Overview of the Third Party Assurance Policy

The Third Party Assurance Policy exists to protect an organization's data and systems when engaging with third parties. It outlines the necessary steps and requirements to ensure that third parties meet the organization's security expectations and comply with relevant regulations. The policy addresses the full lifecycle of third-party engagement, from initial screening and due diligence to access management and service delivery.

Here are the key points of the Third Party Assurance Policy, as outlined in the table of contents:

1. Description This section explains the purpose of the policy, which is to ensure third parties meet security requirements.

2. Third Party Screening This part of the policy outlines the procedures for vetting third parties before granting them access to sensitive data or systems.

3. Third Party Agreements This section details the requirements for written agreements with third parties, including security controls and responsibilities.

4. Third Party Access This part specifies the conditions under which third parties are granted access to the organization's data and systems.

5. Third Party Service Management This section focuses on the ongoing management of third-party services, including service level agreements and monitoring.

6. Third Party Change Management This part addresses how changes in third-party services or relationships should be managed to maintain security.

7. Third Party Disclosure This section outlines the procedures for handling requests for disclosure of sensitive data by third parties.

Each of these sections is crucial for maintaining a secure and compliant operational environment when working with third parties. The policy ensures that all parties involved are aware of their responsibilities and the standards they must meet to protect the organization's interests.

Detailed Breakdown of Key Points

Let's delve into each key point of the Third Party Assurance Policy to understand its components and significance:

1. Third Party Screening

   • Access Establishes that access is contingent on due diligence and written agreements.

   • Due Diligence Describes the due diligence process for evaluating third parties.

   • Screening Mandates screening of third-party users before access is granted.

   • Contractors Requires clear agreements for contractor responsibilities and screening procedures.

   • Risk Assessment Calls for a risk assessment to determine security requirements for third parties.

   • Security Requirements Stipulates that security requirements must be documented and validated.

2. Third Party Agreements

   • Standard Agreement Ensures third parties are bound by agreements that reflect security policies.

   • Agreements Between Third-Parties Clarifies the need for clear agreements to avoid misunderstandings.

   • Responsibility Acknowledgment Requires third parties to acknowledge their security responsibilities.

   • Information Security Risks Includes provisions for addressing security risks in agreements.

   • Security Provisions Outlines specific security provisions that must be included in agreements.

   • Terms and Conditions Details the terms and conditions related to access and working arrangements.

   • HIE Third-Party Relationships Specifies provisions for Health Information Exchange (HIE) third-party relationships.

3. Third Party Access

   • Obligations and Rights Informs third parties of their obligations and rights before access is granted.

   • Minimally Necessary Limits third-party access to the minimum necessary for their role.

   • Roles and Responsibilities Establishes security roles and responsibilities for third-party users.

   • User Identity Requires formal authentication of third-party user identities.

   • Remote Access Connections Mandates encryption for remote access connections.

   • Terms of Use and Privacy Policy Requires terms of use and privacy policies to be accessible to third parties.

4. Third Party Service Management

   • Business Considerations Emphasizes the need to consider security in new system or service acquisitions.

   • Service Level Agreements Details the requirements for service level agreements with third parties.

   • SLA Monitoring Calls for annual monitoring of third-party services against service level agreements.

   • Progress Meetings Requires regular meetings to review various aspects of third-party service delivery.

   • Network Services Stipulates periodic audits of network services provided by third parties.

   • Information Supply Chain Review Mandates annual reviews of the information supply chain.

   • Identified Issues Addresses the need to resolve issues identified during service management monitoring.

5. Third Party Change Management

   • Outsourced Development Covers the security and ownership aspects of outsourced software development.

   • Outsourced Development Monitoring Requires monitoring and independent reviews of outsourced development.

6. Third Party Disclosure

   • Disclosure Requests Outlines how to handle individual requests for data disclosure.

   • Restriction Requests Allows individuals to request restrictions on data disclosure.

   • Healthcare Treatment Specifies conditions under which disclosure restrictions do not apply.

The Third Party Assurance Policy is a comprehensive guide that ensures third parties are thoroughly vetted, monitored, and managed to maintain the security and integrity of the organization's data and systems. It is an essential tool for any organization that relies on external entities to conduct its business.

For those interested in implementing this policy within their organization, we have a template available for purchase. This template can help streamline the process of creating a robust Third Party Assurance Policy tailored to your organization's specific needs.