Sample Third Party Security Awareness Standard
The <Your Company Name> (the "Company") Sample Security Awareness Policy defines objectives for establishing a formal Security Awareness Program, and specific standards for the education and communication of the Sample Information Security Program Charter and associated policies and standards.
This Third Party Security Awareness Standard builds on the objectives established in the Sample Security Awareness Policy, and provides specific instructions and requirements for providing security awareness education and training for third party personnel.
I. Scope
Third party personnel who have been granted access to Company information or systems are covered by this standard and must comply with associated guidelines and procedures.
Asset Owners refers to the managers of organizational units that have primary responsibility for information assets associated with their functional authority.
Asset Custodians refers to the managers, administrators and those designated by the Asset Owner to manage, process or store information assets.
Electronic Communication Systems refers to all Company information systems and equipment including Electronic Mail Resources, Internet Resources, and Telecommunications Resources.
Electronic Mail Resources are defined in the Sample Electronic Mail Acceptable Use Standard.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Internet Resources are defined in the Sample Internet Acceptable Use Policy.
Telecommunications Resources are defined in the Sample Telecommunication Acceptable Use Standard.
Third party personnel include contractors, partners, consultants, and other personnel that are not Company employees.
II. Requirements
A. General
- 1. Third party personnel should receive information security awareness training that covers the following security areas prior to being granted access to Company facilities, Company Electronic Communication Systems, and/or Company information assets:
- Non-disclosure requirements
- Access limitations due to contractual agreement
- Company commitment to security
- Company information assets
- Confidentiality classification categories
- Information labeling
- User account and password requirements
- Physical access controls and requirements
- Virus prevention and detection
- Information Handling
- Proper use of software and Electronic Communications Systems
- Misuse Reporting
- Help Desk and Information Security contacts
B. Policies
- 1. Third party personnel should receive information security awareness training that covers the Information Security Program Charter and the following Company policies:
- 2. Third party personnel that are assigned Asset Owner or Asset Custodian responsibilities should receive information security awareness training that also covers the following Company policies:
C. Standards
- 1. Third party personnel should receive information security awareness training that covers the following Company standards:
- Sample Information Classification Standard
- Sample Information Labeling Standard
- Sample Access Control Standard
- Sample Physical Access Standard
- Sample Anti-Virus Standard
- Sample Encryption Standard
- Sample Information Handling Standard
- Sample Internet Acceptable Use Policy
- Sample Electronic Mail Acceptable Use Standard
- Sample Telecommunication Acceptable Use Standard
- Sample Software Acceptable Use Standard
- Sample Misuse Reporting Standard
- Sample Security Awareness Accessibility Standard
- 2. Third party personnel that have been granted remote access to Company information or systems to meet an approved business need or perform prescribed job responsibilities should receive information security awareness training that also covers the Remote Access Standard.
- 3. Third party personnel that are assigned Asset Owner or Asset Custodian responsibilities should receive information security awareness training that also covers the following Company standards:
- Sample Integrity Protection Standard
- Sample Encryption Standard
- Sample Availability Protection Standard
- Sample Life Cycle Management Standard
- Sample Configuration Management Standard
- Sample System Development Life Cycle Standard
- Sample Change Control Standard
- Sample Vulnerability Assessment Standard
- Sample Vulnerability Management Standard
- Sample Threat Assessment Standard
- Sample Threat Monitoring Standard
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Third Party Security Awareness Standard. The CISO is also responsible for ensuring the development, implementation, and maintenance of the Third Party Security Awareness Standard.
Company management is responsible for ensuring employees within their area of responsibility cooperate with Company security awareness and training efforts; ensuring that third party personnel within their area of responsibility receive the proper Information Security awareness and training in accordance with the Sample Security Awareness Policy and associated standards and guidelines; and ensuring the effective communication of relevant security issues with the Information Security Department.
IV. Enforcement and Exception Handling
Failure to comply with the Third Party Security Awareness Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of contracts for contractors, partners, consultants, and other personnel. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Third Party Security Awareness Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Third Party Security Awareness Standard.
V. Review and Revision
The Third Party Security Awareness Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- <Insert Name>
- Chief Information Security Officer