Guidelines for allowing outside users access

Recently, I have seen more and more requests to allow non-company people access to our internal systems. Typically, these are contractors, working internally or externally, or support analysts with software vendors.

As business relationships and contracts with support providers become more complex, we are finding it harder and harder to 'just say no.'

Typically, our position has been 'must use a company asset (PC), must sign all the agreements, etc.'

I would like to know if there is any advice you can give for policies, or any other best practices information that can help guide us in this area.

Does the individual assigned to your company have to sign a non-disclosure agreement in addition to their sponsoring company? When asked to sign a non-disclosure agreement, does someone from security go over the document with them to assure all questions have been satisfactorily answered?

You must determine your approval process in order to assure proper access. Who can authorize a temporary, consultant or third-party vendor? Is it the sponsoring manager? What safeguards are in place to assure they receive only the information necessary in order to perform the job they were hired to do? Is there a different naming standard for non-employees? Are data owners and guardians involved in the approval process if the information is under their control?

Do you have an information security policy that defines how information is classed? Do non-employees who are granted access (such as electronic mail) automatically receive "Internal Use Only" information? Are third parties advised this information is not to be released outside of the company?

Where are the third parties physically located? Will development be at a remote site or on site? What controls are in place to assure information and development are secured?

Is your company the legal owner of applications or documentation that consultants or temporaries develop or modify? This should be clearly agreed upon in writing before any development is undertaken.

What kind of screening mechanisms does your company use to assure the third party is who they say they are? Vendors, consultants and contractors should have the same hire-on criteria used for employee selection (including background verifications) and should be held fully accountable and responsible for their actions on your systems.

This was last published in November 2001