Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.
Agreement between a cloud service provider and the organization must include requirements for protecting the organization's data and the availability of services, e.g. in the following ways:
Kaikki hankitun palvelun/sovelluksen/järjestelmän turvallisuuteen oleellisesti vaikuttava koodi on tarkastettavissa (esim. mahdolliset takaportit, turvattomat toteutukset).
Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.
The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:
Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.
Organization must ensure in advance that the acquired data systems are secure. In order to ensure this, the supplier of the important data system to be acquired must be required to provide sufficient security-related clarifications already at the procurement stage.
The supplier must clarify at least the following:
Determined system portfolio management means a clear picture of the organization's system as a whole, the benefits of different systems and future needs.
The aim of system portfolio management is to achieve e.g.:
The processing agreement binds the actions of the data processor (such as the system vendor).
It can be important for us to ensure an important partner takes responsibility of e.g. access control (logging) and data recovery at the end of the contract according to our preferred policies.