Control 6.6: Confidentiality or Non-Disclosure Agreements


Summary

Confidentiality or non-disclosure agreements (NDAs) reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed, and signed by personnel and other interested parties. This ensures that everyone with access to sensitive assets is legally bound to maintain secrecy.


Applicability

In-Scope: Mandatory for all personnel, contractors, and third-party partners who interact with proprietary data or client information. It is a foundational legal requirement for protecting intellectual property and complying with privacy mandates.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Digital Signing: Use Microsoft Purview integrations or Adobe/DocuSign connectors within Microsoft Teams to facilitate the formal signing and tracking of NDAs during onboarding.

  • Access Gating: Implement Entra ID Conditional Access to ensure that external guests cannot access specific SharePoint sites until they have accepted the digital Terms of Use, which includes confidentiality clauses.

  • Record Management: Store executed NDAs in a restricted SharePoint library with retention labels that prevent unauthorized deletion for the duration of the legal requirement.
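The "Access Gating" bullet above only works as a control if the Terms of Use agreement is actually referenced by an enabled Conditional Access policy and if acceptance can be evidenced per guest. The script below is an added example (not CyberInfo's or Microsoft's own code) that produces that evidence with the Microsoft Graph PowerShell SDK: it resolves the agreement, checks which Conditional Access policies enforce it, and reports each guest's acceptance state to a CSV an auditor can review. It assumes the NDA clauses live in a Terms of Use agreement whose display name is the placeholder "External NDA", and that the signed-in account holds the read-only scopes requested.

```powershell
# Added example, not part of the CyberInfo page. Assumptions: the confidentiality
# clauses are published as an Entra ID Terms of Use agreement named "External NDA"
# (placeholder), and the caller holds only the read scopes requested below.

$AgreementName = "External NDA"   # placeholder: replace with the real agreement display name

Connect-MgGraph -Scopes "Agreement.Read.All", "AgreementAcceptance.Read.All", `
                        "Policy.Read.All", "User.Read.All" -NoWelcome

function Get-GraphCollection {
    # Follow @odata.nextLink so tenants with more than one page of guests are fully enumerated.
    param([string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# 1. Resolve the Terms of Use agreement that carries the NDA clauses.
$agreement = Get-GraphCollection "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements" |
             Where-Object { $_.displayName -eq $AgreementName }
if (-not $agreement) { throw "No Terms of Use agreement named '$AgreementName' found." }

# 2. An agreement nobody is forced to accept is a document, not a control: list the
#    Conditional Access policies whose grant controls require it, and warn if none is enabled.
$enforcing = Get-GraphCollection "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" |
             Where-Object { $_.grantControls.termsOfUse -contains $agreement.id }
$enforcing | ForEach-Object { [pscustomobject]@{ Policy = $_.displayName; State = $_.state } } | Format-Table
if (-not ($enforcing | Where-Object { $_.state -eq 'enabled' })) {
    Write-Warning "No enabled Conditional Access policy requires '$AgreementName'."
}

# 3. For every guest account, record the most recent acceptance (or its absence).
$guestUri = "https://graph.microsoft.com/v1.0/users?`$filter=userType eq 'Guest'" +
            "&`$select=id,displayName,userPrincipalName,createdDateTime"
$report = foreach ($g in (Get-GraphCollection $guestUri)) {
    $acc = Get-GraphCollection "https://graph.microsoft.com/v1.0/users/$($g.id)/agreementAcceptances" |
           Where-Object { $_.agreementId -eq $agreement.id } |
           Sort-Object recordedDateTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Guest      = $g.userPrincipalName
        Invited    = $g.createdDateTime
        NdaState   = if ($acc) { $acc.state } else { 'never presented' }
        RecordedAt = $acc.recordedDateTime
    }
}

# Evidence file for the audit pack, plus an on-screen list of guests lacking an accepted NDA.
$report | Export-Csv -Path .\nda-acceptance-evidence.csv -NoTypeInformation
$report | Where-Object { $_.NdaState -ne 'accepted' } | Format-Table
```

A guest marked "never presented" has been invited but has not yet hit a policy that requires the agreement, which usually means either the policy targets only some resources or the guest has not signed in; both are worth explaining to the auditor alongside the CSV. Rerunning the script after an agreement version is republished also shows who still holds an acceptance for the superseded text.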


Evidence Checklist

  • NDA Templates: Current versions of confidentiality agreements tailored for employees, contractors, and vendors.

  • Signed Agreements: A complete repository of signed NDAs for all in-scope personnel and partners.

  • Review Logs: Evidence that NDAs are reviewed periodically to ensure they reflect current legal and business requirements.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that an NDA is signed before a user is granted access to the production environment?

  • What is the process for managing NDAs with third-party vendors who may use their own standard legal templates?

  • Can you provide evidence of a signed confidentiality agreement for a recently hired contractor or guest user?

  • How does the organization handle the renewal of NDAs when a long-term contract or project extension occurs?