
Policy title:
Colt Third party SharePoint terms of use
Division:
CFO
Purpose:
The purpose of this policy is to provide a minimum requirement for access to the Colt extranet environment and selected information assets.
Scope:
This policy applies to all logical access to Colt information irrespective of its location.
 
 
 

1         Definitions

 
 
1.1.          Information
 
All communications and all or any part of Colt highly confidential information, Colt confidential information, Colt internal information and/or unclassified information.

1.2.          Access

Access, in the context of these Third party SharePoint Terms of use, is defined as the authority to view or process information using one's own credentials.

1.3.          Personal data

Personal data means data that relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Personal data includes personnel information and will also be included in customer information where an individual can be identified from that customer information.

1.4.          External user

The term external user refers to any customer, consultant, supplier, vendor or other individual with whom we want to share information and collaborate on projects.

1.5.          Colt information system

A system (e.g., application, operating system, database management system) on the Colt network that processes or stores Colt classified information.

1.6.          Information/asset owner

The individual who has created, or is ultimately responsible for, a Colt information asset. An information/asset owner may also be referred to as a SharePoint site owner who has the ability to manage Colt SharePoint information.

1.7.          Workspace

A Colt information asset that is owned by a site owner, also referred to as a Microsoft SharePoint site.

1.8.          Colt classified information

In the context of these Terms of use, Colt classified information is as defined in the Colt information classification policy.

2          Introduction

 
Colt and its subsidiaries (collectively “Colt”) have formulated these Colt Third party SharePoint Terms of use to control and manage access to Colt’s information assets.
 
Sharing corporate information with third parties can result in various threats to Colt’s information assets, especially when sharing this information online. Failing to take the appropriate actions or to manage these threats could result in loss of confidentiality, integrity or availability of Colt’s assets.
 
These Terms of use identify controls and responsibilities for any sharing of Colt information through Third party SharePoint. These Terms of use do not apply to Colt group companies, irrespective of location, where the Colt security policy already applies.

3          Responsibilities

3.1.          General

If you are unsure how to classify or handle classified information, contact your line manager or group security for advice on current policy and protection requirements.
 
When an item of information is created it must be classified using the Colt classification scheme.
 
It is the responsibility of the creator to identify the appropriate classification and use standard Colt protocol for each new information asset such as a document or computer file. It is the responsibility of the creator to ensure that the appropriate measures are taken to protect this information and ensure it complies with the minimum standard for information protection. Recipients of customer proprietary information must handle it with due care and must respect the classification marked by the information originator.

3.2.          Site owners

No information or data that is marked as Colt confidential or Colt highly confidential as described in the information classification policy shall be uploaded, processed or stored on the Third party SharePoint extranet environment.
 
It is the responsibility of the site owner to control and manage access to sites, site content and archiving. Site owners are also responsible for account review and removal.
 
It is vital for site owners to understand that they are responsible for all customer information and must ensure that this information is not shared through Third party SharePoint.

4          Controls

4.1.          General conduct

The Third party SharePoint extranet environment must be used in a manner that is consistent with its intended purposes and may only be used for lawful purposes. Users may not use Colt’s network and extranet services to transmit, distribute or store inappropriate material that is any of the following:
 
  •  In violation of any applicable law or regulation
  •  In a manner that will infringe copyright, trademark, trade secret or other intellectual property rights of others or the privacy, publicity or other personal rights of others
  •  That is fraudulent, obscene, defamatory, libellous, threatening, abusive or hateful or contains a virus, worm, trojan horse or other harmful components
  •  Containing fraudulent offers for goods or services or any promotional materials that contain false, deceptive or misleading statements, claims or representations; or
  •  Generally in a manner that may expose Colt or any of its personnel to criminal or civil liability.

4.2.          Ownership of user accounts

4.2.1.  Accountability for access

It is the responsibility of the Colt site owner to maintain access control to content stored within the extranet sites they’ve agreed responsibility for.
 
Under no circumstance should a third party user be liable for site ownership. Site ownership can only be passed from one Colt internal user to another and, should ownership be passed, the new site owner should be made fully aware of their responsibilities.
 
All users can be held accountable for the correct protection of data, documents and other information. If users are unsure how to handle classified data they should contact the site owner (for external users), a Colt manager or the security & operational risk group, or use the minimum standard of information for further information.
 
All access to Colt’s information assets that are located on the Third party SharePoint will be recorded in audit logs and retained for a minimum period of 90 days or longer if stipulated following a security risk assessment.

4.2.2.  Third party access to Colt information systems

Access to Third party SharePoint is only provided to those third parties Colt has a formal relationship with. This could be through a contract between a company and Colt or, if no contract exists, this relationship needs to be formalised through a non-disclosure agreement; see 4.3 for more information.
 
Each external user is required to have a separate user identity and the user identities are prohibited from being shared or transferred between individuals.
 
Prior to establishing an account for an external user, it is required that sufficient information about the external user be collected such that the user can be authenticated using the collected information should the user's account credential (e.g., password) need to be reset or re-issued. Collection of information must be within the bounds of what applicable laws allow.
 
Any external user granted access to Third party SharePoint is required to be restricted to accessing only information directly related to the tasks outlined in the contract or agreement.
 
 
Any facility with which an extranet connection is established is required to have a secure firewall deployed and configured in accordance with industry best practices.
 
To ensure that third party access remains valid, all access must be repeatedly used within a three-month period. If an account is not used within a three-month period, the third party user account is immediately made dormant on the system without notification.

4.2.3.  Review access

To ensure continued valid access, all logical access shall be the subject of regular reviews. These reviews are described by the individual Logical access policy, and the records of such reviews shall be retained.
 
Site owners are responsible for access to all information on their site and thus have the right to review access for the following reasons:
 
  •  Communicate inappropriately or violate the general conduct in any manner
  •  Upload, share or collaborate with materials that are deemed highly sensitive, inappropriate or offensive to others, or that cause severe damage to the company
  •  Distribution of data or metadata that would cause severe damage to the organisation or inflict damages to others
  •  Breach of policies: information classification policy, external acceptable use policy, access control policy and other Colt recognised policy and procedures.

4.2.4.  Removal of extranet access rights

A process shall exist to ensure that access is removed for a specified user from selected sites immediately.
 
In the event of a security breach incident such as a leakage of data, the Colt site owner reserves the right to isolate the site from access, investigate and remove those that are responsible for the inappropriate behaviour.
 
A process shall exist to ensure that access is put in a dormant state for a specified user from specified sites immediately.
 
Accounts under review can result in the removal of access to sites. Colt will not guarantee the re-activation of a user account following a breach of policy or conduct.
 
Account requests can be denied to specific sites where there is a claim of inappropriate behaviour. For example:
 
  •  Material and data may be too sensitive or confidential for the requestor to view, such as assets or metadata that could inflict damage or harm to Colt or other users
  •  Requestor is under investigation for a previous incident
  •  Personal information that a user can come into possession of is likely to inflict damage or harm to Colt or other users using the site.
 

4.2.5.  Password reset

If an account credential needs to be reset, it is required that the reset be performed only at the request of the user for whom the account was established, or a Colt-authorized agent, and the user is required to be authenticated prior to the credential being reset.
 
It is prohibited for all Colt and third party users to avoid the password standards guidelines. Any password to access the SharePoint Extranet environment must meet the password standard guidelines, which users are able to refer to within the security portal. For example:
 
  •  Contains a minimum of eight characters in an alphanumeric combination. Letters should contain at least one uppercase and one lowercase letter
  •  May optionally contain special characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
  •  Must not contain family names, pet names, computer terms, birthdays, addresses or any derivation.
The Password Reset Tool is only available for third party user accounts. Should any Colt employee wish to reset their password, the standard password reset process should be followed.

4.3.          Ownership and administration of sites

4.3.1.  Site creation

An extranet site may only be created if the Colt site owner has agreed to these Terms of use and has agreed to protect the information to the same level as that required by Colt as stated in the Colt Minimum Standards for Information Protection policy.

4.3.2.  Site deletion

Site owners are responsible for the creation and ownership of sites. Colt can take active steps to monitor all users’ compliance with these Terms of use. In the event of the following actions, sites can be removed without notification:
 
  •  Incidental or malicious sharing of Information, documentation, metadata or other materials that are Colt highly confidential;
  •  Any matters of protest or communication that may inflict damage to Colt or any of its customers;
  •  Breach of policies: Information Classification Policy, External Acceptable Use Policy, Access Control Policy and other Colt recognised policies and procedures;
  •  Sites no longer serve the required purpose or requirement;
  •  Failure to maintain adequate protection and handling of requirements for information classification.

4.4.          Non-disclosure agreements (NDA)

If there is no contractual relationship and prior to being given access to any Colt information or information system, an external party is required to sign an NDA with Colt and agree to these Terms of use. (The NDA may be signed by an authorized agent of the external party's company, on behalf of the company and its employees.)
 
Please note: It is the responsibility of the site owner to ensure that no Information or data that is marked as Colt Confidential or Colt highly confidential as described in the Information Classification Policy shall be uploaded, processed or stored on the Third party SharePoint extranet environment.

4.5.          General correspondence

Users must not use the Third party SharePoint environment for improper or unlawful purposes or to receive or send messages which are, in reasonable opinion, offensive, indecent, obscene, menacing, malicious or defamatory or which infringe any intellectual property right (including, without limitation, trademarks, copyright, or rights relating to domain names), nor allow others to do so.
 
Users may have access through the Third party SharePoint environment to search engines, subscription web services, chat areas, bulletin boards, web pages, or other services through Colt Extranet SharePoint services that promulgate rules, guidelines or agreements to govern their use. Users who post messages in forums, blogs, bulletins, and other modes of SharePoint social media are responsible for becoming familiar with any written charter or FAQ governing use and complying therewith.

4.6.          Disruption of service and network security breaches

Under no circumstance should users access or manage any information or metadata on Third party SharePoint that is business critical. Users can store any documents; however, they must be aware of the level of service that will be available.

4.7.          Consistent application of controls

Information security requirements levied on Colt employees and Colt information systems to protect Colt’s classified information are required to be applied in a consistent manner to external parties who have been granted access to Colt classified information or a Colt information system.

4.8.          Least privilege

Access to Colt systems and information will be strictly controlled on the basis of least privilege. A clear need-to-have or need-to-know must be demonstrated before access will be granted. Every action, transaction or business function performed by an external party on a Colt information system is required to be traceable to an individual.

4.9.          Contractual, regulatory and legal clauses

All Third party users with access to Colt information must have a contract (through their company) or a non-disclosure agreement that specifies controls, to include but not limited to, the controls listed below, as applicable for the particular outsourcing arrangement.
 
Users who breach the Third party SharePoint Terms of use should be aware that they may be in breach of any pre-existing contract or agreement, confidentiality agreements, data protection act or the non-disclosure agreement.
 
Contracts are required to include firewall requirements if an extranet connection is to be established.
 
Contracts are required to identify any security configurations and/or software that are required or prohibited for non-Colt desktops and/or systems.
 
Contracts are required to preclude the external party from further sub-contracting the service or sharing Colt information with a downstream processor/service provider without prior explicit approval from Colt.
 
Prior to granting an external party access to any Colt information, the business unit requesting the access is required to ensure that the access is in compliance with any information security requirements defined or directed by legal or regulatory bodies that govern protection and handling of the information (such as EU data protection requirements or national telecommunications regulations).

4.10.       Violation of this SharePoint extranet policy

Colt can take active steps to monitor user compliance with these Terms of use. In the event that Colt becomes aware of a breach of these Terms of use, Colt may take any or all of the following actions:
  •  Colt may inform the Colt site owner of an issue or incident
  •  Colt may remove the user account from a site
  •  Colt may require help from a customer in resolving a breach where that customer's system(s) may have been involved
  •  Colt may charge the offending party for the time and resources used in dealing with the breach; or
  •  Colt may, without notice, suspend or terminate a network connection or connections.