|
Article 9
|
(Identification of Access Risk of an Information Service Supplier)
The project officer shall conduct a risk assessment taking the following into consideration where it is necessary for an information service supplier to access the information assets and trade secrets of an organization:
- Laws and regulations or competent authority regulations shall be complied with. Security control shall be designed in accordance with the principleofleastprivilege and minimum disclosure necessary for the outsourcing.
- Control measures for the acquisition, use, safekeeping, inquiry, revision, adjustment, and destruction of an organization’s information assets and trade secrets shall be taken into account in their control and management.
- An information service supplier’s responsibility for protection:
- An organization shall require that the access control measures of an information service supplier not be inferior to the terms of the agreement with the organization and Article 7, paragraphs 1 and 2 of the Trade Secrets Act.
- An organizationshall require an information service supplier to warrant that use of the information asset or trade secret concerned is limited to the scope of application.
|