IT-09 Third Party & Contractor Access Policy


Upload: krlekonj

Post on 20-Apr-2017


DOCUMENT NO: REVISION NO: EFFECTIVE DATE: PAGE NO: PREPARED BY: APPROVED BY:

IT-09 0 8-June-07 1 of 4 Hong Chan Chuen

THIRD PARTY & CONTRACTOR ACCESS POLICY

1.0 PURPOSE:

1.1 To establish and maintain a policy defining the requirements for allowing all third party and contractor access to CMM information systems.

1.2 To establish and maintain a policy defining the requirements for allowing temporary vendor access to Company information systems.

1.3 To establish and maintain a policy defining the requirements to allow CMM customers access to their own e-mail and networks while working on-site at the CMM office.

2.0 SCOPE:

2.1 This document applies to all Company information systems and networks.

3.0 REFERENCES:

3.1 IT-01 (Company Electronic Data Policy)

3.2 IT-02 (IT Password Standards)

3.3 IT-03 (System Administrator Policy)

3.4 IT-04 (Virus Protection Policy)

4.0 DEFINITIONS:

4.1 IT – Information Technology

5.0 EXHIBITS:

5.1 None

6.0 RESPONSIBILITIES:

6.1 Corporate IT Group

- Ensuring that IT develops and implements appropriate policies, practices and procedures on a company-wide basis.

- Ensuring that regional IT management implements and ensures compliance to this policy and all related practices and procedures.

- Ensuring that the policy, practices and procedures are maintained.

6.2 IT Management

- Ensuring that the information security policies, practices and procedures are implemented and adhered to within their regions. This includes securing information systems and networks, and monitoring system usage for possible abuse.

- Ensuring that local procedures in support of the corporate policy are maintained.

6.3 Department Managers

- Ensuring Confidentiality or Non-Disclosure Agreements are signed by all third parties who require access to Company information systems.

- Ensuring that all third parties engaged are provided with Company security policies and procedures, and understand their responsibility to follow them.

6.4 IT Security Administrators (Infrastructure & Application)

- Creating, changing, and revoking third party user access on a timely basis.

- Gaining approval for all security requests.

- Maintaining a log of all security requests.

- Conducting a yearly scheduled review of all system/application process.

6.5 IT Network Administrator

- Configuring approved remote/vendor access to Company internal networks.

- Providing monitoring and logging during temporary network connections by approved vendors.

6.6 Business / Data Owners

- Approving security requests for access to application data.

7.0 PROCEDURE:

7.1 Access to Company information systems will be assigned with only the rights required to do individual job functions.

7.2 Third party accounts (Consultants/Vendors/etc.) must only be assigned for a defined period of time (start date/end date) and accounts must be automatically reviewed following the end of this period, and either be revoked or renegotiated for another defined period.

7.3 Generic accounts or so-called ‘group logons’ are not permitted, as these could potentially allow several users to access IT resources without any clear individual accountability. Access must only be provided on an individual basis, with each user account being unique to a named person with only sufficient access to do what they need to do in the normal course of their duties.

7.4 Confidentiality or Non-Disclosure Agreements must be signed by all third parties who require access to Company information systems. It is the responsibility of the person who engaged the third party to ensure this happens.

7.5 Before granting third party access to Company information systems, the designated organizational sponsor must provide the third party with the Company’s security policies and procedures and ensure the third party is aware that they are responsible for following them.

7.6 Any third party connecting to the CMM network must ensure that their computer has adequate virus protection. All third party systems must be virus scanned prior to connecting to the CMM network. The designated organizational sponsor should liaise with the local IT department to ensure compliance.

8.0 PRACTICE:

8.1 Acceptable Usage and Privacy

8.1.1 Prior to setting up any Third Party access to Company information systems, all above conditions must be met.

8.2 Remote Access

8.2.1 Access to Company internal networks from remote locations must be approved in advance by the CIO. Remote access may be revoked at any time for security reasons; if a security threat is detected, connectivity will be terminated immediately and without notice. Installation of any remote access equipment or software on any Company IT device is not permitted without the appropriate authorization and change control process.

8.2.2 All IT system network connections initiated from a location outside the Company internal network or crossing a non-Company network, and connecting to the Company internal network, must employ approved authentication technology.

8.3 Vendor Remote Diagnostics and Maintenance Access

8.3.1 Temporary remote access privileges for vendors may be established by an IT infrastructure network administrator with prior approval from the CIO. All temporary connections will be allowed only for a pre-determined time period required to accomplish the approved task. All vendor activities must be monitored and logged during the time that the connection exists.

8.4 Transmission of Sensitive Data

8.4.1 Links between the Company and authorized third parties that transmit sensitive data must encrypt all data using Company approved protocols.

8.5 CMM Customer access to the Internet from CMM offices

8.5.1 CMM customers working on-site at CMM locations will be allowed access to the Internet to connect to their email and network systems. This access must be approved by IT Management.

9.0 REVISION HISTORY:

Rev # | Sec./Page No | Name | Change Date | Changes

0 | - | Hong Chan Chuen | 9-July-09 | New

PRINTED COPY IS FOR REFERENCE ONLY AFTER 2-MAY-23