PS-08-011 Third-Party Access

Issue Date: 3/20/2008

Effective Date: 3/20/2008

Review Date: 12/01/2023

PURPOSE

In almost every aspect of state government, there is a need to outsource services to individuals or companies that are external to state government. The use of these outsourced services, also known as third parties, contractors or consultants, introduces certain risks to the enterprise because they have not been vetted through the state human resources and recruiting process. As such, their trustworthiness has not been established. However, for these individuals to be able to provide the services requested of them, there must be a level of trust granted to them that allows access to state facilities and state information assets. This policy addresses the need to identify and address those risks.

SCOPE and AUTHORITY

O.C.G.A 50-25-4(a)(10) – State Government, Georgia Technology, General Powers

O.C.G.A 50-25-4(a)(21) – State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Charter

TERMS and DEFINITIONS

Third-Party - contractor, service provider, consultant or any other individual or organization external to state government providing services on behalf of, for, or as an agent of state government or otherwise requiring access to non-public state facilities and/or information resources.

POLICY

Any unescorted, physical and/or logical access to non-public state facilities and/or information assets granted to third parties shall be associated with a signed contract.

When utilizing the services of a third party, the sponsoring agency shall be responsible for assessing and managing the risks associated with the accesses granted to the third party. 

The sponsoring agency shall ensure that the third party is aware of and complies with all applicable state, federal, local and agency policies and standards.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Access Control (PS-08-009)

Authorization and Access Management (SS-08-010)

Third-Party Security Requirements (SS-08-013)

Outsourced IT Services and Third-Party Interconnections (SS-08-044)

Personnel Security (PS-08-014)