Policy title: | Colt Third party SharePoint terms of use |
Division: | CFO |
Purpose: | The purpose of this policy is to provide a minimum requirement for access to the Colt extranet environment and selected information assets. |
Scope: | This policy applies to all logical access to Colt information irrespective of its location. |
1 Definitions
1.1. Information
All communications and all or any part of Colt highly confidential information, Colt confidential information, Colt internal information and/or unclassified information.
1.2. Access
Access, in the context of these Third party SharePoint Terms of use, is defined as the authority to view or process information using one's own credentials.
1.3. Personal data
Personal data means data that relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Personal data includes personnel information and will also be included in customer information where an individual can be identified from that customer information.
1.4. External user
The term external user refers to any customer, consultant, supplier, vendor or other individual with whom we want to share information and collaborate on projects.
1.5. Colt information system
A system (e.g., application, operating system, database management system) on the Colt network that processes or stores Colt classified information.
1.6. Information/asset owner
The individual who has created, or is ultimately responsible for, a Colt information asset. An information/asset owner may also be referred to as a SharePoint site owner, who has the ability to manage Colt SharePoint information.
1.7. Workspace
A Colt information asset that is owned by a site owner, also referred to as a Microsoft SharePoint site.
1.8. Colt classified information
In the context of these Terms of use, Colt classified information is as defined in the Colt information classification policy.
2 Introduction
Colt and its subsidiaries (collectively “Colt”) have formulated these Colt Third party SharePoint Terms of use to control and manage access to Colt’s information assets.
Sharing corporate information with third parties can result in various threats to Colt’s information assets, especially when sharing this information online. Failing to take the appropriate actions or to manage these threats could result in loss of confidentiality, integrity or availability of Colt’s assets.
These Terms of use identify controls and responsibilities for any sharing of Colt information through Third party SharePoint. These Terms of use do not apply to Colt group companies, irrespective of location, where the Colt security policy already applies.
3 Responsibilities
3.1. General
If you are unsure how to classify or handle classified information, contact your line manager or group security for advice on current policy and protection requirements.
When an item of information is created it must be classified using the Colt classification scheme.
It is the responsibility of the creator to identify the appropriate classification and to use the standard Colt protocol for each new information asset, such as a document or computer file. It is the responsibility of the creator to ensure that the appropriate measures are taken to protect this information and to ensure it complies with the minimum standard for information protection. Recipients of customer proprietary information must handle it with due care and must respect the classification marked by the information originator.
3.2. Site owners
No information or data that is marked as Colt confidential or Colt highly confidential, as described in the information classification policy, shall be uploaded, processed or stored on the Third party SharePoint extranet environment.
It is the responsibility of the site owner to control and manage access to sites, site content and archiving; site owners are also responsible for account review and removal.
It is vital for site owners to understand that they are responsible for all customer information and must ensure that this information is not shared through Third party SharePoint.
4 Controls
4.1. General conduct
The Third party SharePoint extranet environment must be used in a manner that is consistent with its intended purposes and may only be used for lawful purposes. Users may not use Colt’s network and extranet services in order to transmit, distribute or store inappropriate material that is:
- In violation of any applicable law or regulation
- Used in a manner that infringes the copyright, trademark, trade secret or other intellectual property rights of others, or the privacy, publicity or other personal rights of others
- Fraudulent, obscene, defamatory, libellous, threatening, abusive or hateful, or that contains a virus, worm, trojan horse or other harmful components
- Containing fraudulent offers for goods or services, or any promotional materials that contain false, deceptive or misleading statements, claims or representations; or
- Generally of a nature that may expose Colt or any of its personnel to criminal or civil liability.
4.2. Ownership of user accounts
4.2.1. Accountability for access
It is the responsibility of the Colt site owner to maintain access control to content stored within the extranet sites they have agreed responsibility for.
Under no circumstance should a third party user be assigned site ownership. Site ownership can only be passed from one Colt internal user to another, and should ownership be passed, the new site owner should be made fully aware of their responsibilities.
All users can be held accountable for the correct protection of data, documents and other information. If users are unsure how to handle classified data they should contact the site owner (for external users), a Colt manager or the security & operational risk group, or consult the minimum standard for information protection for further information.
All access to Colt’s information assets located on the Third party SharePoint will be recorded in audit logs and retained for a minimum period of 90 days, or longer if stipulated following a security risk assessment.
4.2.2. Third party access to Colt information systems
Access to Third party SharePoint is only provided to those third parties with which Colt has a formal relationship. This could be through a contract between a company and Colt or, if no contract exists, the relationship needs to be formalised through a non-disclosure agreement; see 4.3 for more information.
Each external user is required to have a separate user identity, and user identities are prohibited from being shared or transferred between individuals.
Prior to establishing an account for an external user, sufficient information about the external user must be collected such that the user can be authenticated using the collected information should the user's account credential (e.g., password) need to be reset or re-issued. Collection of information must be within the bounds of what applicable laws allow.
Any external user granted access to Third party SharePoint is restricted to accessing only information directly related to the tasks outlined in the contract or agreement.
Any facility with which an extranet connection is established is required to have a secure firewall deployed and configured in accordance with industry best practices.
To ensure that third party access remains valid, all access must be used within each three month period. If an account is not used within a three month period, the third party user account is immediately made dormant on the system without notification.
4.2.3. Review access
To ensure continued valid access, all logical access shall be subject to regular reviews. These reviews are described in the individual Logical access policy, under which the records of such reviews shall be retained.
Site owners are responsible for access to all information on their site and thus have the right to review access where a user:
- Communicates inappropriately or violates the general conduct rules in any manner
- Uploads, shares or collaborates with materials that are deemed highly sensitive, would cause severe damage to the company, are inappropriate or are offensive to others
- Distributes data or metadata that would cause severe damage to the organisation or inflict damage on others
- Breaches policies: the information classification policy, external acceptable use policy, access control policy and other Colt recognised policies and procedures.
4.2.4. Removal of extranet access rights
A process shall exist to ensure that access for a specified user is removed from selected sites immediately.
In the event of a security breach incident, such as a leakage of data, the Colt site owner reserves the right to isolate the site from access, investigate, and remove those responsible for the inappropriate behaviour.
A process shall exist to ensure that access for a specified user to specified sites is put in a dormant state immediately.
Accounts under review can result in the removal of access to sites. Colt will not guarantee the re-activation of a user account following a breach of policy or conduct.
Account requests can be denied for specific sites where there is a claim of inappropriate behaviour. For example:
- Material and data may be too sensitive or confidential for the requestor to view, such as assets or metadata that could inflict damage or harm on Colt or other users
- The requestor is under investigation for a previous incident
- Personal information that a user could come into possession of is likely to inflict damage or harm on Colt or other users of the site.
4.2.5. Password reset
If an account credential needs to be reset, the reset must be performed only at the request of the user for whom the account was established, or of a Colt-authorized agent, and the user must be authenticated prior to the credential being reset.
It is prohibited for all Colt and third party users to circumvent the password standards guidelines. Any password used to access the SharePoint Extranet environment must meet the password standard guidelines, which users can refer to within the security portal. For example:
- Contains a minimum of eight characters in an alphanumeric combination. Letters should include at least one uppercase and one lowercase letter
- May optionally contain special characters (e.g., !@#$%^&*()_+|~-=`{}[]:";'<>?,./)
- Must not contain family names, pet names, computer terms, birthdays, addresses or any derivation thereof.
The Password Reset Tool is only available for third party user accounts. Should any Colt employee wish to reset their password, the standard password reset process should be followed.
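As an added example (not part of the Colt policy text and not a Colt tool), the following Python checker enforces the password rules listed above: minimum length, alphanumeric mix, upper and lower case, the permitted special-character set, and a denylist check that also catches simple derivations such as letter/digit substitutions. The denylist and the substitution table are constructed assumptions standing in for the family names, pet names, computer terms, birthdays and addresses the policy excludes; a real deployment would populate the denylist from the user's own registration details collected under 4.2.2.

```python
"""Password-standard checker for the rules listed in section 4.2.5.
Added example, not part of the Colt policy; the denylist below is constructed."""
import re

# Special characters the policy lists as optional (copied from the policy text).
SPECIAL_CHARS = set('!@#$%^&*()_+|~-=`{}[]:";\'<>?,./')

# Constructed sample denylist standing in for family names, pet names,
# computer terms, birthdays and addresses. Assumption: populated per user in practice.
DENYLIST = ["smith", "rover", "password", "sharepoint", "colt", "19900101", "10 high street"]

# Common letter/digit substitutions, so "Sm1th" or "r0ver" count as derivations.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text: str) -> str:
    """Lower-case, undo common substitutions and drop separators for comparison."""
    return re.sub(r"[\s_\-.]", "", text.lower().translate(_LEET))


def check_password(password: str, denylist=DENYLIST) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than eight characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("not an alphanumeric combination (needs letters and digits)")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    # Anything that is neither alphanumeric nor in the permitted special set is rejected.
    bad = sorted({c for c in password if not c.isalnum() and c not in SPECIAL_CHARS})
    if bad:
        problems.append("contains characters outside the permitted set: " + "".join(bad))
    # Denylist check on the normalised form catches simple derivations as well.
    norm = normalise(password)
    for word in denylist:
        if normalise(word) in norm:
            problems.append(f"contains a denylisted term or a derivation of it: {word!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor9x", "Sm1thFamily2", "password", "Bad Pass1"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker reports every failing rule rather than stopping at the first one, which is what a self-service reset tool needs in order to give the user a single, complete reason for rejection.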
4.3. Ownership and administration of sites
4.3.1. Site creation
An extranet site may only be created if the Colt site owner has agreed to these Terms of use and has agreed to protect the information to the same level as that required by Colt, as stated in the Colt Minimum Standards for Information Protection policy.
4.3.2. Site deletion
Site owners are responsible for the creation and ownership of sites. Colt can take active steps to monitor all users’ compliance with these Terms of use. In the event of any of the following, sites can be removed without notification:
- Accidental or malicious sharing of information, documentation, metadata or other materials that are Colt highly confidential;
- Any matters of protest or communication that may inflict damage on Colt or any of its customers;
- Breach of policies: the Information Classification Policy, External Acceptable Use Policy, Access Control Policy and other Colt recognised policies and procedures;
- Sites no longer serving the required purpose or requirement;
- Failure to maintain adequate protection and handling requirements for information classification.
4.4. Non-disclosure agreements (NDA)
If there is no contractual relationship, then prior to being given access to any Colt information or information system an external party is required to sign an NDA with Colt and agree to these Terms of use. (The NDA may be signed by an authorized agent of the external party's company, on behalf of the company and its employees.)
Please note: it is the responsibility of the site owner to ensure that no information or data marked as Colt Confidential or Colt highly confidential, as described in the Information Classification Policy, is uploaded, processed or stored on the Third party SharePoint extranet environment.
4.5. General correspondence
Users must not use the Third party SharePoint environment for improper or unlawful purposes, or to receive or send messages which are, in reasonable opinion, offensive, indecent, obscene, menacing, malicious or defamatory, or which infringe any intellectual property right (including, without limitation, trademarks, copyright, or rights relating to domain names), nor allow others to do so.
Users may have access through Colt Extranet SharePoint services to search engines, subscription web services, chat areas, bulletin boards, web pages or other services that promulgate rules, guidelines or agreements to govern their use. Users who post messages in forums, blogs, bulletins and other modes of SharePoint social media are responsible for becoming familiar with any written charter or FAQ governing use and for complying therewith.
4.6. Disruption of service and network security breaches
Under no circumstance should users access or manage any information or metadata on Third party SharePoint that is business critical. Users can store any documents; however, they must be aware of the level of service that will be available.
4.7. Consistent application of controls
Information security requirements levied on Colt employees and Colt information systems to protect Colt’s classified information are required to be applied in a consistent manner to external parties who have been granted access to Colt classified information or Colt information systems.
4.8. Least privilege
Access to Colt systems and information will be strictly controlled on the basis of least privilege. A clear need-to-have or need-to-know must be demonstrated before access will be granted. Every action, transaction or business function performed by an external party on a Colt information system is required to be traceable to an individual.
4.9. Contractual, regulatory and legal clauses
All third party users with access to Colt information must have a contract (through their company) or a non-disclosure agreement that specifies controls, including but not limited to the controls listed below, as applicable for the particular outsourcing arrangement.
Users who breach the Third party SharePoint Terms of use should be aware that they may be in breach of any pre-existing contract or agreement, confidentiality agreements, the data protection act or the non-disclosure agreement.
Contracts are required to include firewall requirements if an extranet connection is to be established.
Contracts are required to identify any security configurations and/or software that are required or prohibited for non-Colt desktops and/or systems.
Contracts are required to preclude the external party from further sub-contracting the service or sharing Colt information with a downstream processor/service provider without prior explicit approval from Colt.
Prior to granting an external party access to any Colt information, the business unit requesting the access is required to ensure that the access complies with any information security requirements defined or directed by legal or regulatory bodies that govern protection and handling of the information (such as EU data protection requirements or national telecommunications regulations).
4.10. Violation of this SharePoint extranet policy
Colt can take active steps to monitor user compliance with these Terms of use. In the event that Colt becomes aware of a breach of these Terms of use, Colt may take any or all of the following actions:
- Colt may inform the Colt site owner of an issue or incident
- Colt may remove the user account from a site
- Colt may require help from a customer in resolving a breach where that customer's system(s) may have been involved
- Colt may charge the offending party for the time and resources used in dealing with the breach; or
- Colt may, without notice, suspend or terminate a network connection or connections.