Content library
Data system procurement
Data processing agreement analysis for most important system providers

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
General rules for the procurement of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
15
requirements

Examples of other requirements this task affects

14.1.1: Information security requirements analysis and specification
ISO27 Full
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
HAL-16: Hankintojen turvallisuus
Julkri
5.23: Information security for use of cloud services
ISO27k1 Full
52: Tietoturva- ja tietousojavaatimukset hankintavaatimuksissa
Sec overview
See all related requirements and other information from tasks own page.
Go to >
General rules for the procurement of data systems
1. Task description

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Comprehensiveness of contractual terms for cloud service provisioning
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
5
requirements

Examples of other requirements this task affects

5.23: Information security for use of cloud services
ISO27k1 Full
21.2.e: Secure system acquisition and development
NIS2
See all related requirements and other information from tasks own page.
Go to >
Comprehensiveness of contractual terms for cloud service provisioning
1. Task description

Agreement between a cloud service provider and the organization must include requirements for protecting the organization's data and the availability of services, e.g. in the following ways:

  • providing a solution based on generally accepted architecture and infrastructure standards in the industry
  • managing access rights to meet organizational requirements
  • implementing malware control and protection solutions
  • processing and storage of the organization's sensitive data in approved locations (e.g. a certain country or legislative area)
  • providing support in the event of a data security breach
  • ensuring that the organization's data security requirements are met also in subcontracting chains
  • li>providing support in the collection of digital evidence
  • providing sufficient support when the organization wants to terminate the use of the service
  • required backup and secure management of backups, where applicable
  • information owned by the organization (possibly, e.g. source code, data filled/created for the service) restored upon request or when the service ends
  • notification requirement in relation to significant changes (such as infrastructure, important features, information location or use by subcontractors)
Hankitun järjestelmän koodin tarkistettavuus (ST III-II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
1
requirements

Examples of other requirements this task affects

I13: Ohjelmistoilla toteutettavat pääsynhallintatoteutukset
Katakri
See all related requirements and other information from tasks own page.
Go to >
Hankitun järjestelmän koodin tarkistettavuus (ST III-II)
1. Task description

Kaikki hankitun palvelun/sovelluksen/järjestelmän turvallisuuteen oleellisesti vaikuttava koodi on tarkastettavissa (esim. mahdolliset takaportit, turvattomat toteutukset).

Security rules for the development and acquisition of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
24
requirements

Examples of other requirements this task affects

14.1.1: Information security requirements analysis and specification
ISO27 Full
14.1.2: Securing application services on public networks
ISO27 Full
14.2.5: Secure system engineering principles
ISO27 Full
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
I13: Ohjelmistoilla toteutettavat pääsynhallintatoteutukset
Katakri
See all related requirements and other information from tasks own page.
Go to >
Security rules for the development and acquisition of data systems
1. Task description

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.

Criteria for suppliers of high priority data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
19
requirements

Examples of other requirements this task affects

14.1.1: Information security requirements analysis and specification
ISO27 Full
15.1.1: Information security policy for supplier relationships
ISO27 Full
15.2.1: Monitoring and review of supplier services
ISO27 Full
ID.SC-1: Cyber supply chain
NIST
ID.SC-4: Audit suppliers and third-party partners
NIST
See all related requirements and other information from tasks own page.
Go to >
Criteria for suppliers of high priority data systems
1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

General rules for the acquisition of IoT devices
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
1
requirements

Examples of other requirements this task affects

2.3.10: Reduce the risk posed by IoT devices
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
General rules for the acquisition of IoT devices
1. Task description

Only acquire IoT devices that have built-in security functions and will receive security updates.

It is also important to make sure that it is possible to change all standard passwords and the IoT devices can be forced to only use networks that the organisation has control over.

Requiring a system description from suppliers of important information systems to be acquired
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
7
requirements

Examples of other requirements this task affects

HAL-16: Hankintojen turvallisuus
Julkri
21.2.e: Secure system acquisition and development
NIS2
2.1.1: Include security in the organisation’s procurement process
NSM ICT-SP
2.1.10: Review the service provider’s security when outsourcing
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Requiring a system description from suppliers of important information systems to be acquired
1. Task description

Organization must ensure in advance that the acquired data systems are secure. In order to ensure this, the supplier of the important data system to be acquired must be required to provide sufficient security-related clarifications already at the procurement stage.

The supplier must clarify at least the following:

  • There is a system description of the service. Based on the description of the service provider, you must be able to assess the general suitability of the service in question for the customer's use case. The system description must show at least
  • The service and implementation models of the service, as well as the related service level agreements (Service Level Agreements, SLAs).
  • The principles of the life cycle (development, use, decommissioning) of service provision procedures and security measures, including control measures.
  • Description of the infrastructure, network and system components used in the development, maintenance/management and use of the service.
  • Principles and practices of change management, especially processes for handling changes affecting security.
  • Processing processes for significant events deviating from normal use, for example operating procedures in case of significant system failures.
  • Role and division of responsibilities related to the provision and use of the service between the customer and the service provider. The description must clearly show the actions that are the customer's responsibility in ensuring the safety of the service. The service provider's responsibilities must include the obligation to cooperate, especially in the investigation of abnormal situations.
  • Functions transferred or outsourced to subcontractors.
System portfolio management and proactive design of portfolio
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
2
requirements

Examples of other requirements this task affects

14.1.1: Information security requirements analysis and specification
ISO27 Full
CC8.1: Change management procedures
SOC 2
See all related requirements and other information from tasks own page.
Go to >
System portfolio management and proactive design of portfolio
1. Task description

Determined system portfolio management means a clear picture of the organization's system as a whole, the benefits of different systems and future needs.

The aim of system portfolio management is to achieve e.g.:

  • efficiency benefits by understanding the whole and e.g. the possibilities of integrations
  • eliminate duplication
  • save on unnecessary licensing costs
  • control the number of suppliers
  • facilitate staff guidance
Data processing agreement analysis for most important system providers
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
15
requirements

Examples of other requirements this task affects

28. Data processor
GDPR
14.1.1: Information security requirements analysis and specification
ISO27 Full
15.1.2: Addressing security within supplier agreements
ISO27 Full
HAL-16.1: Hankintojen turvallisuus - sopimukset
Julkri
TSU-04.1: Henkilötietojen käsittelijä - Sopimukset
Julkri
See all related requirements and other information from tasks own page.
Go to >
Data processing agreement analysis for most important system providers
1. Task description

The processing agreement binds the actions of the data processor (such as the system vendor).

It can be important for us to ensure an important partner takes responsibility of e.g. access control (logging) and data recovery at the end of the contract according to our preferred policies.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.