Solved

best practice documentation for letting 3rd party vendors into environment

Posted on 2012-03-20
2
515 Views
Last Modified: 2012-03-21
I have some 3rd party vendors coming into work on various systems for varying lengths of time. I need to produce documentation on what procedures to follow and what restrictions to place on them in AD,group policies, remote access rights etc... any help on finding some existing documentation would be great

thanks
0
Comment
Question by:davidm27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 500 total points
ID: 37746598
Dear davidm27,

I am not aware of any such documents available on the Internet, but let me see if I can assist you.

It all depends on what the need of the 3rd party vendors is and you should  as "guideline" only grant privileges on a "least need to have/know basis".

First of all I recommend you contact your organizations own legal department (if you have a such) and ask for their assistance, e.g. in terms of a NDA (Non Disclosure Agreement) for the visitors of the 3rd party vendors to "sign".

Also as a minimum, you should ensure that the 3rd party vendors adhere to your organizations written IT policy.

For any changes to be done by the 3rd party vendors, they should follow your existing(?) Change Management process, and you should ensure they document any changes done. You should ask yourself what their deliverables are, and how you determine if a delivery has been completed.

You should also consider setting up a ruleset for how/when they access your premises and systems and you should ask yourself if they should have unlimited access, or time-constrained.

Concerning AD, GPO's and remote access rights, I'd recommend you first on a "logical basis" identify the needs of the 3rd party vendors, and then based upon this and the "least need to have/know basis", implement accordingly.

Let me strongly advice you not to allow the use of "generic user accounts" (credentials being shared amongst multiple persons) but "personal" such, also for personnel of 3rd party vendors. Only that way you will have some control of who does what. You can then of course make those users member of groups and assign privileges to the groups.

Last but not least, already up front prepare an exit strategy - i.e. how to terminate the cooperation with each 3rd party vendor, both at the end of a project, but also premature (how to exit a relationship before end of a project, e.g. following a breach of confididentiality etc).

While not being able to give you "documents" I still hope you can use my points.

Kind regards,
Soren
0
 

Author Closing Comment

by:davidm27
ID: 37747786
Thank you very much, think i should be able to create my own doc out of all that lots of things i hadnt even thought about :)
0

Featured Post

SendBlaster Pro 4 - Bulk Email Sending Software

SendBlaster 4 Pro - Best Bulk Emailing Sending Software
Automatic Subscribe / Unsubscribe Processing
Great for Newsletters & Mass Mailings
Optional HTML & Text Composition
Integration with Google Features
Built in Spam Score Checking
Free Professional Templates - Feature Packed!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are client relationship the only driver of a successful MSP? While important, client relationships are only one component. Learn how else MSPs can broaden their horizon and differentiate themselves.
IT certifications are a concrete representation of continual learning on the part of the candidate.  Continual learning is necessary for the long term success of an IT professional, but are IT certifications the right path for you?
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question