S 5.88 Agreement regarding the exchange of data with third parties

Initiation responsibility: Agency/company management, IT Security Management

Implementation responsibility: Head of IT Section, IT Security Management

Data can be exchanged with other companies/agencies, for example, via the exchange of data media or by e-mail. As well as the security measures which need to be considered already where the exchange of data is sporadic, when data is exchanged regularly, agreements should be reached with fixed communication partners to ensure that everything goes as smoothly as possible.

Such an agreement should cover the following elements:

• Points of contact should be appointed for both organisational and also technical problems and especially for security-relevant events.

• The necessary technical information, i.e. definitions regarding

• what applications and data formats are supported

• what availability must be guaranteed, i.e. how often, for example, e-mail should be read and how rapidly it should be replied to

• What security measures need to be guaranteed during data exchange, e.g.

• that the data will be checked for computer viruses both before and after exchange

• how the data is to be protected against damage in transit and unauthorised access (locked containers, checksums, encryption)

• how key management will be controlled

• that the originator of the data may not delete it until the recipient has confirmed that it has arrived intact, where deletion is necessary

• A non-disclosure agreement, i.e. an agreement to the effect that information which one of the parties has acquired as a result of working with another party must not be disclosed to outsiders.

• Stipulation as to what data may be used for which purposes (e.g. as regards the reuse of the results of work)

• Obligation to comply with pertinent legislation, regulations and procedures, e.g. data privacy protection and copyright legislation and licence provisions.

Additional points which should be included in such an agreement are listed in S 2.45 Controlling the exchange of data media and S 2.119 Regulations concerning the use of e-mail services.

Additional controls:

• Where there are fixed communication partners, are there agreements regarding the underlying framework conditions?

• Are these agreements updated to accommodate changes in the underlying framework conditions?