IT Third Party Security Policy
1. Background and purpose:
The purpose of this policy is to establish a consistent and effective approach for addressing the risks associated with the handling of the Melbourne Racing Club’s (MRC) Information Technology Assets and access to the MRC’s information by external suppliers.
This policy aligns with relevant clauses of ISO 27001: A.15: Supplier Relationships.
2. Scope:
This policy applies to the MRC and all related corporate entities, including the Pegasus Leisure Group, and the term “MRC” shall be deemed to apply to all such entities.
This policy’s scope applies to all information technology assets, information processing facilities owned by MRC, and information technology services provided by a third party.
This policy applies to:
- MRC Staff responsible for managing IT Third Party relationships; and
- Suppliers, Contractors, and IT Third Parties who provide IT related services or have access to MRC’s Information and Information Technology assets, collectively referred to as IT Third Party Services.
3. Third Party Security Management
The following practices must be complied with when engaging IT Third Parties:
3.1. Contracting with third parties
Third parties must contractually and operationally commit to meeting MRC commercial, security and any regulatory compliance obligations. The following requirements must be included in third party agreements unless otherwise agreed by the Executive Director – Legal, Risk & Compliance:
- Confidentiality provisions which explicitly state that persons with access to MRC facilities or proprietary information are not to disseminate any information about MRC, its capabilities or activities without written authorisation from MRC, unless otherwise required by law or to their professional advisers.
- The obligation of the third party to notify MRC in cases of security incidents occurring within the third party, which may affect MRC (e.g. third-party malware/ransomware outbreak, successful third-party network/data breach etc).
- The obligation of the third party to maintain the confidentiality, integrity and availability of MRC information.
- The possibility of renegotiating or MRC terminating the contract if the terms and conditions are not satisfied, for example an undisclosed security incident or third party failing to meet agreed service levels.
- Sub-contracting arrangements where the third party (e.g. Cloud Service Providers) makes use of other suppliers for the delivery of the services and these suppliers maintain direct or indirect access to MRC’s data. The third party must commit that any such suppliers meet MRC security and regulatory compliance obligations.
- All outsourcing contracts must include an agreement on acceptable security controls and a requirement that the outsourcer provide an ISAE 3402 or equivalent document (e.g., ISO27001 certification) on an annual basis.
- Controls must be in place to ensure the security of remote connections between the parties. The third party must utilise the existing MRC security infrastructure and take responsibility for the maintenance of the respective security controls that have been established by MRC.
- The third party must ensure that any suppliers they utilise to fulfil contract requirements meet MRC security and regulatory compliance obligations.
- Ownership of licensing and intellectual property, including escrow agreements must be clearly defined.
- To the extent possible, a “right to audit” clause ensuring that management and/or an authorised representative may physically and/or logically evaluate a third party’s control environment.
- The type, volume and frequency of any files and/or reports that will be exchanged between the two parties.
- The business continuity and disaster recovery arrangements for the resumption of the third-party services in case of service interruption or data loss/destruction.
The MRC IT procurement team, or the individuals responsible for the selection and approval of third-party IT services, engage a legal review of contracted information services agreements where necessary.
MRC IT Procurement is to base all third-party agreements on a templated third-party contract where possible. The template third-party contract must be reviewed by the MRC GM of Technology.
3.2. Ongoing third-party risk management
All third parties classified as “high risk” must be subject to an annual security review by the MRC security team or an authorised representative. The security review must be conducted against the security requirements and respective controls set out in the MRC Information Security Policy and other security-related policies.
The results of the annual review must be communicated to the third party and the third party must commit to specific dates for remediating any identified security issues.
4. Information Security Requirements
4.1. Information Security Policy
All third parties who are given access to MRC information or information systems must comply with the MRC’s information security policies and associated documentation where appropriate.
4.2. Third Party Organisation
Third parties must establish a management framework for information security and risk which is signed off at the appropriate level and ensures the necessary resources to provide required controls.
Documented procedures must be in place to authorise significant changes to agreed MRC Information processing procedures and to ensure relevant information security contracts and controls are maintained.
4.3. Human Resources Security
Third party personnel must be subject to appropriate background and vetting checks, depending upon their roles and access levels.
Third parties must provide suitable information security awareness, training, and education to ensure that their employees understand their responsibilities in maintaining the confidentiality, integrity, and availability of MRC information.
The security of MRC Information must not be compromised as a result of the termination of an employee or supplier contract, or a change of roles.
4.4. Supply Chain Management
Third parties may use suppliers as part of their service to MRC. Any third-party supplier access to MRC Information must be in a controlled and secure manner as required by this policy as well as the MRC Information Security Policy.
4.5. Physical & Environmental Security
MRC Information or systems processing MRC’s Information must be protected against unauthorised physical access, damage or theft.
4.6. Facilities & Equipment Security
Equipment must be secured to prevent loss, damage, theft or compromise of MRC’s information assets.
4.7. Communications & Operations Management
- Operating procedures for information security management and controls related to MRC’s Information must be documented, maintained and made available to users involved in processing MRC’s Information.
- Development, test, and production facilities processing MRC’s Information must be separated to reduce risks of unwanted changes or unauthorised access to production or live MRC Information.
- Production data must not be used in development or test facilities.
- Conflicting duties and areas of responsibility must be segregated to reduce opportunities for unintentional or unauthorised modification or misuse of MRC’s information.
- Controls must be in place to prevent, detect, eradicate and recover from malware threats.
- The third party must have appropriate processes in place to recover from the loss or damage of MRC’s Information or facilities used to process MRC’s Information.
- MRC’s Information held in or connected to third party networks including the network infrastructure itself must have appropriate protection.
- Hardware and software used for processing MRC’s information must provide appropriate protection as per MRC Information Security Policy. Technical security standards for applications used in processing MRC information must be defined, documented and maintained.
- Systems security measures must be in place to guard against the accidental, deliberate or unauthorised disclosure, access, manipulation, alteration, destruction or corruption of information through processing errors, damage, loss or misuse of MRC’s Information.
- A documented policy must be in place to protect against the risks of mobile computing, teleworking activities and communication facilities where these are used to deliver services to MRC.
- Controls to safeguard the availability, integrity and confidentiality of MRC’s Information being exchanged, transferred or stored must be established. Any transfer or exchange of MRC’s Restricted Data must be carried out in a secure manner in compliance with the MRC’s Cryptography Policies and the Information Security Policy.
- Procedures must be in place to actively monitor for, review and act on any unauthorised processing of MRC’s Information.
- Audit records of activities and information security events related to the processing of MRC’s Information must be kept securely, retained as agreed, protected against unauthorised alteration or deletion, and backed up in line with the back-up policy.
4.8. Access Control
All access to MRC Information and relevant processing facilities must be in a secure and controlled manner.
Password controls must be implemented for all accounts with access to MRC Information or processing facilities.
MRC information must be encrypted in line with the MRC Cryptography Policy.
4.9. Information Systems acquisition, development and maintenance
- New information systems or enhancements to existing systems must have agreed business requirements which must specify security controls to maintain or protect MRC’s Information.
- The business requirements must be agreed by the MRC GM of Technology.
- Technical security standards for applications and systems used in processing MRC’s Information must be defined, documented and maintained. New systems and applications must comply with these standards.
- Capacity requirements must take into account the business criticality of the system. Procedures must require information systems to be designed to cope with current and predicted information processing requirements. Regular monitoring and tuning must be applied to ensure required system performance.
- Procedures for the use of cryptography and key management must be in line with the MRC Cryptography Policy.
- The security of applications and systems used to process MRC’s Information must be maintained.
- Any changes to systems or applications processing MRC’s Information must be reviewed and tested to ensure there is no adverse impact on business operations or information security.
- Any major changes must be communicated to the MRC GM of Technology.
- A policy document to outline a secure process for development of software and systems processing MRC’s Information, whether in-house or outsourced, needs to be defined and maintained.
- Access to program source code must be restricted and strictly controlled.
4.10. Technical Vulnerability Management
Risks from exploitation of published technical vulnerabilities affecting applications and systems processing MRC’s Information need to be managed.
Independent third parties must carry out vulnerability scans and penetration tests on the IT infrastructure used to process MRC’s Information using a risk-based approach. The results of these tests and any remediation plans must be communicated to the MRC GM of Technology.
Risk-based procedures for applying security patches and software updates to systems processing MRC’s Information must be formalised and implemented across the infrastructure.
4.11. Incident Management
A documented information security incident response procedure must be established.
Security incidents, issues and control weaknesses related to MRC’s Information and processing facilities must be identified and communicated in a timely manner to allow for corrective action to be taken.
4.12. Business Continuity Management
A Business Continuity Plan in relation to the provision of services to the MRC must be established and, as a minimum, should meet the requirements set out by MRC.
4.13. Compliance with MRC Policies and Standards
Information systems processing MRC’s Information must be checked on an annual basis to ensure they comply with relevant security procedures, including this policy.
An annual report on the compliance of MRC’s Information processing systems against the relevant information security policies and this policy must be provided to the GM of Technology.
In order to ensure compliance and to detect misuse of MRC information systems and/or breaches of Acceptable Use Policies, all users of MRC’s Information and processing facilities must fully cooperate with any MRC-initiated audit activity; this includes audits conducted by third parties on behalf of the MRC.
5. Applicability of other policies
- Information Security Policy
- Access Control Policy
- IT Asset Management Policy
- Cryptographic Controls and Key Management Policy
6. Key Legislation, Acts & Standards
- ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls – https://www.iso.org/standard/54533.html;
- ISO/IEC 27036-2:2014 – Information technology – Security techniques – Information security for supplier relationships – Part 1: Overview & Concepts – https://www.iso.org/standard/59648.html;
- ISO/IEC 27036-2:2014 – Information technology – Security techniques – Information security for supplier relationships – Part 2: Requirements – https://www.iso.org/standard/59680.html;
- Australian Cyber Security Centre (ACSC) – Guidelines for Outsourcing – March 2023 – https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-outsourcing.
7. Enforcement
Violations by Staff may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Violations by IT Third Parties may result in MRC taking action as prescribed under the applicable contractual terms. Where illegal activities are suspected, MRC may report such activities to the applicable authorities.
If any provision of this policy is:
- inconsistent with any term of an agreement with an IT Third Party, then the terms of the agreement shall prevail to the extent of any inconsistency; or
- found to be unenforceable or voided for any reason, such invalidation will not affect any remaining provisions, which will remain in force.
8. Review[1]
This Policy is recommended to be reviewed by the IT Department every second year.
9. Further assistance
For advice and assistance on this policy please direct your enquiries to the IT Department via itsupport@mrc.net.au.
10. Glossary of terms/definitions
| Term | Definition |
| --- | --- |
| Access | Access is defined as the condition where the potential exists for information to flow between entities. |
| Availability | Ensuring that authorised users have access to information and associated assets when required. |
| Confidentiality | Ensuring that information is accessible only to those authorised to have access to MRC IT Systems. |
| External Entities / Vendor / Provider / Service Provider | Refers to an external company or organisation that stores, transmits, and/or processes MRC information assets. |
| Information security incident | A failure or omission in the operation of any security controls agreed upon between MRC and a Third Party (even if implemented by a subcontractor) which may affect the security of MRC systems, applications or data, or the security of MRC services. |
| Integrity | Safeguarding the accuracy and completeness of information and processing methods. |
| Information Technology Assets | Information technology assets are defined as any IT hardware or software that enable MRC to perform its business processes. |
| Information Processing Facilities | Information processing facilities refers to the system, infrastructure, or physical location that houses MRC’s information technology assets. |
| IT Third Party | A supplier-side person or organisation that is external to MRC which provides information technology services to MRC. This definition excludes individuals who are contractors to MRC. |
| IT Third Party Services | The services provided by Suppliers, Contractors, and IT Third Parties who provide IT related services or have access to MRC’s Information and Information Technology assets. |
| KPI | Key Performance Indicator: a measurable value that demonstrates how effectively a company is achieving key business objectives. |
| Outsource | Outsource refers to when an MRC application or infrastructure is not managed on-site. |
| Physical Access | A third party using or being in close physical proximity to MRC ICT Infrastructure hosted in MRC premises, as part of their agreement with MRC. |
| SLA | Service Level Agreement: a commitment between a service provider and a client. Particular aspects of the service (quality, availability, responsibilities) are agreed between the service provider and the service user. |
| Staff (or staff member) | Includes MRC employees, volunteers, board and committee members and contractors (including consultants and temporary staff). |
[1] Review date is recommended only. Should this Policy have not been reviewed or updated by its review date, this Policy shall still remain in force and does not expire.