The organization shall map, document, authorize and, when changes occur, update all external services and the connections made with them.
Guidance
- Outsourcing of systems, software platforms and applications used within the organization is covered in ID.AM-1 & ID.AM-2
- External information systems are systems, or components of systems, over which organizations typically have no direct supervision and authority regarding the application of security requirements and controls, or the determination of the effectiveness of the controls implemented on those systems, i.e., services that are run in cloud, SaaS, hosting or other external environments, APIs (Application Programming Interfaces)…
- Mapping external services and the connections made to them, and authorizing them in advance, avoids wasting resources investigating a supposedly non-authenticated connection to external systems.
The flow of information to/from external systems shall be mapped, documented, authorized, and updated when changes occur.
Guidance
Consider requiring external service providers to identify and document the functions, ports, protocols, and services necessary for the connection services.
The organisation must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.
Data system documentation must include at least:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
The organization maintains documentation of the interfaces and other connections between data systems and of the data transmission methods used in those interfaces.
The documentation concerning the interfaces shall be reviewed regularly and after significant changes to data systems.