STA-09: Primary Service and Contractual Agreement

This control is new to this version of the control set and incorporates the following item from the previous version: STA-05: Supply Chain Agreements.

Control Statement

Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:

  • Scope, characteristics and location of business relationship and services offered
  • Information security requirements (including SSRM)
  • Change management process
  • Logging and monitoring capability
  • Incident management and communication procedures
  • Right to audit and third party assessment
  • Service termination
  • Interoperability and portability requirements
  • Data privacy

Implementation Guidance

Service agreement content should include, but is not limited to the following:

  1. Scope, characteristics and location of business relationship and services offered (e.g., service level agreements; customer (tenant) data acquisition, exchange and usage, including data processing restrictions, feature sets and functionality; personnel, infrastructure components and supporting services for service delivery and support; roles and responsibilities of provider and customer (tenant) and any subcontractor or outsourced business relationships; geographical location of hosted data, backups and services; and any known regulatory compliance considerations). Refer to STA-08 for CSP management of supply chain applicability. Relevant control domains include particularly DSP, BCR and HRS.
  2. Information security requirements (including SSRM): provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes, acceptable use policies and technical measures implemented to effectively enable governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships, including legal obligations of the CSP to allow government access to customer data. Relevant control domains include particularly DSP and GRM.
  3. Change management process: Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts.
  4. Logging and monitoring capability: Monitoring capabilities and controls implemented by the cloud service provider and made available to the cloud customer so that the cloud customer can monitor the aspects of the cloud service for which it is responsible.
  5. Incident management and communication procedures: Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., the up- and downstream impacted supply chain), complying with the SEF domain's control requirements.
  6. Right to audit and third-party assessment: Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed.
  7. Service termination: Expiration of the business relationship and treatment of the customer (tenant) data impacted.
  8. Interoperability and portability requirements: Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence.
  9. Data privacy: refer to the DSP domain.

Auditing Guidance

  1. Examine the policy for inclusion of the control in third-party agreements.
  2. Examine the policy related to the review of third-party services to determine whether the organization incorporates compliance by third parties.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.