This document describes the policy under which third-party organizations connect to YOUR COMPANY networks for the purpose of transacting business related to YOUR COMPANY.
Connections between third parties that require access to non-public YOUR COMPANY resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for YOUR COMPANY, or to the Public Switched Telephone Network, does NOT fall under this policy.
Prerequisites, Security Review
All new extranet connectivity must undergo a security review with the YOUR COMPANY Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and YOUR COMPANY require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with the team responsible for extranet agreements. Documents pertaining to connections into YOUR COMPANY labs are to be kept on file with the team responsible for lab security.
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the team responsible for lab security. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, the sponsoring organization must promptly inform the relevant extranet organization.
4. Establishing Connectivity
Sponsoring organizations within YOUR COMPANY that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the team responsible for lab security.
All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will YOUR COMPANY rely upon the third party to protect YOUR COMPANY’s network or resources.
5. Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification, and are subject to security review. Changes must be implemented via the YOUR COMPANY change management process. The sponsoring organization is responsible for notifying the extranet management group and/or YOUR COMPANY when there is a material change in its original access request, so that security and connectivity evolve accordingly.
6. Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may range from modifying existing permissions to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are no longer used to conduct YOUR COMPANY business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct YOUR COMPANY business, YOUR COMPANY and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Circuit - For the purposes of this policy, circuit refers to the method of network access, and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization - The YOUR COMPANY organization that requested third-party access to YOUR COMPANY networks.
Third Party - A business that is not a formal or subsidiary part of YOUR COMPANY.