From: ISO/IEC 27002:2005, Reference 6.2.3 Addressing security in third party agreements
"Control: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities should cover all relevant security requirements.
Implementation guidance: The agreement should ensure that there is no misunderstanding between the organization and the third party. Organizations should satisfy themselves as to the indemnity of the third party.
The following terms should be considered for inclusion in the agreement in order to satisfy the identified security requirements (see 6.2.1):
a) the information security policy;
b) controls to ensure asset protection, including: 1) procedures to protect organizational assets, including information, software and hardware; 2) any required physical protection controls and mechanisms; 3) controls to ensure protection against malicious software (see 10.4.1); 4) procedures to determine whether any compromise of the assets, e.g. loss or modification of information, software and hardware, has occurred; 5) controls to ensure the return or destruction of information and assets at the end of, or at an agreed point in time during, the agreement; 6) confidentiality, integrity, availability, and any other relevant property (see 2.1.5) of the assets; 7) restrictions on copying and disclosing information, and using confidentiality agreements (see 6.1.5);
c) user and administrator training in methods, procedures, and security;
d) ensuring user awareness for information security responsibilities and issues;
e) provision for the transfer of personnel, where appropriate;
f) responsibilities regarding hardware and software installation and maintenance;
g) a clear reporting structure and agreed reporting formats;
h) a clear and specified process of change management;
i) access control policy, covering: 1) the different reasons, requirements, and benefits that make the access by the third party necessary; 2) permitted access methods, and the control and use of unique identifiers such as user IDs and passwords; 3) an authorization process for user access and privileges; 4) a requirement to maintain a list of individuals authorized to use the services being made available, and what their rights and privileges are with respect to such use; 5) a statement that all access that is not explicitly authorized is forbidden; 6) a process for revoking access rights or interrupting the connection between systems;
j) arrangements for reporting, notification, and investigation of information security incidents and security breaches, as well as violations of the requirements stated in the agreement;
k) a description of the product or service to be provided, and a description of the information to be made available along with its security classification (see 7.2.1);
l) the target level of service and unacceptable levels of service;
m) the definition of verifiable performance criteria, their monitoring and reporting;
n) the right to monitor, and revoke, any activity related to the organization's assets;
o) the right to audit responsibilities defined in the agreement, to have those audits carried out by a third party, and to enumerate the statutory rights of auditors;
p) the establishment of an escalation process for problem resolution;
q) service continuity requirements, including measures for availability and reliability, in accordance with an organization's business priorities;
r) the respective liabilities of the parties to the agreement;
s) responsibilities with respect to legal matters and how it is ensured that the legal requirements are met, e.g. data protection legislation, especially taking into account different national legal systems if the agreement involves co-operation with organizations in other countries (see also 15.1);
t) intellectual property rights (IPRs) and copyright assignment (see 15.1.2) and protection of any collaborative work (see also 6.1.5);
u) involvement of the third party with subcontractors, and the security controls these subcontractors need to implement;
v) conditions for renegotiation/termination of agreements: 1) a contingency plan should be in place in case either party wishes to terminate the relation before the end of the agreements; 2) renegotiation of agreements if the security requirements of the organization change; 3) current documentation of asset lists, licenses, agreements or rights relating to them.
Other information: The agreements can vary considerably for different organizations and among the different types of third parties. Therefore, care should be taken to include all identified risks and security requirements (see also 6.2.1) in the agreements. Where necessary, the required controls and procedures can be expanded in a security management plan. If information security management is outsourced, the agreements should address how the third party will guarantee that adequate security, as defined by the risk assessment, will be maintained, and how security will be adapted to identify and deal with changes to risks. Some of the differences between outsourcing and the other forms of third party service provision include the question of liability, planning the transition period and potential disruption of operations during this period, contingency planning arrangements and due diligence reviews, and collection and management of information on security incidents. Therefore, it is important that the organization plans and manages the transition to an outsourced arrangement and has suitable processes in place to manage changes and the renegotiation/termination of agreements. The procedures for continuing processing in the event that the third party becomes unable to supply its services need to be considered in the agreement to avoid any delay in arranging replacement services. Agreements with third parties may also involve other parties. Agreements granting third party access should include allowance for designation of other eligible parties and conditions for their access and involvement.
Generally agreements are primarily developed by the organization. There may be occasions in some circumstances where an agreement may be developed and imposed upon an organization by a third party. The organization needs to ensure that its own security is not unnecessarily impacted by third party requirements stipulated in imposed agreements."
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).