This page supports policy statement 6.5 in the new Information Security Policy
Introduction
Third-party access to UCL systems and information introduces additional risks that must be carefully assessed and controlled. UCL must ensure that third parties meet equivalent security standards and do not compromise the security of its information or infrastructure.
Summary of Policy Requirements
- A security risk analysis must be performed before granting third-party access.
- The assessment must consider the type and level of access required, sensitivity and value of information, as well as security measures implemented by the third party.
How to Comply
- Contact ISG to ensure due diligence is conducted before onboarding third parties: Risk Assessments & Audits - New Service security support.
- Ensure contracts include:
  - Security requirements,
  - Data protection obligations,
  - Incident reporting requirements.
- Restrict third-party access to only what is necessary and have a clear approval process for granting privileged access.
- Monitor third-party activity and compliance with UCL policies and standards.
- Document and manage any risk associated with third-party access.
- Reassess risks periodically or when services change.
- Remove or restrict access where requirements are not met.
Further questions
If you have any questions that haven't been answered by the information on this page, please don’t hesitate to ask the Information Security Group.
Policy statement
Data Owners must ensure that third-party service providers with access to UCL’s information undergo a risk assessment to ensure they meet UCL’s information security standards.