Specifications include, but are not limited to: responsible to implement information security practices that provide protection of a customer’s data assets by implementing information security practices that meet applicable legislation and regulations as well as contractual obligations. ; The cloud service provider must ensure that employees and contractors are aware of and fulfill their information security responsibilities. 1. Management must require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. 2. All employees of the organization and where relevant, contractors, must receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function ; The cloud service provider must provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.