T4.2.2 - AGREEMENTS ON INFORMATION TRANSFER Implementation Guidance
The entity shall establish agreements for the exchange of information and software between the entity and external parties.
Exchange agreements should consider the following security conditions:
- A. Management responsibilities for controlling and notifying transmission, dispatch, and receipt;
- B. Procedures for notifying the sender of transmission, dispatch, and receipt;
- C. Procedures to ensure traceability and non-repudiation;
- D. Minimum technical standards for packaging and transmission;
- E. Escrow agreements;
- F. Courier identification standards;
- G. Responsibilities and liabilities in the event of information security incidents, such as loss of data;
- H. Use of an agreed labeling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;
- I. Ownership and responsibilities for data protection, copyright, software license compliance and similar considerations;
- J. Technical standards for recording and reading information and software;
- K. Any special controls that may be required to protect sensitive items, such as cryptographic keys.
Policies, procedures, and standards should be established and maintained to protect information and physical media in transit (refer to T4.2.3 - PHYSICAL MEDIA IN TRANSIT Implementation Guidance), and should be referenced in such exchange agreements.
The security content of any agreement should reflect the sensitivity of the business information involved.