ID: 2008-
Ref:
Date: 02/10/2008
Title: How to protect Information Assets from theft and exfiltration by Third Parties and Contractors
Abstract: Recommendations to prevent data being copied and removed from organisational premises without permission (exfiltrated).
CPNI have recently become aware of instances where organisations have suspected that their business's information has been copied and removed from their premises without permission (exfiltrated). With the current public and press concern about theft and loss of personal data, the following advice is offered as a means of reducing the opportunities for on-site third parties or contractors to exfiltrate data.
There are a number of ways in which commercially sensitive and personal data can be removed by third parties and contractors, which include:
- Carelessness of staff through the failure to implement policies.
- Electronic means, such as malicious emails and phishing exploits.
- Abuse of access privileges by third party suppliers or contractors, whether working on site or remotely.
In many instances organisations already have policies and procedures that cover many of the issues highlighted below. Recent evidence has shown that problems arise from ineffective enforcement.
The advice is offered as a series of bullet points. If specialist or more detailed advice is required to back up and support these statements, please contact your CPNI advisor or see the relevant CPNI good practice protective guidance.
A wide range of legal measures surround personnel security. Advice should always be sought to ensure that all measures are legally compliant. For a summary of the legal requirements surrounding personnel security reference should be made to CPNI's document entitled 'Personnel Security: Threats, measures and challenges'. This document does not seek to provide legal advice.
Personnel
- Legal requirements - any approach to personnel security must comply with the legal requirements as laid down in all employment, discrimination and data protection laws (this is not an exhaustive list)
- Collect personal details of all third party or contractor staff working on site or having access to your network. For example: full name(s), place and date of birth, current address, nationality, passport number and issuing country (if available).
- Undertake a Baseline Standard Check (if working for HMG or as an HMG contractor) or an equivalent identity background check on third party or contractor staff before they arrive on site, or ensure the third party company undertakes the checks and provides evidence prior to attendance. See CPNI guidance.
- Ensure that third party or contractor staff have comparable screening to permanent employees for equivalent levels of access.
- Retain records of the dates on which all third party or contractor staff attend site, and ensure they sign in and out (ideally electronically) every time they are on site.
- Retain log and audit records of when all third party or contractor staff access your system for a period appropriate to the length of an investigation.
- Ensure that all staff are aware of security issues, and that any behaviour which appears to threaten security is reported to the person responsible for security.
- Conduct random identity checks, including photo identity (e.g. driving licence), on all external parties with site access.
Procedural
- Review and enforce policy on access rights, for example physical access to areas of a building or logical access to IT systems, applications, servers or switches.
- Perform a personnel risk assessment to determine that the level of access is appropriate to the job and the individual
- Educate and train employees who issue access rights, and ensure they realise that there is a disciplinary penalty, for example a formal warning or dismissal, for giving anyone excessive rights.
- Ensure that the issuing of access rights (physical and logical) is undertaken by a permanent employee.
- Devise job function or job role based access security models; create access profiles based on the job role. Allocate each third party or contractor staff a job role access profile.
- Educate all third party and contractor staff in use of passwords, and deny access to all those who abuse the password policy
- Introduce or enforce a laptop policy: only company (i.e. not third party or contractor) laptops may be connected, they must be locked down, and they are subject to regular (random) checks.
- Introduce or enforce a removable media policy, strictly controlling the copying of data onto removable media and its removal from the premises.
- Investigate all incidents of suspected misuse or abuse of systems, databases, laptops, etc.
- Ensure that all incidents of suspected misuse or abuse are reported to the third party's management
- Create a database of anonymous or fictitious test data and give it to third parties and contractors for testing purposes.
- Only conduct User Acceptance Testing with live data with permanent employees on a separate "pre-production system" to which neither third parties nor contractors have access.
- Develop a policy on coding standards and software testing and produce a developers' standards handbook.
- Undertake code and test audits by permanent staff or independent auditors to ensure all code and testing complies with the standards.
- Review contracts to see if it is possible to remove the need for permanent links to countries or territories outside the European Economic Area (EEA), in order to prevent the passing of information to countries which may not have adequate levels of protection for the rights and freedoms of individuals in respect of the processing of personal data (Data Protection Act Principle 8). Alternatively, consider limiting or preventing such links when setting up new contracts or renewing them.
- Control all links to third parties (especially in countries or territories outside the UK or EEA which do not have adequate levels of protection for the information and for the rights of the individual). Make it an "as and when" link, with senior permanent UK staff authorising the creation and breaking of the link.
Technical
- Ensure that system access, usage and database access auditing are activated, and that the logs so generated are managed, and monitored regularly and frequently, by permanent employees.
- Where appropriate, monitor for misuse of access rights such as multiple, simultaneous use of accounts, or chained access using different accounts.
- Install focused network intrusion detection systems looking for data pushed or pulled to specific locations.
- Exercise rigorous change control and configuration management of all software and infrastructure to which a third party or contractor has access.
- Undertake focused penetration tests of third party and contractor applications, peripheral software and environments on a regular basis, e.g. after each software change.
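The two misuse patterns named above (multiple simultaneous use of one account, and chained access using different accounts from the same host) can be checked over ordinary login/logout audit records. The following is an added example, not part of the CPNI advisory; the log format, account names and host names are constructed placeholders.

```python
# Added example (not from the advisory): flag simultaneous and chained account use
# in constructed sample audit records of the form "<timestamp> <account> <host> <event>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "ctr_" accounts are contractor accounts; names are placeholders.
SAMPLE_LOG = """\
2008-10-02T09:00:00 ctr_alice host-11 login
2008-10-02T09:05:00 ctr_alice host-27 login
2008-10-02T09:40:00 ctr_alice host-11 logout
2008-10-02T10:00:00 ctr_bob host-27 login
2008-10-02T10:03:00 svc_dbadmin host-27 login
2008-10-02T10:30:00 ctr_bob host-27 logout
"""

def parse(log):
    """Return a list of (timestamp, account, host, event) tuples in log order."""
    rows = []
    for line in log.splitlines():
        ts, acct, host, ev = line.split()
        rows.append((datetime.fromisoformat(ts), acct, host, ev))
    return rows

def simultaneous_sessions(rows):
    """Flag a login for an account that is still logged in from a different host."""
    open_hosts = defaultdict(set)          # account -> hosts with an open session
    findings = []
    for ts, acct, host, ev in rows:
        if ev == "login":
            if open_hosts[acct] and host not in open_hosts[acct]:
                findings.append((ts, acct, host, sorted(open_hosts[acct])))
            open_hosts[acct].add(host)
        elif ev == "logout":
            open_hosts[acct].discard(host)
    return findings

def chained_access(rows, window=timedelta(minutes=10)):
    """Flag a second account logging in from a host where a different account
    logged in within `window` and has not logged out (account hopping)."""
    active = {}                            # host -> (account, login time)
    findings = []
    for ts, acct, host, ev in rows:
        if ev == "login":
            prev = active.get(host)
            if prev and prev[0] != acct and ts - prev[1] <= window:
                findings.append((ts, prev[0], acct, host))
            active[host] = (acct, ts)
        elif ev == "logout" and active.get(host, (None,))[0] == acct:
            del active[host]
    return findings
```

On the sample records this reports ctr_alice logged in on host-27 while still logged in on host-11, and svc_dbadmin used from host-27 three minutes after ctr_bob logged in there.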