Solved

best practice documentation for letting 3rd party vendors into environment

Posted on 2012-03-20
2
516 Views
Last Modified: 2012-03-21
I have some 3rd party vendors coming into work on various systems for varying lengths of time. I need to produce documentation on what procedures to follow and what restrictions to place on them in AD,group policies, remote access rights etc... any help on finding some existing documentation would be great

thanks
0
Comment
Question by:davidm27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 500 total points
ID: 37746598
Dear davidm27,

I am not aware of any such documents available on the Internet, but let me see if I can assist you.

It all depends on what the need of the 3rd party vendors is and you should  as "guideline" only grant privileges on a "least need to have/know basis".

First of all I recommend you contact your organizations own legal department (if you have a such) and ask for their assistance, e.g. in terms of a NDA (Non Disclosure Agreement) for the visitors of the 3rd party vendors to "sign".

Also as a minimum, you should ensure that the 3rd party vendors adhere to your organizations written IT policy.

For any changes to be done by the 3rd party vendors, they should follow your existing(?) Change Management process, and you should ensure they document any changes done. You should ask yourself what their deliverables are, and how you determine if a delivery has been completed.

You should also consider setting up a ruleset for how/when they access your premises and systems and you should ask yourself if they should have unlimited access, or time-constrained.

Concerning AD, GPO's and remote access rights, I'd recommend you first on a "logical basis" identify the needs of the 3rd party vendors, and then based upon this and the "least need to have/know basis", implement accordingly.

Let me strongly advice you not to allow the use of "generic user accounts" (credentials being shared amongst multiple persons) but "personal" such, also for personnel of 3rd party vendors. Only that way you will have some control of who does what. You can then of course make those users member of groups and assign privileges to the groups.

Last but not least, already up front prepare an exit strategy - i.e. how to terminate the cooperation with each 3rd party vendor, both at the end of a project, but also premature (how to exit a relationship before end of a project, e.g. following a breach of confididentiality etc).

While not being able to give you "documents" I still hope you can use my points.

Kind regards,
Soren
0
 

Author Closing Comment

by:davidm27
ID: 37747786
Thank you very much, think i should be able to create my own doc out of all that lots of things i hadnt even thought about :)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Your data is at risk. Probably more today that at any other time in history. There are simply more people with more access to the Web with bad intentions.
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question