Third Party Contracts Agreement Recommendations
An FRSecure Self-Help Document of Guidelines and Best Practices
Information Security Contractual Agreement Recommendations
The following topical areas should be considered for inclusion in third party agreements to satisfy information security requirements:
- A description of the information that will be provided or accessed, and the approved methods for accessing and transmitting that information;
- The classification of the information according to the organization's classification scheme. Consider mapping the organization's classification scheme to the classification scheme of the third party;
- Any legal and/or regulatory requirements related to the information;
- The obligation of each contractual party to implement an agreed set of controls to manage the information, including access control, performance review, monitoring, reporting and auditing;
- Rules of acceptable and unacceptable use of the information;
- Information security policies and procedures;
- Risk management requirements;
- Incident management requirements and procedures (especially notification and collaboration during incident remediation);
- Training and awareness requirements for specific procedures and information security requirements;
- An explicit list of third-party personnel authorized to access or receive the organization's information. If an explicit list is not feasible, documented procedures or conditions for granting, and for removing, authorization for third-party personnel to access or receive the organization's information;
- Relevant controls around sub-contracting;
- Relevant agreement partners, including a contact person for information security issues;
- Screening requirements for third-party personnel with access to the organization's information, commensurate with the organization's own screening program;
- The right to audit the third party's processes and controls related to the management of the organization's information;
- The third party's obligation to comply with the organization's security requirements;
- Defect resolution and conflict resolution processes;
- The third party's obligation to periodically obtain an independent assessment or audit of the effectiveness of its controls, and agreement on the timely correction of relevant issues identified in that assessment or audit.
This is not an exhaustive list and each organization should consider their own Information Security policies as well as legal and regulatory requirements when setting up agreements with third parties.
Related standards and policies:
- ISO 27002: 17
- NIST CSF: ID.BE, PR.IP, RS.RP, RS.CO, RS.IM, RC.IM, RC.CO
- FRSecure Information Classification and Handling Policy
Waivers from certain policy provisions may be sought following the FRSecure Waiver Process.
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.