Test Third Party
Third Party Access Policy City of Greensboro, NC Cyber Security Division
TABLE OF CONTENTS
DOCUMENT INFORMATION
PURPOSE
SCOPE
POLICY
ACKNOWLEDGMENT
THIRD PARTY USER AGREEMENT – AUTHORIZED SIGNATURES
DOCUMENT INFORMATION

Policy Name: Third Party Access Policy
Document Reference Number: GSO-TPAP-001
Version: 1.3
Effective from: 4/1/2016

Document Change History and Revision Control

| Version | Sections Revised | Description of Revision | Changed By | Date |
|---|---|---|---|---|
| 1.0 | All | Initial Document Creation | Tasha Swann Holsey | 8/13/2014 |
| 1.1 | All | Updated font and format | Cyber Security Team | 2/9/2018 |
| 1.2 | All | Reviewed and provided updates to entire policy | Law & Compliance Team | 7/6/2020 |
| 1.3 | | Updated Acknowledgment section page 10 and made policy fillable | Cyber Security Team | 2/26/2021 |

Approval Details

| Reviewed & Approved By | Role | Signature | Date |
|---|---|---|---|
| Jane Nickles | Chief Information Officer | | 5/17/2021 |
| Tasha Swann Holsey | Cyber Security and Compliance Manager | | 2/26/2021 |
PURPOSE

The purpose of the City of Greensboro Third Party Access Policy is to establish the rules for third-party access to City of Greensboro information systems and the data center, third-party responsibilities, and protection of City of Greensboro information.

SCOPE

The City of Greensboro Third Party Access Policy outlines responsibilities and expectations of any individual from an outside source (contracted or otherwise) who requires access to our information systems for the purpose of performing work. This policy also outlines the responsibilities and expectations of the City of Greensboro personnel responsible for the contracting and/or supervising of the third party. A third party could consist of, but is not limited to: software vendors, volunteers, suppliers, temporary staff, contractors, consultants, business partners, security companies, trainers and the like.

POLICY

Data Center Third Party Policy Guidelines

1. All third-party access to the data center should be scheduled to occur during regular business hours. If this is not possible, a point person from the IT department will be scheduled after hours to accompany the third party.
2. When third parties are scheduled to have access to the data center, the Information Technology department staff must be notified in advance of the date, time, and type of work to be performed.
3. When the third party arrives, he/she will report to a staff contact that scheduled the visit. The staff contact will escort the third party to the Information Technology area. At this point, the third party is to be informed that he/she will take further direction from the IT staff point person in relation to their activity in the data center.
4. Prior to the onset of any work, the third party will describe the activities and/or actions that are planned.
5. The IT staff point person is responsible for explaining what measures need to be taken to protect the computer hardware and software, explain protective measures to the third party, and ensure that the measures are in place. In an attempt to offset delays in the work of the third-party individual(s), the IT staff will attempt to minimize the delays within the constraint of safeguarding the systems. The third party will need to clearly understand that they are to allow time for the IT staff to do what needs to be done to protect the computer systems before starting their work.
6. The third party will report to and receive instructions from the IT staff point person regarding their work in the data center. The IT staff point person will also be kept informed of the status of the work, as well as the notification that the work is completed before leaving the area.

Information Systems Third Party Policy Guidelines

1. Any third-party agreements and contracts must specify:
   • The work that is to be accomplished and work hours. Also, any configuration information of any installed software as well as virus checking of that software
   • The City of Greensboro information that the third party should have access to
   • The minimum security requirements that the third party must adhere to and meet (i.e. method for remote access)
   • How City of Greensboro information is to be guarded by the third party. Signing of a non-disclosure agreement is typically required.
   • Strict use of City of Greensboro information and information resources for the purpose of the business agreement by the third party. Any other City of Greensboro information acquired by the third party in the course of the contract cannot be used for the third-party’s own purposes or divulged to others
   • Feasible methods for the destruction, disposal, or return of City of Greensboro information at the end of the contract
   • The return of City property such as a laptop, PDA, or cell phone after the completion or termination of the agreement
2. The third party must comply with all applicable City of Greensboro standards, agreements, practices and policies, including, but not limited to:
   • Acceptable use policies
   • Network Access policies
   • Data Classification policies
   • Safety policies
   • Auditing policies
   • Remote Access policies
   • Non-disclosure policies
   • Privacy policies
3. City of Greensboro will provide an IT point of contact for the third party whether it is one person from the IT department or a departmental technology liaison. This point of contact will communicate with the third party to ensure they are in compliance with these policies.
4. The third party will provide the City of Greensboro with a list of all additional third parties working on the contract. The list must be updated and provided to the City of Greensboro within 24 hours of any staff changes.
5. Third party access to systems must be uniquely identifiable and authenticated, and password management must comply with the City of Greensboro Password Policy. Managing connectivity with partner networks can be handled different ways depending on what technologies are in place (i.e. encryption, intrusion detection, DMZ architecture).
6. Any third party computer/laptop/PDA/tablet PC that is connected to the City of Greensboro systems must have up-to-date virus protection and patches. The third party will be held accountable for any damage that has occurred to the City of Greensboro in the event that an incident occurs.
7. If applicable, each third party on-site employee must acquire a City of Greensboro ID badge that must be displayed at all times while on the premises. The badge must be returned to the City of Greensboro upon termination or completion of a contract.
8. Each third-party employee that has access to the City of Greensboro sensitive information should be cleared by the requesting department of the network access and IT to handle that information.
9. If applicable, an explanation of how City of Greensboro information will be handled and protected at the third party’s facility/site must be discussed and approved by the requesting department of the network access and IT.
10. Third-party employees must report all security incidents to the appropriate City of Greensboro personnel.
11. If third-party management is involved in City of Greensboro security incident management, the responsibilities and details must be specified in the contract.
12. The third party must follow all applicable change control procedures and processes.
13. All software used by the third party in providing service to the City of Greensboro must be properly inventoried and licensed.
14. All third-party employees are required to comply with all applicable auditing regulations and City of Greensboro auditing requirements, including the auditing of the third-party’s work.
15. Regular work hours and duties will be defined in the contract. Work outside of defined parameters must be approved in writing by the appropriate City of Greensboro management.
16. All third-party maintenance equipment on the City of Greensboro network that connects to the outside world via telephone lines, leased line, or the network will remain disabled except when in use for authorized maintenance.
17. The third party’s major accomplishments must be documented and available to City of Greensboro management upon request. Documentation should include, but is not limited to events such as:
   • Arrival and departure times
   • Personnel changes
   • Password changes
   • Project milestones
   • Deliverables
18. Upon departure of the third party from the contract for any reason, the third party will ensure that all sensitive information is collected and returned to the City or destroyed within 2 hours. The third party will also provide written certification of that destruction within 24 hours. All equipment and supplies must also be returned, as well as any access cards and identification badges. All equipment and supplies retained by the third party must be documented by authorized City of Greensboro management.
19. City of Greensboro will perform an impact analysis of other business-critical functions, once work has begun by the third party.
20. City of Greensboro will monitor system and network log files daily.
21. City of Greensboro will eliminate third-party physical access to facilities after the contract has been completed or terminated. The following steps must be performed:
   • Remove third party authentication and all means of access to systems
   • If needed, make sure that incoming e-mail is re-routed to an appropriate person as needed and requested
   • Archive any third-party software configuration, and transfer ownership to designated internal staff
   • Get a written statement from the third party that any software created and/or installed by the third-party is free of viruses and any other malicious code
22. Third-party must comply with the handling of confidential data belonging to the City in the following manner:
   • Access to confidential data must be granted by City of Greensboro designated employees. Viewing and modification of confidential data must be restricted to authorized individuals only
   • Documents containing confidential data should only be printed when there is a legitimate business need and should not be left unattended on a printer or anywhere else
   • Copies of confidential data must be limited to individuals authorized to access the data
   • Documents containing confidential data cannot be transmitted via e-mail unless encrypted
23. To ensure that the City’s data and infrastructure are protected while under contract, the third party shall comply with the following information security requirements:
   • The third party shall strive to identify vulnerabilities, risks and threats, take all actions necessary to protect the City of Greensboro information regarding security issues and help limit the likelihood that vulnerabilities in systems and applications are exposed
   • The third party shall complete the City of Greensboro “Service Provider Information Security Questionnaire” and engage with the City of Greensboro Information Security Personnel to review the completed questionnaire. If deemed necessary, the City of Greensboro shall conduct security scans against the application, software or service. If critical security issues are identified after reviewing the security questionnaire and/or conducting the security scans, the third party shall resolve these issues as quickly as possible
   • The City of Greensboro shall not use the application, software or service until all critical security issues have been resolved
   • If the third party experiences a data breach that impacts the City of Greensboro’s information, the third party shall notify the City of Greensboro immediately or as quickly as possible so that certain measures can be taken to limit the impact of such a breach
NON-COMPLIANCE

The third party agrees to indemnify the City for any loss, including but not limited to financial and reputational, that the City suffers as a result of the third party’s failure to comply with the terms and conditions of this policy. Notwithstanding the third party’s agreement to indemnify the City, the City may pursue any civil and/or criminal remedies to recover any loss suffered by the City as a result of the third party’s non-compliance with any of the terms and conditions of this policy. The venue for any legal action will be in Greensboro, Guilford County, North Carolina.

ACKNOWLEDGMENT

As the third party requesting network access, I have read and I understand and agree to the terms set forth in this policy, and so indicate by signing my name and entering the date below:

Department Working Within at the City of Greensboro
Third Party’s Company Email Address
Printed Name
Signature
Date
NOTE: Each third party requesting network access must complete and submit this page. Each third party must possess his or her own network access; shared network access is not allowed and is strictly prohibited.
Attachment 1

THIRD PARTY CONNECTION REQUEST - INFORMATION REQUIREMENTS DOCUMENT

In accordance with the Information Technology Acceptable Use Policy, all requests for third party network access must be accompanied by this completed Information Requirements Document. This document should be completed by the City of Greensboro employee and/or department requesting the network access.

A. Requester Contact Information (City of Greensboro)
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Email Address:

Technical Contact Information (City of Greensboro)
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Email Address:

Back-up Point of Contact (City of Greensboro)
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Email Address:
B. Problem Statement/Purpose of Connection
What is the desired end result? City of Greensboro employee and/or department must include a statement about the business needs of the proposed connection.

C. Scope of Needs (In some cases, the scope of needs may be jointly determined by the City of Greensboro and the Third Party)
What services are needed?
What type of access is required (i.e. will the Third-party need VPN or Citrix access)?
How long is the network access needed?
Will the Third-party need a City-issued laptop?

D. Third Party Information
Third Party Name:
Management contact (Name, Phone number, Email address):
Location (address) of termination point of the Network Connection (including building number, floor and room number):
Main phone number:
Local Technical Support Hours (7X24, etc):
Escalation List:

E. What type of work will be done over the Network Connection?
What applications will be used?
Will any data transfers take place? If so, how many files are involved?
What are the estimated hours of use each week?
What are peak hours?

F. Are there any known issues such as special services that are required? Are there any unknown issues at this point, such as what internal City of Greensboro services are needed?

G. Are there any critical business needs associated with this network account access?

H. What is the requested account creation date (Minimum lead-time is 3 business days)?

I. What is the approximate duration of the network account access?

J. Are there any existing network accounts at the City of Greensboro with this company?
K. Other useful information
Third Party User Agreement – Authorized Signatures

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be duly executed. Each party warrants and represents that its respective signatories whose signatures appear below have been and are on the date of signature duly authorized to execute this Agreement.

(“Company”)
Authorized Signature:
Name:
Date:

City of Greensboro
Authorized Signature (Director/Deputy):
Name:
Date: