PS-07-727 Third-Party Personnel Security

PS-07-727
Third-Party Personnel Security
Personnel Security
Protect
Personnel Security
LOW, MOD, HIGH
P1
Yes
February 15, 2018

Third-party users of Agency information resources are required to adhere to the same standards as organizational users. Agreements with third-party organizations denote that failure to follow Agency standards will result in termination of access to Agency information resources and potential termination of contract.

Security is breached by employees, contractors or third-party users who use access that remains in place after termination or change of their employment, contract or agreement.

The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance.
Service level agreements (SLAs) are used to define the role of third parties with respect to applicable information security policies and procedures.
The state organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.
Obtain the personnel security policy; procedures addressing third-party personnel security; the list of personnel security requirements; acquisition documents; the compliance monitoring process; and other relevant documents or records, and ascertain if:
(i) the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management);
(ii) the organization explicitly includes personnel security requirements in acquisition-related documents in accordance with NIST Special Publication 800-35; and
(iii) the organization monitors third-party provider compliance with personnel security requirements.