M1.3.6 - ADDRESSING SECURITY WHEN DEALING WITH CUSTOMERS: Implementation Guidance
The entity shall address all identified security requirements before giving customers access to the entity’s information or assets.
The following terms should be considered to address security prior to giving customers access to any of the entity’s assets (depending on the type and extent of access given, not all of them might apply):
A. Asset protection, including:
- 1- Procedures to protect the entity’s assets, including information and software, and management of known vulnerabilities
- 2- Procedures to determine whether any compromise of the assets, e.g. loss or modification of data, has occurred
- 3- Integrity
- 4- Restrictions on copying and disclosing information
B. Description of the product or service to be provided
C. The different reasons, requirements, and benefits for customer access
D. Access control policy, covering:
- 1- Permitted access methods, and the control and use of unique identifiers such as user IDs and passwords
- 2- An authorization process for user access and privileges
- 3- A statement that all access that is not explicitly authorized is forbidden
- 4- A process for revoking access rights or interrupting the connection between systems
E. Arrangements for reporting, notification, and investigation of information inaccuracies (e.g. of personal details), information security incidents and security breaches
F. A description of each service to be made available
G. The target level of service and unacceptable levels of service
H. The right to monitor, and revoke, any activity related to the entity’s assets
I. The respective liabilities of the entity and the customer
J. Responsibilities with respect to legal matters and how compliance with legal requirements is ensured, e.g. data protection legislation, especially taking into account different national legal systems if the agreement involves co-operation with customers in other countries
K. Intellectual property rights (IPRs) and copyright assignment, and protection of any collaborative work