An organisation’s systems, applications and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.
Topic
Access to systems, applications and data by service providers
Applicable to
all
History
Priority
should not
Jun 2024
An organisation’s systems, applications and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.
The existing control recommending that an organisation’s systems and data not be accessed or administered by a service provider, unless a contractual arrangement exists between the organisation and the service provider to do so, was amended to include applications.
Jul 2020
An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.
Security control 1073 was amended to removethe caveat that it only appliedwhen service provider access occurredfrom outside of Australian borders.
Jun 2020
An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so.
2015
Agency data and computing environments must not be accessed, configured or administeredfrom outside Australian borders by a service provider unless a contractual arrangement existsbetween the service provider and customer to do so.
2010
Service providers should not allow information to leave Australian borders unless approved by thesponsoring agency.