Version | 1.12 |
Owner | Head of EngineeringCTO |
Last Updated On | 27 2023 |
Last Updated by | |
Approved by | |
Last Review |
Purpose
Ensure the protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and maintain an agreed level of information security and service delivery in line with supplier agreements.
...
ecoPortal shall not share or transmit Confidential data to a third party without first performing a third-party risk assessment and fully executing a written contract, statement of work, or service agreement that describes expected service levels and any specific information security requirements.
Information security for the use of cloud services
This section outlines the fundamental parameters for managing and mitigating risks related to cloud service usage.
Responsibilities and Risk Management:
Roles and responsibilities related to the use and management of cloud services can be found in the Information Security Roles and Responsibilities Policy.
Information security risks associated with cloud services use shall be managed in accordance with this policy and the /wiki/spaces/EP/pages/883753045.
Security Requirements and Control:
The company shall be responsible for all customer controls as defined in cloud service providers’ responsibility matrices.
Service Selection and Usage Scope:
Reviews of cloud service agreements for inherently high-risk providers shall be performed annually to ensure they align with company requirements.
Incident Management:
Information security incidents related to cloud services shall be managed in accordance with the Incident Response Plan.
Service Review and Exit Strategy:
Risks related to exit and vendor lock-in should be evaluated prior to the acquisition as part of the vendor security assessment.
Provider and Customer Agreement:
Agreements with cloud service providers will specify protections for ecoPortal’s data and service availability, even though they might be predefined and non-negotiable.
Where possible, ecoPortal will seek advance notification from providers concerning substantive changes in service delivery, including changes in technical infrastructure, data storage location, or usage of sub-contractors.
Ongoing Management and Assurance:
Information regarding how to obtain and utilise information security capabilities provided by the cloud service provider should be assessed as part of the vendor review at the time of acquisition.
Third-Party Security Standards
All third parties must maintain reasonable organizational and technical controls as assessed by ecoPortal.
...