Secure your external IT services
Does your organization use external suppliers for cloud services or for server operation and maintenance? Such a supplier may gain a great deal of insight into your flow of information. You need a legal agreement in place that governs how the service is used and where the information is stored.
When procuring IT-related services, information security means that you are able to govern the process and to ensure that the supplier protects your information as stipulated by the requirements in the agreement. In practice, your data must be protected from unauthorized access or modification by the supplier. As a customer, you must also be able to examine how the supplier manages your data.
Information security is achieved through a legally binding agreement which should, for example, govern the following:
- Who owns the data, how the data is used, if the data will be shared with a third party in any manner and how the data is safeguarded in all situations. As regards GDPR, there are special provisions in place for what is required if the data will be stored outside of the EU.
- How quickly the service or system is to be functional again after a disruption, and whether the supplier is to provide its own documented continuity plans.
- When and how security incidents are to be reported.
- That the supplier should have a specially designated contact person for information security issues, and that it should be possible to examine all aspects of the supplier’s security management.
- Which information must be backed up at a minimum, how often backups are created, and how the information is restored when required.
- How information is protected through encryption and which algorithm is used to encrypt it. If the organization stores information externally without protecting it with encryption, there should be a formal decision in place that allows this solution.
The data processors engaged by the data controller must be able to provide sufficient guarantees that the processing satisfies the requirements of the General Data Protection Regulation (GDPR) and that the rights of the data subjects are protected. The data controller and the data processor must draw up a data processing agreement; the GDPR specifies what such an agreement is to include.