17.3.6 Outsourcing of IT Services
When contracting with an external party to provide a service or system that will store, transmit or receive OIST information assets, additional consideration must be given to the factors below. These considerations are in addition to the procurement processes detailed in PRP Chapter 28 [link: 28] and the enterprise application review process [link: 17.3.5].
- A service level agreement (SLA) between OIST and the service provider.
- A non-disclosure agreement and other restrictions preventing the use of OIST information assets for purposes other than those intended.
- The maturity of information security process within the service provider.
- Management structures within the service provider and its infrastructure which will protect OIST information assets from unintended changes by third parties, including subcontractors.
- OIST’s right to audit the service provider’s compliance with the contractual and security requirements.
- Regular monitoring and reporting to OIST on information security performance.