best practice documentation for letting 3rd party vendors into environment

I have some 3rd party vendors coming into work on various systems for varying lengths of time. I need to produce documentation on what procedures to follow and what restrictions to place on them in AD,group policies, remote access rights etc... any help on finding some existing documentation would be great

thanks
davidm27Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
slemmesmiConnect With a Mentor Commented:
Dear davidm27,

I am not aware of any such documents available on the Internet, but let me see if I can assist you.

It all depends on what the need of the 3rd party vendors is and you should  as "guideline" only grant privileges on a "least need to have/know basis".

First of all I recommend you contact your organizations own legal department (if you have a such) and ask for their assistance, e.g. in terms of a NDA (Non Disclosure Agreement) for the visitors of the 3rd party vendors to "sign".

Also as a minimum, you should ensure that the 3rd party vendors adhere to your organizations written IT policy.

For any changes to be done by the 3rd party vendors, they should follow your existing(?) Change Management process, and you should ensure they document any changes done. You should ask yourself what their deliverables are, and how you determine if a delivery has been completed.

You should also consider setting up a ruleset for how/when they access your premises and systems and you should ask yourself if they should have unlimited access, or time-constrained.

Concerning AD, GPO's and remote access rights, I'd recommend you first on a "logical basis" identify the needs of the 3rd party vendors, and then based upon this and the "least need to have/know basis", implement accordingly.

Let me strongly advice you not to allow the use of "generic user accounts" (credentials being shared amongst multiple persons) but "personal" such, also for personnel of 3rd party vendors. Only that way you will have some control of who does what. You can then of course make those users member of groups and assign privileges to the groups.

Last but not least, already up front prepare an exit strategy - i.e. how to terminate the cooperation with each 3rd party vendor, both at the end of a project, but also premature (how to exit a relationship before end of a project, e.g. following a breach of confididentiality etc).

While not being able to give you "documents" I still hope you can use my points.

Kind regards,
Soren
0
 
davidm27Author Commented:
Thank you very much, think i should be able to create my own doc out of all that lots of things i hadnt even thought about :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.