Third-Party Information Security Policy
Purpose
This policy outlines how access to our information and technology systems by external individuals and organisations is managed, and defines the responsibilities of those granted access. The purpose of the policy is to ensure the security, integrity, and responsible use of our information and information systems.
Scope
This policy applies to all external users, including vendors, contractors, health service delivery providers, consumers, and any other stakeholders requiring access to our information systems and data.
Policy
All external individuals or organisations given access to EMPHN’s information, information systems or data must maintain the security of EMPHN’s systems and data and use all information and data they access responsibly, in line with the requirements of this policy, EMPHN’s Information Security Policy and EMPHN’s Privacy Policy.
Third-party access and authorisation
Access to our information systems is granted on a need-to-know and least-privilege basis.
- Access must be approved by the sponsoring employee.
- Access may be revoked or modified at any time for security or business reasons.
- Access is reviewed every three months and revoked where there has been no activity.
Termination of access
The sponsoring employee is responsible for notifying EMPHN’s IT Security Team to revoke access at the end of the project/contract or when termination is required for any security or business reason, or in response to a breach of this policy.
Where a contract expires, access for the relevant external users is revoked.
Where a sponsoring employee leaves, responsibility for the external users they sponsor falls under the existing handover plans or is delegated as appropriate.
Where termination is based on user inactivity, the IT Manager will notify the sponsoring employee before revoking access.
Responsibilities
External users must:
- Use EMPHN information and data solely for authorised purposes
- Maintain the confidentiality and privacy of data and information accessed
- Safeguard access credentials and report any suspected unauthorised access
- Promptly report any security incidents or vulnerabilities they discover
- Use secure and up-to-date software and hardware when accessing EMPHN’s information systems
- Comply with all relevant laws, regulations, and contractual agreements
- Adhere to our password protocols and data protection requirements as instructed
- Set up the secure authentication methods EMPHN requires, such as two-factor authentication, when prompted
- Not copy or distribute data without authorisation.
The internal employee sponsoring the external user must:
- Ensure the external user has access to this policy
- Ensure the external user understands their obligations and has read this policy, as well as EMPHN’s Information Security Policy, Privacy Policy and Business Ethics Statement
- Request, modify, or revoke access permissions as needed
- Monitor the external user’s activities and report any suspected policy violations
- Ensure the external user’s access is terminated when no longer required
- Ensure the external user’s access is restricted to sites set up for external sharing
- Ensure the external user’s access is limited to the information they need to know for the authorised purpose
Compliance
Non-compliance may result in access termination, contract termination, legal action, or other remedies.
Exemptions
Any exemption to this policy must be approved by the Executive Director, Corporate Services and recorded in the IT Control Register. Exemption requests must set out the rationale, the duration for which the exemption is required, and the mitigations needed to minimise the resulting risk.
Reporting
EMPHN’s compliance and risk reporting is reviewed at least quarterly by the Executive Leadership Team and Board. Reporting includes incidents of security and data breaches.
Testing this policy
The Executive Director, Corporate Services will assign testing of external access to EMPHN’s information systems at least annually. The test audits external users’ access to confirm that inactive users have been removed and that the remaining access levels are appropriate.
Policy review
This policy will be periodically reviewed in line with EMPHN’s Policy Directory unless prompted earlier by changes at EMPHN, in technology, relevant legislation or in EMPHN’s external environment.
Where to get help?
- For enquiries about this policy, contact the policy owner: the Executive Director, Corporate Services
- You can provide feedback on this policy via the feedback button on EMPHN’s website or intranet.