The Council engages in business where council data is collected, transmitted, or processed under contracted third-party arrangements. In many of these situations, a network-accessible service is developed by a third-party supplier to collect, transmit, or process data on behalf of a council department. The Council may also send data it has collected to a contracted third-party supplier for further processing or storage.
Approved third parties may also be provided access to council systems to support business processes, systems or applications.
The Council's ICT department has created this assessment to assist purchasing project sponsor(s), third party suppliers or council system owners in addressing risk management, contract review, and ongoing third party supplier management, with the goal of minimizing the risk to council data and systems.
The systems used to process, transmit, or store data must be reviewed prior to formalising the agreement. The Council business case process must be adhered to. References from other clients should be obtained prior to formalising the agreement. The purchasing project sponsor(s), third-party supplier or council system owner is responsible for ensuring that a system security assessment is conducted.
Determining the need for a security assessment
A security assessment or review is required to be conducted if any of the following apply to the project/system:
- the project/business/system involves transferring any council data classified as confidential, or otherwise sensitive, from a council-owned device to a third-party contracted device
- the project/business/system involves contracting with a third party supplier who will create a network-accessible service on behalf of council to collect, transmit, or process any council data classified as confidential, or otherwise sensitive
- the project/business/system requires that a contracted third party collect or process any council data classified as confidential, or otherwise sensitive, that will later be transmitted for use by the Council
- the project/business/system requires that a third party process payment card information on behalf of the council.
The purchasing project sponsor(s) or council system/application owner must complete the assessment in conjunction with the third-party supplier. The Council's ICT Security Manager may be contacted for guidance: ICTSecurity@hackney.gov.uk.
At a minimum, the security assessment should consider all applicable provisions of our information security policy and ICT security standards.
Assess compliance with council policies
The purchasing project sponsor(s), third-party supplier or Hackney Council system owner shall review the council's information security policy and ICT security standards.
The following policies and standards should also be reviewed, as needed:
- information security policy
- business application security policy
- ICT security standard
- information governance framework policy
- data classification guidelines
- network security policy
- password policy
- patch management policy
- removable media policy
The purchasing project sponsor(s), third-party suppliers or Hackney Council system owners should note that certain types of data require the Council to comply with external mandates. Such mandates include, but are not limited to:
- Data Protection Act 1988
- Regulation of Investigatory Powers Act 2000
- Computer Misuse Act 1990
- Freedom of Information Act 2000
- International Standard for Information Security Management (ISO27001)
- HMG security policy framework
- Public services network (PSN)
- Payment Card Industry data security standard (PCI:DSS)
Information security management plans must conform to all applicable mandates. If there are any questions regarding policy interpretation or compliance, please contact the council ICT Security Manager: ICTSecurity@hackney.gov.uk.
Review of tender requirements
The council requires that the following statements are included in invitations to tender:
Review of contract details
The ICT Security Manager can assist in the review of contract details upon request and based on priority and availability. The purchasing office, legal, or internal audit departments may require an assessment, and may require specific language in a contract. In general, the following items must be assessed as a minimum:
- Data Protection Act 1988
- management of information security in accordance with the international standard ISO27001
Non-disclosure agreements (NDA)
The Council requires that individuals or companies (third parties) sign an NDA where a contract is not in place that adequately covers confidentiality of information. The following documents need to be completed:
Third party information security compliance status
Third party information security assessments are generally conducted during contract negotiation and then at regular intervals during the life of the contract.
Third party access to council systems
Where approved by the council, a third party may be provided access to council information systems. Third-party access may be required to provide a business function, or to support systems or applications. Access to council systems will only be provided through the council's VPN solution.
Third parties are responsible for:
- ensuring access is assigned to individuals (generic accounts are not allowed)
- immediately notifying the council when staff leave so that access to systems can be removed
- immediately notifying the council of all information security incidents