employees? Are data owners and guardians involved in the approval process if the information is under their control?
Do you have an information security policy that defines how information is classified? Do non-employees who are granted access (such as electronic mail) automatically receive "Internal Use Only" information? Are third parties advised that this information is not to be released outside of the company?
Where are the third parties physically located? Will development be at a remote site or on site? What controls are in place to assure information and development is secured?
When consultants or temporaries develop or modify applications or documentation, is your company the legal owner of the result? This should be clearly agreed upon in writing before any development is undertaken.
What kind of screening mechanisms does your company use to assure the third party is who they say they are? Vendors, consultants and contractors should be subject to the same hire-on criteria used for employee selection (including background verification) and should be held fully accountable and responsible for their actions on your systems.
This was first published in November 2001