Back to M1.3.5 - P1 - IDENTIFICATION OF RISKS RELATED TO EXTERNAL PARTIES
Where there is a need to allow an external party access to the information systems or information of an entity, a risk assessment should be carried out to identify any requirements for specific controls. The identification of risks related to external party access should take into account the following issues:
- A. The information systems an external party is required to access
- B. The type of access the external party will have to the information and information systems, e.g.
  1. Physical access, e.g. to offices, computer rooms, filing cabinets
  2. Logical access, e.g. to an entity’s databases, information systems
  3. Network connectivity between the entity’s and the external party’s network(s), e.g. permanent connection, remote access
  4. Whether the access is taking place on-site or off-site
- C. The value and sensitivity of the information involved, and its criticality for business operations
- D. The controls necessary to protect information that is not intended to be accessible by external parties
- E. The external party personnel involved in handling the entity’s information
- F. How the entity or personnel authorized to have access can be identified, the authorization verified, and how often this needs to be reconfirmed
- G. The different means and controls employed by the external party when storing, processing, communicating, sharing and exchanging information
- H. The impact of access not being available to the external party when required, and the external party entering or receiving inaccurate or misleading information
- I. Practices and procedures to deal with information security incidents and potential damages, and the terms and conditions for the continuation of external party access in the case of an information security incident
- J. Legal and regulatory requirements and other contractual obligations relevant to the external party that should be taken into account
- K. How the interests of any other stakeholders may be affected by the arrangements
Access by external parties to the entity’s information should not be provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement. Generally, all security requirements resulting from work with external parties or internal controls should be reflected by the agreement with the external party. It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the entity’s information and information systems.