
PSPCL Outsourcing & Facilities SOP

This document provides guidelines for Punjab State Power Corporation Limited (PSPCL) on outsourcing and managing third party services. It outlines procedures for selecting outsourcing agencies, assessing risks, managing contracts, monitoring third party service delivery, and enforcing information security. The goal is to reduce information security risks when sharing assets and access with external parties. Responsibilities are assigned and controls defined around access management, auditing, and incident response for third party users.

Uploaded by

jogender kumar

Punjab State Power Corporation Limited

(PSPCL)

Standard Operating Procedure SOP21:

Outsourcing and External Facilities Management Procedure
SOP –Outsourcing & External Facilities Management Procedure

Document Control
Document Title: SOP21 – Outsourcing and External Facilities Management Procedure

Intern
Page

Table of Contents
1. Purpose
2. Scope
3. Responsibilities
4. Procedure
4.1 Guidelines for selecting Outsource Agency
4.2 Assessment of Risk related to Outsourcing
4.3 Guidelines for Contract and Confidentiality Agreement with Third Party
4.4 Third Party Service Delivery Management
4.5 Enforcement
5. Document Review
6. Reference


Abbreviations

PSPCL: Punjab State Power Corporation Limited
SOP: Standard Operating Procedure
DCM: Data Center Manager
ISC: Information Security Council


1. Purpose
The purpose of this document is to provide guidelines to reduce the Information Security
risks associated with outsourcing.

2. Scope
This policy applies to all third-party / vendor employees who work in PSPCL.

3. Responsibilities
PSPCL Management and concerned owner.

4. Procedure
4.1 Guidelines for selecting Outsource Agency
• The parameters for selecting an outsource agency shall be clearly defined and documented, taking the following factors into consideration:
  o Organization brand reputation and previous work history
  o Quality of the service provided to its other clients
  o Similar kind of experience in the past
  o Financial stability of the company
  o Competence of the company and its personnel in similar kind of job
  o Level of Quality Assurance and security management standards

4.2 Assessment of Risk related to Outsourcing


• The concerned process owner or higher authority, along with the Risk assessment team (if applicable), analyzes the risk factors associated with outsourcing the task.
• Identify the nature of logical and physical access to PSPCL information assets and facilities required by the third-party employee to fulfill the contractual obligations.
• A review shall be done of the sensitivity and volume of the information assets shared by third-party employees.

• Where there is a business need for access to PSPCL information assets by third parties, it shall be approved by the MR.
• The Access Control Process shall be followed for providing access to third parties, and access shall be provided on a need-to-know basis.
• Third parties shall provide a list, along with details, of all their employees working with PSPCL.
• Third parties shall be required to strictly follow the PSPCL Information Security policy.
• The DCM / concerned process owner shall review the physical and logical access controls implemented for third parties working at their respective locations at least once a quarter. The report of the same shall be submitted to the ISMT.
• Physical access rights of third-party employees at the data centers shall be reviewed by the concerned Datacenter member, and logical access rights by the Security Administrator, on a half-yearly basis. The report of the same shall be submitted to the DCM.
• Upon termination of contract or change of deployed resource(s), the access rights of third-party employees having access to information assets and information processing facilities shall be revoked.
• Commercial risks shall also be analyzed, such as failure of the outsourcer's business or failure to meet the agreed service level agreement.
• Risk of conflict of interest shall also be analyzed if the same outsourcer company provides similar services to PSPCL competitors.

4.3 Guidelines for Contract and Confidentiality Agreement with Third Party
• A formal contract between PSPCL and the concerned outsource company shall be signed to safeguard the interest of both parties. Both parties are bound by the Contract Agreement.
• The security requirements for third parties' access to PSPCL information processing facilities and information shall be addressed in a contract agreed between PSPCL and the respective third parties.

• The contract with the third parties shall include the following (but not limited to):
  o Adherence to the PSPCL information security measures
  o Mechanism for security incident reporting for providing help in investigation, if required
  o Background checks for all personnel deployed by third parties
  o Details of NDA and/or confidentiality agreements to be signed by third parties
  o Agreement on access control mechanism, like permitted access (VPN etc.), shall be clearly defined.
  o The contract shall clearly define the type and purpose of information sharing.
• Upon termination of contract, the confidentiality agreement shall be reviewed to determine whether the confidentiality has to be extended beyond the tenure of the contract or not.

4.4 Third Party Service Delivery Management


The ISC, in consultation with the Project Managers handling projects delivered by third parties, is responsible for implementation of these procedures.

Service Delivery
• PSPCL shall ensure that the service delivery agreement is implemented, operated and maintained by the third party.
• PSPCL shall ensure that the third party maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster.

Monitoring and Review of Third Party Services
• Monitoring and review of third-party services shall ensure that the information security terms and conditions of agreements are being adhered to, and that information security incidents and problems are managed properly.
• The responsibility for monitoring and reviewing third-party services shall be assigned to a designated program management unit.
• The following checks (but not limited to) will be implemented:
  o Monitor service management levels to check adherence to the agreements.

  o Review service reports provided by third party to ensure adherence to SLAs, and arrange regular progress meetings as required.
  o Review records of security events, operational problems, failures, tracing of faults and disruptions related to service delivered.
  o Resolve and manage any identified security problems.

Manage Changes to Third Party Services
• Changes to third party services shall follow change management process. Changes to the provision of services shall be managed, taking into account the criticality of business systems and processes, and re-assessment of risks.

4.5 Enforcement
• Any employee who is found to have violated this policy may be subject to disciplinary action as per PSPCL Punishment & Appeal regulations.

5. Document Review
The document shall be reviewed every year, or as and when required, with the prior approval of the competent authority.

6. Reference
PSPCL ISMS Policy for PO 21 Outsourcing and External Facilities Management Policy
