There is a range of tools and support available to help you assess the information security arrangements of third parties and ensure that they meet the requirements of the University and your division, department or faculty.
To start with, you need to record the details of any third parties who access, store or process University information, and what that information is.
Each information type (information asset) has a set of handling rules associated with it (see Information Asset Management). These rules, alongside the University's Information Security Policy and any specific requirements your division, department or faculty has (see Management of Information Security), form the basis of the third-party information security arrangements you will need to put in place.
Third Party Security Assessment (TPSA)
Due diligence, as it relates to information security, is the process through which you assess the information security control arrangements of any prospective third-party partners or suppliers. These arrangements must provide assurance that University information will be appropriately secured and comply with the handling rules for the information. The Information Security Team has developed a self-assessment tool for third parties, called the Third Party Security Assessment (TPSA), along with a user manual.
Much of the process is self-service but the Information Security GRC Team can help you interpret the results. The process can take many weeks to complete, depending on the complexity of the service and co-operation of the supplier, so please make sure you plan your assessment in good time and prior to selecting your supplier.
When the University buys IT services from a commercial supplier, there is typically an agreement placing certain obligations on the supplier to ensure security of the services. If the University obtains software under such an agreement there will usually be some level of assurance regarding the maintenance and security of the software. Where software is available free of charge, there may be no such obligation to maintain the code.
If you are considering using software that does not come under such a contractual agreement, you should assess the risk associated with its use. Please consult our detailed guidance on when and how to carry out a software risk assessment.
It is important that any contractual arrangements you make with third parties clearly stipulate the information security measures they are required to have in place. A set of standard information security contractual clauses has been developed and is incorporated into any relevant purchasing process led by the University Purchasing Department. For other non-central procurement, please contact Purchasing for the appropriate clauses and further guidance, as well as Information Compliance when personal data is involved.
Contractual arrangements with existing third parties should be reviewed to ensure they are fit for purpose. If following review these are found to be inadequate, renegotiate them as soon as possible.
Owing to the increasing use of cloud-based services, the University has developed a toolkit to assess the suitability of cloud or hosted IT services. This toolkit relates to legal, commercial and technical assessments of third-party providers.
The element of the toolkit that relate specifically to information security is:
Monitoring of third-party compliance is important because it provides assurance that University information is being appropriately secured. This should be carried out periodically through:
- Third-party self-assessment against the requirements and contractual arrangements
- A remote audit of the third party's control environment, or
- An on-site audit of the third party's control environment
The most suitable mechanism for gaining this assurance depends on the information type and information security requirements. The Information Security Team can advise on this and facilitate assessment and audit activities.