This document describes the policy under which third party organizations connect to eCuras networks to transact business related to eCuras.
Connections between third parties that require access to non-public eCuras resources fall under this policy, regardless of whether a telco circuit (such as frame relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for eCuras or to the Public Switched Telephone Network does NOT fall under this policy.
3.1.1 Security Review
All new extranet connectivity will go through a security review with the Information Security department (InfoSec). The reviews ensure that all access matches the business requirements in the best possible way and that the least access principle is followed.
3.1.2 Third-Party Connection Agreement
All new connection requests between third parties and eCuras require that the third party and eCuras representatives agree to sign the Third Party Agreement. This agreement must be signed by the Vice President of the Sponsoring Organization and a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the relevant extranet group.
3.1.3 Business Case
All production extranet connections must be accompanied by a valid business justification, in writing approved by a project manager in the extranet group. Typically this function is handled as part of the Third Party Agreement.
3.1.4 Point Of Contact
The Sponsoring Organization must designate a person to be the Point of Contact (POC) for the Extranet connection. The POC acts on behalf of the Sponsoring Organization and is responsible for those portions of this policy and the Third Party Agreement pertaining to it. If the point of contact changes, the relevant extranet Organization must be informed promptly.
3.2 Establishing Connectivity
Sponsoring Organizations within eCuras that wish to establish connectivity to a third party will file a new site request with the proper extranet group. The extranet group will engage InfoSec to address the security issues inherent in the project. The Sponsoring Organization must provide full and complete information about the nature of the proposed access to the extranet group and InfoSec, as requested.
All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will eCuras rely upon the third party to protect eCuras’s network or resources.
3.3 Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Changes are to be implemented via the corporate change management process. The Sponsoring Organization is responsible for notifying the extranet management group and/or InfoSec when there is a material change in their originally provided information so that security and connectivity evolve accordingly.
3.4 Terminating Access
When access is no longer required, the Sponsoring Organization within eCuras must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean a modification of existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections annually to ensure that all existing connections are still needed and that the access provided meets the connection’s needs. Connections that are found to be depreciated and/or are no longer being used to conduct eCuras business will be terminated immediately. Should a security incident or a finding that a circuit has been deprecated and is no longer being used to conduct eCuras business necessitate a modification of existing permissions or termination of connectivity, InfoSec and/or the extranet team will notify the POC or the Sponsoring Organization of the change before taking any.
4.1 Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
The Infosec team must approve any exception to the policy in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Revised: March 14th, 2018