Access Control Policy - Risk Management


The role of Partner Access in Risk Management is to provide a secure environment where partners can access information and tools to help them manage risk. This includes a secure login, password recovery, and access to a variety of resources. 


Third-Party Access

  • Third-Party Vendor Access – Third-party vendors requiring access to Business systems are required to adhere to all policies and user accounts provisioned to third-party users shall be disabled or deactivated when not in use.

  • Guest Account Authorization – Guest/anonymous, shared/group, emergency, and temporary accounts are specifically authorized, and use is monitored by the Security Officer or their designee.

  • Third-Party Connectivity – Any third-party needing interconnectivity with Business systems must be formally approved by Management and participate in the full vendor management process (see Vendor Management Policy). All connections to external parties will be documented and formal agreements in place documenting the interface characteristics, security requirements, and the nature of the information being communicated. Upon establishing a new connection, the network diagram shall be updated.


Provisioning New Access to Third-Party Vendors and/or Business Partners

  • Third-party Vendor/Business Partner’s management or designee shall complete and forward documentation for the need for access to Security Officer or designee.

  • If appropriate, the Security Officer will execute a Business Associate Agreement.

  • The third-party or third-party contact will complete and sign the Third-Party Confidentiality Agreement and/or Business Associate Agreement (if appropriate) and forward the completed form to the Security Officer or designee.

  • A User Access Request Form shall be completed.

  • The Security Officer or designee will establish access and provide users with a one-time use password for initial access which will be required to be changed upon the user’s first login.


Changing Access to Computer/Network Systems for Third-Party Vendors or Business Partners

  • An appropriate management representative shall complete and submit a User Access Request Form to the Security Officer or designee specifying the access changes that need to be made.

  • The Security Officer or designee will make the appropriate access changes to the user’s account.