?
Solved

best practice documentation for letting 3rd party vendors into environment

Posted on 2012-03-20
2
Medium Priority
?
517 Views
Last Modified: 2012-03-21
I have some 3rd party vendors coming into work on various systems for varying lengths of time. I need to produce documentation on what procedures to follow and what restrictions to place on them in AD,group policies, remote access rights etc... any help on finding some existing documentation would be great

thanks
0
Comment
Question by:davidm27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 1500 total points
ID: 37746598
Dear davidm27,

I am not aware of any such documents available on the Internet, but let me see if I can assist you.

It all depends on what the need of the 3rd party vendors is and you should  as "guideline" only grant privileges on a "least need to have/know basis".

First of all I recommend you contact your organizations own legal department (if you have a such) and ask for their assistance, e.g. in terms of a NDA (Non Disclosure Agreement) for the visitors of the 3rd party vendors to "sign".

Also as a minimum, you should ensure that the 3rd party vendors adhere to your organizations written IT policy.

For any changes to be done by the 3rd party vendors, they should follow your existing(?) Change Management process, and you should ensure they document any changes done. You should ask yourself what their deliverables are, and how you determine if a delivery has been completed.

You should also consider setting up a ruleset for how/when they access your premises and systems and you should ask yourself if they should have unlimited access, or time-constrained.

Concerning AD, GPO's and remote access rights, I'd recommend you first on a "logical basis" identify the needs of the 3rd party vendors, and then based upon this and the "least need to have/know basis", implement accordingly.

Let me strongly advice you not to allow the use of "generic user accounts" (credentials being shared amongst multiple persons) but "personal" such, also for personnel of 3rd party vendors. Only that way you will have some control of who does what. You can then of course make those users member of groups and assign privileges to the groups.

Last but not least, already up front prepare an exit strategy - i.e. how to terminate the cooperation with each 3rd party vendor, both at the end of a project, but also premature (how to exit a relationship before end of a project, e.g. following a breach of confididentiality etc).

While not being able to give you "documents" I still hope you can use my points.

Kind regards,
Soren
0
 

Author Closing Comment

by:davidm27
ID: 37747786
Thank you very much, think i should be able to create my own doc out of all that lots of things i hadnt even thought about :)
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Popular third-party chat platforms like Slack, Discord, and Telegram are just a few of the many new productivity applications that are being hijacked by cybercriminals to create command-and-control (C&C) communications infrastructures for their malw…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question