Maintain security responsibility during outsourcing

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

• the data used by the supplier (and possible data classification) and staff receiving access to data
• rules on the acceptable use of data
• confidentiality requirements for data processing staff
• parties responsibilities in meeting regulatory requirements
• parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
• reporting and correcting incidents
• requirements for the use of subcontractors
• allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
• a commitment to return or destroy data at the end of the contract
• the supplier's responsibility to comply with organization's security guidelines

The organization has included the service level requirements necessary for the continuity of operations as part of procurement requirements and contracts.

In particular, it is important to agree on the parts of the data processing environment that are necessary for critical functions (e.g. the information systems and partners that support these functions) in a way that guarantees sufficient availability of services. Contracts can include requirements, e.g. general service level (SLA) and recovery from problem situations (RPO, RTO).

The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.

The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:

• Evaluating interdependencies
• Assessing risks related to contracts provided by third parties
• Addressing the scalability of risk management based on the organization's size and needs

Even when development is outsourced, we remain responsible for complying with appropriate laws and verifying the effectiveness of security controls.

We have defined the procedures that we monitor and follow throughout the outsourcing chain.Practices may include e.g. the following things:

• policies for reviewing and approving generated code
• evidence of testing activities performed by the partner
• communication practices
• contractual rights to audit the development process and management tools
• documentation requirements for code generation

When assessing risks related to ICT services supporting critical functions, financial entities should consider:

• Whether contracting with a non-substitutable ICT service provider is involved.
• The implications of multiple contracts with the same or closely connected ICT service providers.
• Evaluating alternative solutions like using different service providers, aligning with business needs and digital resilience strategy.

Regarding subcontracting:

• Financial entities should assess benefits and risks of subcontracting, especially when subcontractors are based in third countries.
• Consideration of insolvency law provisions in case of the service provider's bankruptcy and constraints on data recovery.
• Compliance with Union data protection rules and law enforcement in third countries.
• Assessment of potential impacts of complex subcontracting chains on monitoring and supervisory abilities.