HRS-10: Non-Disclosure Agreements

Control Family:

Human Resources

Control Statement

Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.

Implementation Guidance

The non-disclosure agreement should protect confidential information through legally binding terms. Those terms should be derived from the organization's information security requirements, and the type of information covered should determine what access is permitted and how the information must be handled. The agreement should include at least the following:

  1. What information is protected.
  2. The duration of the agreement.
  3. The parties to the agreement.
  4. The responsibilities of each party.
  5. Terms for the destruction of the protected information once the agreement has ended.
  6. The actions expected if a breach of the agreement's terms occurs.

Auditing Guidance

  1. Examine whether the organization has identified and documented its requirements for non-disclosure and confidentiality agreements.
  2. Determine the planned interval at which those requirements are reviewed.
  3. Verify that the requirements are actually reviewed at that planned interval.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.