Third-Party Access (PS-08-011)
Topics:
PS-08-011 Third-Party Access
Issue Date: 3/20/2008
Review Date: 08/30/2024
PURPOSE
In almost every aspect of state government, there is a need to outsource services to individuals or companies that are external to state government. The use of these outsourced services also known as third-parties, contractors or consultants introduces certain risks to the enterprise because they have not been vetted through the state human resources and recruiting process. As such, their trustworthiness has not been established. However, for these individuals to be able to provide the services requested of them, there must be a level of trust granted to them that allows access to state facilities and state information assets. This policy addresses the need to identify and address those risks.
SCOPE and AUTHORITY
O.C.G.A 50-25-4(a)(10) – State Government, Georgia Technology, General Powers
O.C.G.A 50-25-4(a)(21) - State Government, Georgia Technology, General Powers
PM-04-001 – Information Technology Policies, Standards and Guidelines
PS-08-005 – Enterprise Information Security Policy
TERMS and DEFINITIONS
Third-Party - contractor, service provider, consultant or any other individual or organization external to state government providing services on behalf of, for, or as an agent of state government or otherwise requiring access to non-public state facilities and/or information resources.
POLICY
Any unescorted, physical and/or logical access to non-public state facilities and/or information assets granted to third parties shall be associated with a signed contract.
When utilizing the services of a third party, the sponsoring agency shall be responsible for assessing and managing the risks associated with the accesses granted to the third party.
The sponsoring agency shall ensure that the third party is aware of and complies with all applicable state, federal, local and agency polices and standards.
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
Authorization and Access Management (SS-08-010)
Third-Party Security Requirements (SS-08-013)
Outsourced IT Services and Third-Party Interconnections (SS-08-044)
Personnel Security (PS-08-014)