Review the service provider’s security when outsourcing

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

• the data used by the supplier (and possible data classification) and staff receiving access to data
• rules on the acceptable use of data
• confidentiality requirements for data processing staff
• parties responsibilities in meeting regulatory requirements
• parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
• reporting and correcting incidents
• requirements for the use of subcontractors
• allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
• a commitment to return or destroy data at the end of the contract
• the supplier's responsibility to comply with organization's security guidelines

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things to report as an incident include e.g.:

• unauthorized access to data / premises
• action against security guidelines
• suspected security issue (e.g. phishing, malware infection)
• data system outage
• accidental or intentional destruction / alteration of data
• lost or stolen device
• compromised password
• lost physical identifier (e.g. keychain, smart card, smart sticker)
• suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

• monitoring the promised service level
• reviewing supplier reports and arranging follow-up meetings
• regular organization of independent audits
• follow-up of problems identified in audits
• more detailed investigation of security incidents and review of related documentation
• review of the supplier's future plans (related to maintaining the service level)

Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.

Management must ensure e.g.:

• interference management has clear responsibilities
• there is a documented process for responding, handling and reporting incidents

The process must ensure e.g.:

• staff have a clear contact point / tool and instructions for reporting incidents
• the reported security breaches will be addressed by qualified personnel in a sufficiently comprehensive manner

The organization must clearly document all the digital services it provides to its customers according to the cloud service model.

The documentation for digital services must include the partners involved in the service supply chain. The partner listing must include supporting services (such as IaaS, such as AWS or MS Azure), other partners included in the main service provider's supply chain (such as outsourced development), and other services that complement the actual service (including IDaaS, CDN).

In the future, supply chain documentation can be used to review a more detailed division of safety responsibilities.

Organization must ensure in advance that the acquired data systems are secure. In order to ensure this, the supplier of the important data system to be acquired must be required to provide sufficient security-related clarifications already at the procurement stage.

The supplier must clarify at least the following:

• There is a system description of the service. Based on the description of the service provider, you must be able to assess the general suitability of the service in question for the customer's use case. The system description must show at least
• The service and implementation models of the service, as well as the related service level agreements (Service Level Agreements, SLAs).
• The principles of the life cycle (development, use, decommissioning) of service provision procedures and security measures, including control measures.
• Description of the infrastructure, network and system components used in the development, maintenance/management and use of the service.
• Principles and practices of change management, especially processes for handling changes affecting security.
• Processing processes for significant events deviating from normal use, for example operating procedures in case of significant system failures.
• Role and division of responsibilities related to the provision and use of the service between the customer and the service provider. The description must clearly show the actions that are the customer's responsibility in ensuring the safety of the service. The service provider's responsibilities must include the obligation to cooperate, especially in the investigation of abnormal situations.
• Functions transferred or outsourced to subcontractors.