Back

Specify asset ownership in outsourcing contracts.


CONTROL ID
13141
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain outsourcing contracts., CC ID: 13124

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • While AIs are expected to take into account the general guidance specified in SA-2 “Outsourcing” when managing technology outsourcing, they should also have regard to the following controls: - technology service providers should have sufficient resources and expertise to comply with the substanc… (7.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • contractual protection to ensure access to IT assets pertaining to the Australian-regulated operations. This includes defining ownership and jurisdiction of the IT assets. (Attachment B ¶ 17(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Contract(s) specifying equipment ownership and responsibility, if management of the operating center is outsourced. (App A Objective 14:1b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)