Are sub-contractor exit procedures and requirements included in the contract?
Does the sub-contractor termination process include the return or destruction of information and information processing assets used to process information?
Are information security self-assessments (including vulnerability assessments or penetration tests) performed on a regular basis?
Is the responsibility of managing the security relationship with each of the sub-contractors allocated to a named staff member with accountability being at a senior management level?
Is access to information by sub-contractors only provided through pre-defined physical, logical and procedural controls defined in the agreements between the third party and sub-contractor?
When no longer required, is sub-contractor access to information terminated as promptly as possible?
Does management require the use of confidentiality or non-disclosure agreements for all third parties?
Has an information security manager been nominated to hold responsibility and accountability for the protection of information?
Is there a process for the notification and reporting of unauthorized disclosure or confidential information breaches relating to information?
Do you undertake regular audits of your third parties to monitor compliance with your Information Security Policy and security standards?