|
Article 7
|
Safety Control of Information Service Supplier Agreements
- After an organization selects an information service supplier, the parties shall agree on and confirm the content of the agreement. The agreement shall incorporate the following:
- Basic contractual requirements
- term of the agreement
- scope of service
- delivery date of the service
- service standard
- provisions on the change of service
- standards for acceptance testing of the service
- procedures for handling an information and communication security event, including the requirement that the engaged contractor take the initiative to notify the principal promptly should such event occur
- clauses giving the organization rights to audit the information service supplier, including, within the scope of outsourcing,the information service supplier consents that a competent authority or the Central Bank may obtain relevant data or reports and conduct financial examinations or may order it to provide related data or reports within the prescribed time limit
- provisions on the assignment of the agreement or consent to subcontracting
- confidentiality clause
- penal provisions and damages clause
- dispute resolution procedures
- breach of contract clause
- provisions on termination, including material grounds for termination and clauses entitling a competent authority to give notice of termination or rescission in accordance with the contract
- consequences of termination
- warranty
- rights and responsibilities
- Requirements for the information service supplier’s products and services
- An organization shall specify expressly the intellectual property rights in the IT-outsourced service or product.
- An organization shall specify expressly whether subcontracting of the IT-outsourced service or product to other suppliers is permitted. If it is permitted, the information service supplier shall provide the subcontracting plan and obtain the organization’s approval before proceeding with the subcontracting.
- A type 1 organization shall specify expressly the requirement that security by design be incorporated into the service or product being procured during its inception. The security by design mechanism shall include, in respect of the service and product, the protection of classified information, authorization and authentication, security update, etc.
- A type 1 organization shall specify expressly the requirement that privacy by design be incorporated into the service or product being procured during its inception.
- Where the scope of service involves the development, maintenance, and monitoring of the information and communication system, an organization shall expressly require the information service supplier to comply with the Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets.
- Where the scope of service involves the use of the cloud computing service, an organization shall expressly require the information service supplier to comply with the Securities and Futures Market Related Association Emerging Technology Information Security Control Guidelines.
- Requirements for information security of the information service supplier
- An organization shall specify expressly the information security requirements, Personal Data Protection Act, other applicable laws and regulations, and confidentiality obligations with which the information service supplier shall comply.
- An organization shall specify expressly its role and responsibilities and those of the information service supplier in regard to information security within the scope of IT outsourcing.
- An organization shall specify expressly that the information service supplier shall provide certification of security testing such as mobile application security checks, source code analyses, vulnerability scans, etc. and shall ensure the system or program delivered is free of malicious programs and backdoors. Programs installed on the Internet shall pass code scanning or black box testing.
- An organization shall specify expressly that the information service supplier be required to present certification of the sources and licences of the components of third-party programs.
- An organization shall specify expressly that information on the scope of service outsourced by the organization as processed by the information service supplier be made available within the time limit prescribed by the organization.
- An organization shall specify expressly the procedures for an information service supplier to handle a change of service or information and communication security event.
- A type 1 organization shall specify expressly that, to the extent of IT outsourcing, information of the organization be clearly separated from data of an information service supplier and data of other organizations that are processed by an information service supplier and shall encrypt said information for protection.
- A type 1 organization shall specify expressly the permits and licenses concerning information security and quality that shall be obtained by an information service supplier.
- An organization shall ascertain the extent of completion of confidentiality undertakings by an information service supplier during the execution of the contract.
|