Version: 1.12
Owner: Head of EngineeringCTO
Last Updated On: 27 2023
Last Updated by: Bruno Belizario
Approved by: Sean Oldfield
Last Review:

Purpose

Ensure the protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and maintain an agreed level of information security and service delivery in line with supplier agreements.

...

ecoPortal shall not share or transmit Confidential data to a third party without first performing a third-party risk assessment and fully executing a written contract, statement of work, or service agreement that describes expected service levels and any specific information security requirements.

Information security for the use of cloud services

This section outlines the fundamental parameters for managing and mitigating risks related to cloud service usage.

Responsibilities and Risk Management:

Security Requirements and Control:

  • The company shall be responsible for all customer controls as defined in cloud service providers’ responsibility matrices.

Service Selection and Usage Scope:

  • Reviews of cloud service agreements for inherently high-risk providers shall be performed annually to ensure they align with company requirements.

Incident Management:

  • Information security incidents related to cloud services are managed in accordance with the Incident Response Plan.

Service Review and Exit Strategy:

  • Risks related to exit and vendor lock-in should be evaluated prior to the acquisition as part of the vendor security assessment.

Provider and Customer Agreement:

  • Agreements with cloud service providers will specify protections for ecoPortal’s data and service availability, even though they might be predefined and non-negotiable.

  • Where possible, ecoPortal will seek advance notification from providers concerning substantive changes in service delivery, including changes in technical infrastructure, data storage location, or usage of sub-contractors.

Ongoing Management and Assurance:

  • Information regarding how to obtain and utilise information security capabilities provided by the cloud service provider should be assessed as part of the vendor review at the time of acquisition.

Third-Party Security Standards

All third parties must maintain reasonable organisational and technical controls as assessed by ecoPortal.

...