OIT OPERATIONAL PROCEDURE
THIRD PARTY ACCESS POLICY
This document describes the policy under which third party persons or organizations connect to or access network resources on Hillsborough Community College (HCC) networks for the purpose of transacting business related to HCC or other approved business transactions.
All connections and network resource access between third parties that require access to non-public HCC resources fall under this policy, regardless of what technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for HCC or to the Public Switched Telephone Network does NOT fall under this policy.
3.1.1 Security Review
All new extranet connectivity will go through a security review with the Office of Information Technology (OIT). The reviews are to ensure that all access matches the business requirements in the best possible way, and that the principle of least access is followed.
3.1.2 Third Party Connection Agreement
All new connection requests between third parties and HCC require that the third party and HCC representatives agree to and sign the Third Party Agreement. This agreement must be signed by the Vice President of the sponsoring department as well as a representative from the third party who is legally empowered to sign on behalf of the third party. By signing this agreement, the third party agrees to abide by all referenced policies. The signed document is to be kept on file with the relevant extranet group. All non-publicly accessible information is the sole property of HCC.
3.1.3 Business Case
All extranet connections or network resource access must be accompanied by a valid business justification, in writing, that is approved by both the third party and the corresponding HCC contracting authority or rightful designee. Typically this function is handled as part of the Third Party Agreement.
3.1.4 Point Of Contact
The HCC contracting authority must designate a person to be the Point of Contact (POC) for the third party connection. The POC acts on behalf of the HCC contracting authority, and is responsible for those portions of this policy and the “Third Party Agreement” that pertain to it. In the event that the POC changes, the relevant third party person or organization must be informed promptly.
3.2 Establishing Connectivity
All contracting authorities within HCC that wish to establish connectivity or network resource access to a third party are to file an Extranet connectivity request with OIT accompanied by a “Third Party Agreement” signed by the third party person, organization, or rightful designee. OIT will then engage the third party to address security issues inherent in the project. The sponsoring contract authority must provide full and complete information as to the nature of the proposed access to OIT, as requested.
All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. All connectivity requests will have a specific beginning and ending date. In no case will HCC rely upon the third party to protect HCC's network or resources. OIT will grant access to all approved resources and reserves the right to refuse access on the basis of a legitimate security concern as decided by the VP of Information Technology or designee.
3.3 Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification, and are subject to security review. The sponsoring contracting authority is responsible for notifying the third party person or organization and OIT when there is a material change in their originally provided information so that security and connectivity evolve accordingly. Extensions will be granted on a case-by-case basis and must be requested in writing by the sponsoring contracting authority.
3.4 Terminating Access
When access is no longer required, the sponsoring contracting authority within HCC must notify OIT, which will then terminate the access. This may mean a modification of existing permissions up to terminating the circuit, as appropriate. OIT security teams must conduct an audit of their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are found to be deprecated, and/or are no longer being used to conduct HCC business or other approved business transactions, will be terminated immediately. Should a security incident, or a finding that a circuit has been deprecated and is no longer being used to conduct HCC business or other approved business transactions, necessitate a modification of existing permissions or termination of connectivity, OIT will notify the POC of the sponsoring contracting authority of the change prior to taking any action.
Any employee found to have violated the third party access policy may be subject to disciplinary action, up to and including termination of employment.