Establish, implement, and maintain nondisclosure agreements.


CONTROL ID
04536
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

This Control has the following implementation support Control(s):
  • Disseminate and communicate nondisclosure agreements to interested personnel and affected parties., CC ID: 16191
  • Require interested personnel and affected parties to sign nondisclosure agreements., CC ID: 06667


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • When the disposal is outsourced to a third party, the organization should require the third party sign a confidentiality agreement. (O75.6, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A person who has acquired personal information about another person and knows or should reasonably know that the person from whom the information was received was subject to an obligation of confidence is subject to a like obligation. (§ 92, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Data controller or processor employees, other persons processing personal data based on an agreement with the data controller or processor, and other persons who come into contact with personal data at the processor's or data controller's site, must maintain the confidentiality of the personal data … (Art 15(1), Czech Republic Personal Data Protection Act, April 4, 2000)
  • The non-disclosure or confidentiality agreements to be concluded with internal employees, external service providers and suppliers of the cloud provider are based on the requirements of the cloud provider in order to protect confidential data and business details. The requirements must be identified… (Section 5.9 KOS-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • If adjustments to the non-disclosure or confidentiality agreements result from the review, the internal and external employees of the cloud provider must be informed about this and new confirmations shall be obtained. (Section 5.9 KOS-08 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Data processing employees must not collect, process, or use personal data without authorization and confidentiality. They must sign an agreement to maintain their confidentiality, which will continue to be valid after they have terminated their activities. (§ 5, German Federal Data Protection Act, September 14, 1994)
  • A non-disclosure obligation is in effect. (2.1.2 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • The non-disclosure requirements are determined and fulfilled. (6.1.2 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Non-disclosure agreement templates are available and checked for legal applicability. (6.1.2 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • The requirements and procedures for the use of non-disclosure agreements and the handling of information requiring protection are reviewed at regular intervals. (6.1.2 Requirements (must) Bullet 4, Information Security Assessment, Version 5.1)
  • the persons/organizations involved, (6.1.2 Requirements (should) Bullet 2 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • the validity period of the agreement, (6.1.2 Requirements (should) Bullet 2 Sub-Bullet 4, Information Security Assessment, Version 5.1)
  • the subject of the agreement, (6.1.2 Requirements (should) Bullet 2 Sub-Bullet 3, Information Security Assessment, Version 5.1)
  • Non-disclosure agreements include provisions for the handling of sensitive information beyond the contractual relationship. (6.1.2 Requirements (should) Bullet 3, Information Security Assessment, Version 5.1)
  • A process for monitoring the validity period of temporary non-disclosure agreements and initiating their extension in due time is defined and implemented. (6.1.2 Requirements (should) Bullet 5, Information Security Assessment, Version 5.1)
  • The organization might consider having non-government employees who have access to information as part of their work sign a confidentiality agreement. (Part I ¶ 24, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • The organization must assess if any of their employees or contractors are notifiable under section 1(1) of the official secrets act 1989. The employees must be notified in writing and the organization must renew the notices every 5 years; review the need for continuing notification; and keep under r… (Security Policy No. 2 ¶ 6, HMG Security Policy Framework, Version 6.0 May 2011)
  • App 1 ¶ 2: The contractor shall ensure all employees working in connection with the agreement have received notice that the Official Secrets Acts 1911 – 1989 applies to them and will continue to apply after the agreement is terminated or completed and, if directed by the security authority, have … (App 1 ¶ 2, App 1 Annex ¶ 2.b, The Contractual process, Version 5.0 October 2010)
  • Non-disclosure agreements between the auditing firm, the auditee, and the audit review committee will be implemented separately. (Disclosure and non-disclosure agreements, Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • Audit review committee members are bound by a non-disclosure agreement with electronic industry citizenship coalition and global e-sustainability initiative when they have access to detailed information from an audit. (§ D ¶ Disclosure and Non-Disclosure Agreements:, EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • A non-disclosure agreement will be executed between the auditing firm, the refinery, and the audit review committee. (§ D ¶ Disclosure and Non-Disclosure Agreements:, EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • Evaluations of personnel security should include mandatory confidentiality agreements. A standard non-disclosure agreement is usually used for outsourcing arrangements. (§ 5.2 (Personnel Security), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Employees who have access to sensitive information should be required to sign a nondisclosure agreement and patent and secrecy agreements. When employees are terminated, they should be required to participate in a debriefing and be given an explanation of the nondisclosure agreement. (Pg 15-I-9, Pg 15-I-18, Pg 15-V-6, Protection of Assets Manual, ASIS International)
  • Terms and Conditions of employment should include a non-disclosure / confidentiality clause. (CF.02.01.02d, The Standard of Good Practice for Information Security)
  • Non-disclosure agreement(s) / confidentiality clause(s) should be signed by external suppliers' IT staff and Information Security staff or incorporated into their employment contracts prior to being granted access to the organization's applications, systems, or networks. (CF.09.05.03, The Standard of Good Practice for Information Security)
  • Terms and Conditions of employment should include a non-disclosure / confidentiality clause. (CF.02.01.02d, The Standard of Good Practice for Information Security, 2013)
  • Non-disclosure agreement(s) / confidentiality clause(s) should be signed by external suppliers' IT staff and Information Security staff or incorporated into their employment contracts prior to being granted access to the organization's applications, systems, or networks. (CF.09.05.03, The Standard of Good Practice for Information Security, 2013)
  • Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals. (HRS-07, Cloud Controls Matrix, v3.0)
  • Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details. (HRS-10, Cloud Controls Matrix, v4.0)
  • Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented and reviewed at planned intervals. (LG-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Personnel. An organization should implement safeguards to reduce the security risks resulting from errors or intentional or unintentional breaking of security rules by personnel (permanent or contracted). Safeguards in this area are listed below. 1. Safeguards for Permanent and Temporary Staff All e… (¶ 8.1.4(1)(2)(4), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. (A.13.2.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Confidentiality or non-disclosure agreements should identify the organization's need to protect its information and should be reviewed regularly. These agreements should contain the following: what information must be protected; how long the agreement lasts; actions to take when the agreement expire… (§ 6.1.5, ISO 27002 Code of practice for information security management, 2005)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health informa… (§ 13.2.4 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. (§ 13.2.4 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. (§ 6.6 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Protective orders should be implemented to guard against the release of proprietary, personal, or confidential Electronically Stored Information that is accessible by the adversary or its expert. (Comment 10.b ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • A "quick peek" agreement requires stringent guidelines and restrictions in order to prevent the waiver of confidentiality and privilege. (Comment 10.d ¶ 2, The Sedona Principles Addressing Electronic Document Production)
  • Each Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Re… (B. R2. 2.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • CSR 1.10.3(6): The organization must identify in the termination and transfer procedures the period that nondisclosure requirements remain effective. CSR 1.10.6: Before access is authorized, CMS business partner Medicare employees and their contractors who are assigned to work with sensitive informa… (CSR 1.10.3(6); CSR 1.10.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Have you examined the non-disclosure agreements to ensure that users are required to sign them before being granted access to the system? (PRNK-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Employees must sign a classified information nondisclosure agreement (SF 312) before being granted access to classified information. If the employee does not sign the SF 312, the organization must deny the employee access to classified information. A copy of the SF 312 must be provided to the cogniz… (§ 3-105, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The Records Officer shall obtain a signed copy of the Documentary Material Removal/Non-Removal Certification and Non-Disclosure Agreement form. (Ch 10 (Responsibilities).b, Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • Non-Federal persons that require access to Chemical-terrorism Vulnerability Information may be required to sign a non-disclosure agreement before access is granted. (§ 27.400(e)(2)(iii), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The organization should require signed confidentiality and nondisclosure agreements before granting new employees, temporary employees, and contractors access to the organization's systems. (Pg 27, FFIEC IT Examination Handbook - Management)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., FedRAMP Security Controls High Baseline, Version 5)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., FedRAMP Security Controls Low Baseline, Version 5)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined to ensure nondisclosure agreements are completed prior to access being granted to the system; the agreements are reviewed and modified on a regular basis; the agreements are signed and retained by the organization; and specific responsibilities… (PS-6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization must have access agreements (e.g., acceptable use agreements, nondisclosure agreements, conflict-of-interest agreements, and Rules of Behavior) with all parties, including third parties and contractors, before access is granted to the smart grid Information System. (SG.PS-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should grant access to classified information with special protection measures only to individuals who have read, understand, and signed a nondisclosure agreement. (App F § PS-6(2)(c), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization ensures that access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a nondisclosure agreement. (PS-6(2)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Have read, understood, and signed a nondisclosure agreement. (PS-6(2)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Have read, understood, and signed a nondisclosure agreement. (PS-6(2) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreeme… (CA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Have read, understood, and signed a nondisclosure agreement. (PS-6(2) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employees should be regularly reminded of their responsibility for not disclosing confidential information and must not take advantage of any information they have obtained. (§ 202.01, NYSE Listed Company Manual)