Supersedes Version:
Issuing Department: Administrative Computing
Responsible Officer: Chief Information Officer
School
of Visual Arts is hereinafter referred to as “the company.”
1.0
Overview
Direct connections to
external entities are sometimes required for business operations. These connections are typically to provide
access to vendors or customers for service delivery. Since the company’s security policies and
controls do not extend to the users of the third parties’ networks, these
connections can present a significant risk to the network and thus require
careful consideration.
2.0 Purpose
The policy is intended
to provide guidelines for deploying and securing direct connections to third
parties.
3.0 Scope
The scope of this
policy covers all direct connections to the company’s network from non-company
owned networks. This policy excludes
remote access and Virtual Private Network (VPN) access, which are covered in
separate policies.
4.0 Policy
4.1
Use of Third Party Connections
Third party
connections are to be discouraged and used only if no other reasonable option
is available. When it is necessary to
grant access to a third party, the access must be restricted and carefully
controlled. A requester of a third party
connection must demonstrate a compelling business need for the connection. This request must be approved and implemented
by the IT Manager.
4.2 Security of Third Party Access
Third party
connections require additional scrutiny.
The following statements will govern these connections:
• Connections to third parties
must use a firewall or Access Control List (ACL) to separate the company’s
network from the third party’s network.
• Third parties will be provided
only the minimum access necessary to perform the function requiring
access. If possible this should include
time-of-day restrictions to limit access to only the hours when such access is
required.
• Wherever possible, systems
requiring third party access should be placed in a public network segment or
demilitarized zone (DMZ) in order to protect internal network resources.
• If a third party connection is
deemed to be a serious security risk, the IT Manager will have the authority to
prohibit the connection. If the
connection is absolutely required for business functions, additional security
measures should be taken at the discretion of the IT Manager.
4.3 Restricting Third Party Access
Best practices for a
third party connection require that the link be held to higher security
standards than an intra-company connection.
As such, the third party must agree to:
• Restrict access to the
company’s network to only those users that have a legitimate business need for
access.
• Provide the company with the
names and any other requested information about individuals that will have
access to the connection. The company
reserves the right to approve or deny this access based on its risk assessment
of the connection.
• Supply the company with
on-hours and off-hours contact information for the person or persons
responsible for the connection.
• (If confidential data is
involved) Provide the company with the names and any other requested
information about individuals that will have access to the company’s
confidential data. The steward or owner
of the confidential data will have the right to approve or deny this access for
any reason.
4.4 Auditing of Connections
In order to ensure
that third-party connections are in compliance with this policy, they must be
audited annually.
4.5 Applicability of Other Policies
This document is part
of the company’s cohesive set of security policies. Other policies may apply to the topics
covered in this document and as such the applicable policies should be reviewed
as needed.
5.0
Enforcement
This policy will be
enforced by the IT Manager and/or Executive Team. Violations may result in
disciplinary action, which may include suspension, restriction of access, or
more severe penalties up to and including termination of employment. Where
illegal activities or theft of company property (physical or intellectual) are
suspected, the company may report such activities to the applicable
authorities.
6.0 Definitions
Access Control List
(ACL) A list that defines the permissions for use
of, and restricts access to, network resources.
This is typically done by port and IP address.
Demilitarized Zone (DMZ) A
perimeter network, typically inside the firewall but external to the private or
protected network, where publicly-accessible machines are located. A DMZ allows higher-risk machines to be
segmented from the internal network while still providing security controls.
Firewall A security system that
secures the network by enforcing boundaries between secure and insecure
areas. Firewalls are often implemented
at the network perimeter as well as in high-security or high-risk areas.
Third Party Connection A direct
connection to a party external to the company.
Examples of third party connections include connections to customers,
vendors, partners, or suppliers.
7.0
Revision History
Revision 2.0, 1/1/2015