Contracting with External Suppliers and other Service Providers
Adequate security constraints may be in force for employees and contractors, but the same level of safeguard may be overlooked when dealing with third parties, such as hardware and software suppliers, consultants and other service providers.
Where third party agreements do not refer to your Information Security Policy, you may have difficulty in making a case against the third party if a breach of security only becomes evident after the contract has ended.
Third parties should not be permitted access to the organisation's systems and information unless there is genuine need.
All contracts with third parties should state the requirement to adhere to the Information Security Policies of the organisation.
Where a contract with an external service provider does not refer to the Information Security Policies and Standards of your organisation, your information is at greater risk, as the provider's standards and safeguards are likely to differ from your own.
Your contracts with service providers should include the Information Security requirements associated with the information which they will be handling. See Classifying Information and Data.
Establish a periodic review of these arrangements to ensure that their safeguards remain adequate and appropriate for the sensitivity and classification of the data concerned.