9-4 Information Technology Professionals Policy - Section XIII: Third Party Security Policy

Information Systems Department

XIII. Third Party Security Policy

This Policy establishes information security requirements for Third Party agreements and access to Local Agency IT resources and data.

  1. Third Party Access
    1. The Data Owner/Steward or designee must authorize physical or logical access by third parties in advance. This access must adhere to the Principle of Least Privilege, which allows only the access needed for the third party to perform its duties.
    2. Third party devices must be configured to all applicable Local Agency and County policies and standards before being allowed to connect to a Local Agency network.
    3. Third party personnel requiring access to Local Agency IT resources and data must adhere to all applicable Local Agency and County policies.
  2. Third Party Service Delivery Agreements
    To implement and maintain the appropriate level of information security and service delivery, agreements with third parties must be established and include the following:
    1. Necessary controls to ensure Local Agency IT resource and/or data protection;
    2. A clear and specific process of change management;
    3. Agreements for reporting, notification and investigation;
    4. Levels of acceptable/unacceptable service and service continuity;
    5. Definitions of verifiable performance criteria;
    6. Rights to monitor and audit activities;
    7. Problem resolution processes, including escalation steps;
    8. Intellectual property rights and ownership of data;
    9. Policies regarding subcontractors;
    10. Conditions for renegotiation/termination; and
    11. Establishment of Third Party agreements must also adhere to guidelines set forth in County of Sonoma Purchasing policies (7-1 & 7-2) and procedures.
  3. Third Party Exchange of Information Agreements
    To maintain the security of information exchanged with any Third Party, agreements must be established and include the following:
    1. An evaluation of the sensitivity of the Local Agency data to be released or shared;
    2. Identified responsibilities of each party for protecting the Local Agency data;
    3. Identified responsibility and liability of each party in the event of an information security incident;
    4. Minimum security controls required to transmit and use the Local Agency data;
    5. Security measures that each party has in place to protect the Local Agency data;
    6. Methods for compliance measurements;
    7. A schedule and procedure for reviewing the security controls.
  4. Insurance Requirements
    Third Party agreements must incorporate insurance requirements as determined by County of Sonoma Risk Management standards.
  5. Background Checks and Non-Disclosure Agreements
    1. All third party personnel must sign a Non-Disclosure Agreement.
    2. Where required, all third party personnel accessing Confidential or Restricted data must have a background check verified by the Local Agency.