S 5.88 Agreement regarding the exchange of data with third parties
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Data can be exchanged with other companies or government agencies, for example by exchanging data media or by e-mail. The security measures that already have to be considered for sporadic exchanges of data apply here as well; in addition, where data is exchanged regularly, agreements should be reached with the fixed communication partners so that the exchange runs as smoothly as possible.
Such an agreement should cover the following elements:
- appointing points of contact for both organisational and technical problems, and especially for security-relevant events
- the necessary technical information, i.e. definitions of:
  - which applications and data formats are supported
  - what availability must be guaranteed, i.e. how often, for example, e-mail is to be read and how quickly it is to be answered
- which security measures must be guaranteed during the data exchange, e.g.:
  - that the data is checked for computer viruses both before and after the exchange
  - how the data is protected against damage in transit and against unauthorised access (locked containers, checksums, encryption)
  - how key management is controlled
  - that, where the originator needs to delete the data, it may not do so until the recipient has confirmed that the data arrived intact
- a non-disclosure agreement, i.e. an agreement that information one party has acquired as a result of working with the other party must not be disclosed to outsiders
- a stipulation as to which data may be used for which purposes (e.g. regarding the reuse of work results)
- an obligation to comply with the pertinent legislation, regulations and procedures, e.g. data privacy protection and copyright legislation and licence provisions.
Additional points which should be included in such an agreement are listed in S 2.45 Controlling the exchange of data media and S 2.455 Defining a security policy for Groupware.
Review questions:
- Have the required security measures been agreed upon for the regular exchange of data with fixed communication partners?
- Have the data formats and the secure form of the data exchange been defined?
- Have points of contact been appointed for both organisational and technical problems, and especially for security-related events, when exchanging data with third parties?
- Have availability and response times been agreed upon for the exchange of data with third parties?
- Has it been defined which exchanged data may be used for which purposes?