Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
Contracts throughout the supply chain should include requirements for all third- and fourth-party service providers and personnel with access to CSP and/or CSC systems and information. Personnel policies should include employment agreements inclusive of information security requirements, security awareness training, and insider risk management.
- Examine the policy for incorporation of requirements into contractual documents throughout the CSP’s supply chain.
- Determine if requirements have been incorporated in contracts.
- Evaluate if the right to audit is protected, where required.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.