UCF ID: 04543
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]
There are no supporting controls.
Authority documents complied with:
ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.8.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.10.8.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 10.8.2; Italy Personal Data Protection Code, § 54.1
ISO Guidance
An agreement should be reached between the organization and external parties for the exchange of information and software. The following should be in the exchange agreement: responsibilities for the transport, dispatch, and receipt; procedures for traceability; packaging standards; courier standards; a labeling system; copyright and ownership information; and any special controls that may be needed. [§ 10.8.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
If two or more organizations plan on exchanging information, a formal exchange agreement should be developed. [Annex A.10.8.2, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
An agreement should be reached between the organization and external parties for the exchange of information and software. The following should be in the exchange agreement: responsibilities for the transport, dispatch, and receipt; procedures for traceability; packaging standards; courier standards; a labeling system; copyright and ownership information; and any special controls that may be needed. [§ 10.8.2, ISO/IEC 27002 Code of practice for information security management, 2005]
Other European and African Guidance
When the police or public security authorities acquire data, records, information, and documents from other entities, the acquisition may occur by electronic means. The concerned bodies may make agreements aimed at facilitating interrogation by the offices or bodies, by electronic communication networks, public registers, filing systems, lists, and data banks in order to implement the provisions and principles laid down in Sections 3 and 11. These agreements will be adopted by the Minister for Home Affairs after receiving a favorable opinion from the Guarantee and will set the arrangements for connections and selective access to only the data required to achieve the purposes of Section 53. [§ 54.1, Italy Personal Data Protection Code]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of systems with critical information assets or functions for which electronic connection by third-party systems is not allowed. [UCF Control ID 02047]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
