Organisation must define
Customer groups or individual significant customers that are important to the organization's operations are usually one of the most important stakeholders, also from the point of view of information security. Other stakeholders are treated through other tasks.
A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier about the parties' obligations regarding compliance with security requirements.
The organization shall include in the supplier agreement, as appropriate:
The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.
The organization has included the service level requirements necessary for the continuity of operations as part of procurement requirements and contracts.
In particular, it is important to agree on the parts of the data processing environment that are necessary for critical functions (e.g. the information systems and partners that support these functions) in a way that guarantees sufficient availability of services. Contracts can include requirements such as a general service level (SLA) and recovery targets for problem situations (RPO, RTO).
The organization must communicate to suppliers their roles and responsibilities in supply chain security. It must also be ensured that suppliers understand their security guidelines and any other security responsibilities under the agreements.
When involving subprocessors in processing personal data related to offered cloud services, the organization ensures that contracts clearly specify the minimum technical and organizational security measures required from subprocessors.
The organization lists the relevant government actors with whom it is important to maintain active contact and, if necessary, get in touch quickly. These authorities include national law enforcement and supervisory authorities.
A clear contact person should be defined for the relevant authorities to act as a contact point for the organization.
The organization should actively maintain contacts with cloud-related stakeholders and other relevant parties related to the organization's operations.
The organization shall identify
Data system providers and personal data processors are treated through separate tasks.
A responsible person has been appointed for each provider company to monitor the provider's activities, communications and compliance with the contract.
The responsible person must have sufficient skills to analyze cyber security requirements, depending on the criticality of the provider. The responsible person also ensures that the provider appoints its own responsible person to ensure compliance with the contract and facilitate cooperation.
A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.
Monitoring includes the following:
Define participation conditions in information-sharing arrangements and notify competent authorities of participation.
When assessing risks related to ICT services supporting critical functions, financial entities should consider:
Regarding subcontracting:
The contractual agreements for critical ICT services should include:
External IT services are not used without explicit assessment and implementation of the information security requirements:
The external IT service must meet the requirements applicable to the data it will handle.
The organization must review at regular intervals that only approved external IT services are in use.
The organization coordinates how relations with the public are managed by implementing a structured public relations management process. The organization assigns a dedicated Public Relations Officer (PRO) to handle all media interactions, manage requests for interviews, triage phone and email requests, and ensure that public-facing information aligns with organizational policies.
The organization should establish agreements with relevant third parties to provide consultation if needed during an incident.
These third parties could include, e.g., CERTs (Computer Emergency Response Teams), IT specialists in various fields, and equipment or software providers.
The organization establishes processes and means to handle and share vulnerability disclosures, such as:
The organization must obtain confidentiality commitments:
Furthermore, privacy commitments must be obtained:
The organization must assess:
The organization shall actively maintain contacts with stakeholders relevant to its operations and with other actors relevant to its operations and security.
The goal is especially to:
Supplier and partner agreements should include requirements that directly limit changes affecting customer environments.
Changes should be explicitly approved and included in the scope of service level agreements.
The responsible person monitors significant changes in the supplier's operations that may affect the supplier relationship and service level and thus require further measures. The following aspects are taken into account:
Data processing agreements bind the actions of a personal data processing partner.
It can be important to require a key partner to, for example, ensure that confidentiality requirements are met by its personnel and to restrict the use of other processors of personal data in connection with our data.