
External Organization Information Security Agreement

ISO/IEC 20000 Toolkit Version 6 ©CertiKit 2016



Implementation Guidance (The header page and this section must be removed from the final version of the document)

Purpose of this document

This document describes recommended areas to be addressed in an agreement with an external organization that involves access to the organization’s information.

Areas of the standard addressed

The following areas of the ISO/IEC 20000 standard are addressed by this document:

- 6.6 Information security management
- 6.6.2 Information security controls

General Guidance

This document sets out some of the areas you will need to agree with each external organization when including information security considerations in an agreement or contract. You will need to obtain legal advice to ensure that it is valid in the country/countries it will be used in. The wording used in this document is intended to give an indication only of the type of content to be included and will need to be amended to be legally acceptable if you decide to include it in a contract.

Review Frequency

We would recommend that this document is reviewed annually.

Toolkit Version Number

ISO/IEC 20000 Toolkit Version 6 ©CertiKit 2016.

Document Fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers

If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly.

Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.

Version 1

Page 1 of 16

[Insert date]

Copyright notice

Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


[Replace with your logo]

External Organization Information Security Agreement

Document Ref.: SMS-DOC-066-7
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:


Revision History

Version | Date | Revision Author | Summary of Changes

Distribution

Name | Title

Approval

Name | Position | Signature | Date


Contents

1 Introduction ........................................ 7
2 Information Security Requirements ................... 8
2.1 Information to be Provided ....................... 8
2.2 Classification Mapping ........................... 8
2.3 Legal and Regulatory Requirements ................ 9
2.4 Controls ......................................... 9
2.5 Incident Management .............................. 10
2.6 Awareness Training ............................... 10
2.7 Recruitment and Screening ........................ 10
2.8 Audit and Review ................................. 10
2.9 Securing the Supply Chain ........................ 10
3 Appendix A - Handling Requirements by Classification ... 12
3.1 Level 0 – Public (or Unclassified) ............... 12
3.1.1 Secure Processing .............................. 12
3.1.2 Storage ........................................ 12
3.1.3 Transmission ................................... 12
3.1.4 Declassification ............................... 12
3.1.5 Destruction .................................... 12
3.1.6 Chain of Custody ............................... 13
3.1.7 Logging of Security-related Events ............. 13
3.2 Level 1 - Protected .............................. 13
3.2.1 Secure Processing .............................. 13
3.2.2 Storage ........................................ 13
3.2.3 Transmission ................................... 13
3.2.4 Declassification ............................... 13
3.2.5 Destruction .................................... 13
3.2.6 Chain of Custody ............................... 14
3.2.7 Logging of Security-related Events ............. 14
3.3 Level 2 - Restricted ............................. 14
3.3.1 Secure Processing .............................. 14
3.3.2 Storage ........................................ 14
3.3.3 Transmission ................................... 14
3.3.4 Declassification ............................... 14
3.3.5 Destruction .................................... 15
3.3.6 Chain of Custody ............................... 15
3.3.7 Logging of Security-related Events ............. 15
3.4 Level 3 - Confidential ........................... 15
3.4.1 Secure Processing .............................. 15
3.4.2 Storage ........................................ 15
3.4.3 Transmission ................................... 16
3.4.4 Declassification ............................... 16
3.4.5 Destruction .................................... 16
3.4.6 Chain of Custody ............................... 16
3.4.7 Logging of Security-related Events ............. 16

List of Tables

Table 1 - Information to be provided ................. 8
Table 2 - Classification mapping ..................... 8
Table 3 - Additional controls required ............... 9


1 Introduction

This document summarises the information security-related areas that should be included in agreements with external organizations in order to protect the confidentiality, integrity and availability of [Organization Name] information. Such external organizations may include suppliers, partners, regulators, customers and other types of interested parties. The exact contractual terms will of course vary according to the subject, scope and nature of the arrangement but care should be taken that the issues referred to in this document are considered for inclusion in each case. This template agreement should be read in conjunction with the following documents which give more detail in specific areas:

- Information Security Policy
- Risk Treatment Plan
- Supplier Management Policy

These documents are available within the SMS.


2 Information Security Requirements

2.1 Information to be Provided

As part of this agreement the following information assets of [Organization Name] will be made available to [External Organization Name] subject to appropriate security controls as defined below:

Asset Name | Asset Description | Personal Information | Type | Data Classification
Customer database | Names and addresses of all customers from the last 5 years | Yes | Information | Protected

Table 1 - Information to be provided

2.2 Classification Mapping

Although the underlying principles are the same, different organizations often use varying schemes to classify the security requirements of their information. In order to reduce the possibility of confusion when information that is protectively marked is transferred between organizations, the mapping of the [Organization Name] scheme onto that of the supplier is shown below.

Level | [Organization Name] Classification | [Supplier Name] Classification | Comments
1 | Public | |
2 | Protected | |
3 | Restricted | |
4 | Confidential | |

Table 2 - Classification mapping

For more details about the [Organization Name] classification scheme, please refer to the Information Classification Procedure (if available). Where appropriate, procedures should be put in place to attach additional markings to information when it is transferred, where this would help ensure its correct and secure treatment within the other organization.


2.3 Legal and Regulatory Requirements

[Organization Name] is required to operate within the legal and regulatory framework set out below and remains responsible for the management of its compliance with this framework at all times.

- European Union General Data Protection Regulation
- Sarbanes-Oxley Act 2002 (USA)
- Health and Safety legislation
- Payment Card Industry – Data Security Standard compliance
- Financial Services legislation
- National and international standards e.g. ISO9001
- Consumer protection legislation
- [Specify laws and regulation relevant to your organization]

[Organization Name] will expect [External Organization Name] to comply with these laws and regulations when handling its information assets.

2.4 Controls

In general the controls required will depend upon the classification of the information concerned as defined in Appendix A of this document. Based on a comprehensive risk assessment the following set of specific additional controls has been identified in the risk treatment plan as being required to achieve the level of security necessary to protect [Organization Name] information.

Ref. | Control | Control Description | Procedural Reference
1. | Access Control | Procedure for the authorisation and deauthorisation of access to information | PROC 1234
2. | Performance review | Regular meetings to identify security improvements and review risks | PROC 1235
3. | Monitoring | Continual monitoring of key information security logs | PROC 1236
4. | Reporting | Production of regular reports on the performance of security controls | PROC 1237
5. | Auditing | Independent audits of the effectiveness and application of security controls | PROC 1238
6. | Policies | Definition and publication of policies in key areas of information security |

Table 3 - Additional controls required

These controls must be in place prior to the start of the relationship.


2.5 Incident Management

[External Organization Name] will notify [Organization Name] in the event of a security breach being discovered within its organization affecting Protected or higher classification information belonging to [Organization Name]. Both parties will provide full co-operation during the incident management process with a view to limiting the impact whilst preserving evidence.

2.6 Awareness Training

Both parties will conduct information security awareness training for all employees and contract staff involved in the relevant activities within their respective organizations. This should ensure that everyone involved is aware of the need to protect [Organization Name] information assets and the policies and procedures used to do so. Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses.

2.7 Recruitment and Screening

[External Organization Name] will carry out an agreed level of screening of all employees and contract staff engaged or recruited to take part in the agreed activities. This may include but is not limited to:

- Personal references
- Work references
- Confirmation of academic and professional qualifications
- CV work history verification
- Criminal records check
- Drug and substances testing

2.8 Audit and Review

[Organization Name] reserves the right to perform a second party audit of the information security aspects of the arrangement in order to establish the effectiveness of the controls employed to protect its information.

2.9 Securing the Supply Chain

In the event that the supplier makes use of further sub-contracted organizations within the supply chain, it is the responsibility of [External Organization Name] to ensure that these organizations protect [Organization Name] information in accordance with this agreement.


[External Organization Name] will not share classified [Organization Name] information with third parties without written permission. This permission should not be unreasonably withheld.


3 Appendix A - Handling Requirements by Classification

For each [Organization Name] security classification level a set of handling controls must be in place by [External Organization Name] to ensure that the information asset involved is appropriately protected at all times. The following sections set out the main procedural components of these controls.

3.1 Level 0 – Public (or Unclassified)

This classification describes information which is in the public domain or is freely published by the organization.

3.1.1 Secure Processing

In general there are no specific controls that must be placed on the processing of such information, although it should be borne in mind that items such as headed stationery and their electronic equivalents should not be made freely available.

3.1.2 Storage

Level 0 information may be stored in unsecured areas accessible to the public. However some controls should be placed on large quantities of such information such as leaflets which could still be subject to theft or misuse. Information of this classification may be stored on electronic media such as backup tapes, DVDs and CDs without encryption or other forms of protection.

3.1.3 Transmission

In general, Level 0 information may be sent in the clear over unencrypted connections or distributed freely in hard copy.

3.1.4 Declassification

Level 0 information will not be subject to declassification as it is already at the lowest level.

3.1.5 Destruction

Information falling within the Level 0 classification may be disposed of via normal waste routes without need for controls such as shredding. Where possible, items should be recycled.


3.1.6 Chain of Custody

Level 0 information assets will be freely distributed amongst organization employees, customers and members of the public where required, without the need to keep records (unless for operational purposes).

3.1.7 Logging of Security-related Events

There is generally no need to log security incidents relating to Level 0 classification items unless subject to criminal activity such as large scale theft of material.

3.2 Level 1 - Protected

Level 1 is the lowest level of classification to which protection is applied.

3.2.1 Secure Processing

Information at this level of classification will be subject to access controls involving either physical security or an authorised user logon or both. Access should not generally be granted in public areas and output such as printouts should be to areas where public access is prevented.

3.2.2 Storage

Information of this classification may be stored on electronic media such as backup tapes, DVDs and CDs. These media should be subject to secure storage such as in a locked room in an area where there is no public access.

3.2.3 Transmission

In general, Level 1 information may be sent in the clear over unencrypted connections in small quantities, such as when dealing with an individual customer. However the use of file encryption is strongly recommended for items such as email attachments, particularly where they contain significant quantities of Level 1 data.

3.2.4 Declassification

Level 1 information may be declassified to “Public” with the permission of the asset owner, at which time the controls specified in section 2.1 above will apply.

3.2.5 Destruction

Level 1 information should be destroyed securely so that it cannot be reconstituted, e.g. via shredding for paper or full deletion for electronic files.


3.2.6 Chain of Custody

No specific controls are placed on the chain of custody for Level 1 information, although reasonable precautions should be taken to ensure that it stays within the organization at all times.

3.2.7 Logging of Security-related Events

Incidents where Level 1 information has been compromised should be recorded and investigated in accordance with the organization’s security incident management procedures.

3.3 Level 2 - Restricted

Level 2 is the second level of classification to which protection is applied.

3.3.1 Secure Processing

Information at this level of classification will be subject to strict access controls involving both physical security and authorised user logon. Access will not be granted in public areas and output such as printouts must be to areas where public and unauthorised employee access is prevented.

3.3.2 Storage

Information of this classification may be stored on electronic media such as backup tapes, DVDs and CDs. These media must be subject to secure storage such as in a locked room in an area where there is no access to unauthorised personnel. Procedures must be in place for the management of keys to such areas.

3.3.3 Transmission

Restricted information may not be sent in the clear over unencrypted connections, and the use of file encryption is mandatory for items such as email attachments.

3.3.4 Declassification

Restricted information may be declassified to “Protected” or “Public” with the permission of the asset owner, at which time the controls specified in the relevant section above will apply.


3.3.5 Destruction

Level 2 information must be destroyed securely so that it cannot be reconstituted, e.g. via shredding for paper or full deletion for electronic files. Where possible, secure destruction should be verified by a second authorised individual.

3.3.6 Chain of Custody

The chain of custody for Level 2 information should be clearly defined and tracked via formal handovers including signatures for acceptance.

3.3.7 Logging of Security-related Events

Incidents where Level 2 information has been compromised should be reported immediately and flagged as a major incident. Such incidents will be recorded and investigated in accordance with the organization’s security incident management procedures.

3.4 Level 3 - Confidential

Level 3 is the highest level of classification to which protection is applied.

3.4.1 Secure Processing

Information at this level of classification will be subject to very strict access controls involving both physical security and authorised user logon, with additional security measures in place. Access will not be granted in public areas and output such as printouts must be to areas where only those organization staff who are authorised to the information asset can reach it.

3.4.2 Storage

Information of this classification must not be stored on removable electronic media such as DVDs and CDs. Backups may be taken as long as this provides no more access than when the information is within the computer system. Backup media must be subject to secure storage such as in a locked room in an area where there is no access to unauthorised personnel. Procedures must be in place for the management of keys to such areas. Additional controls such as encryption must be used where it is practical. Hardcopy information must not be removed from its home office unless with the express approval of the information asset owner.


3.4.3 Transmission

Level 3 information must not be sent in the clear over unencrypted connections and the use of file encryption is mandatory for items such as email attachments (although the use of email is to be discouraged).

3.4.4 Declassification

Confidential information may be declassified to “Restricted”, “Protected” or “Public” with the permission of the asset owner, at which time the controls specified in the relevant section above will apply.

3.4.5 Destruction

Level 3 information must be destroyed securely so that it cannot be reconstituted, e.g. via shredding for paper or full deletion for electronic files. Where possible, secure destruction should be verified by a second authorised individual.

3.4.6 Chain of Custody

The chain of custody for Level 3 information should be clearly defined and tracked via formal handovers including signatures for acceptance. Where possible, copies of the information should be numbered and their possession tracked at all times.

3.4.7 Logging of Security-related Events

Incidents where Level 3 information has been compromised should be reported to senior management immediately and flagged as a major incident. Such incidents will be recorded and investigated in accordance with the organization’s security incident management procedures.
