• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 522
  • Last Modified:

best practice documentation for letting 3rd party vendors into environment

I have some 3rd party vendors coming into work on various systems for varying lengths of time. I need to produce documentation on what procedures to follow and what restrictions to place on them in AD,group policies, remote access rights etc... any help on finding some existing documentation would be great

thanks
0
davidm27
Asked:
davidm27
1 Solution
 
slemmesmiCommented:
Dear davidm27,

I am not aware of any such documents available on the Internet, but let me see if I can assist you.

It all depends on what the need of the 3rd party vendors is and you should  as "guideline" only grant privileges on a "least need to have/know basis".

First of all I recommend you contact your organizations own legal department (if you have a such) and ask for their assistance, e.g. in terms of a NDA (Non Disclosure Agreement) for the visitors of the 3rd party vendors to "sign".

Also as a minimum, you should ensure that the 3rd party vendors adhere to your organizations written IT policy.

For any changes to be done by the 3rd party vendors, they should follow your existing(?) Change Management process, and you should ensure they document any changes done. You should ask yourself what their deliverables are, and how you determine if a delivery has been completed.

You should also consider setting up a ruleset for how/when they access your premises and systems and you should ask yourself if they should have unlimited access, or time-constrained.

Concerning AD, GPO's and remote access rights, I'd recommend you first on a "logical basis" identify the needs of the 3rd party vendors, and then based upon this and the "least need to have/know basis", implement accordingly.

Let me strongly advice you not to allow the use of "generic user accounts" (credentials being shared amongst multiple persons) but "personal" such, also for personnel of 3rd party vendors. Only that way you will have some control of who does what. You can then of course make those users member of groups and assign privileges to the groups.

Last but not least, already up front prepare an exit strategy - i.e. how to terminate the cooperation with each 3rd party vendor, both at the end of a project, but also premature (how to exit a relationship before end of a project, e.g. following a breach of confididentiality etc).

While not being able to give you "documents" I still hope you can use my points.

Kind regards,
Soren
0
 
davidm27Author Commented:
Thank you very much, think i should be able to create my own doc out of all that lots of things i hadnt even thought about :)
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now