M1.3.7 - ADDRESSING SECURITY IN THIRD PARTY AGREEMENTS Implementation Guidance
The entity shall have agreements with every third party that handles the entity's information assets, and those agreements shall cover all relevant security requirements.
Back to M1.3.7 - P2 - ADDRESSING SECURITY IN THIRD PARTY AGREEMENTS
The agreement should be explicit enough that there is no misunderstanding between the entity and the third party about what is required. Entities should also satisfy themselves that the third party is able to indemnify them for losses arising under the agreement.
The following terms should be considered for inclusion in the agreement in order to satisfy the identified security requirements:
A. The information security policy
B. Controls to ensure asset protection, including:
   1. Procedures to protect organizational assets, including information, software and hardware
   2. Any required physical protection controls and mechanisms
   3. Controls to ensure protection against malicious software
   4. Procedures to determine whether any compromise of the assets, e.g. loss or modification of information, software or hardware, has occurred
   5. Controls to ensure the return or destruction of information and assets at the end of the agreement, or at an agreed point in time during it
   6. Confidentiality, integrity, availability, and any other relevant property of the assets
   7. Restrictions on copying and disclosing information, and the use of confidentiality agreements
C. User and administrator training in methods, procedures, and security
D. Ensuring user awareness for information security responsibilities and issues
E. Provision for the transfer of personnel, where appropriate
F. Responsibilities regarding hardware and software installation and maintenance
G. A clear reporting structure and agreed reporting formats
H. A clear and specified process of change management