17.3.7 Outsourcing and Information Security

Where the operation or maintenance of a system or service is outsourced, the system owner shall be responsible for monitoring compliance with OIST information security requirements, reporting any discrepancies to the CISO.

In the case of information security incident or misuse of the system, the system owner or CISO may suspend the outsourced service. The procedure for the suspension of service, and correct allocation of authorizations to allow this shall be granted to the CISO by the system owner.

The system owner shall ensure that all information assets handed over to the outsourcer during the course of the contract are duly retrieved or destroyed at the appropriate point on or before termination of the contract.

Where the operation or maintenance of a system or service is outsourced, those matters stipulated in OIST Guidelines for Personal Information Protection [Link:] must be adhered to.