ISO/IEC 27001 Control 6.6: Confidentiality or non-disclosure agreements
Control
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
Information classification and clearance mechanism can be used to enforce presence of appropriate agreements.
Implementation Details
Clearances can be used to represent appropriate confidentiality and non-disclosure agreements (NDA). Policy rules can be used to limit access to sensitive applications in such a way that a valid NDA is required to grant access to them. Reporting capabilities can be used to analyze and review state of the agreements granted as clearances. Audit trail and assignment meta-data can be used to review history of assignment of clearances.
Implementation Notes
-
Inducements in archetype can be used to denote implied clearances. E.g. all employees have implicit NDA clearance, as they have non-disclosure clause in their employment contracts. This can be modeled by inducing the NDA clearance in employee archetype.
Rationale
MidPoint cannot handle the contractual details of confidentiality and non-disclosure agreements, as required by the control. However, midPoint can enforce presence of appropriate agreement before access is granted to information that requires it.
Documentation
| Version | Title | Description |
|---|---|---|
| Development | Information Classification and Clearances | Using clearances to represent non-disclosure agreement |