Management of third party services


The organization will develop, disseminate, and review: 1) a formal management of third party services policy that addresses purpose, scope, RACI info, and compliance; and 2) formal standards and procedures to facilitate implementing the policy. [UCF ID 00789]

Supporting and supported controls

This control directly supports:

Human resources management for the IS staff [UCF Control ID 00763]

This control has the following supporting controls:

Counterparty trust [UCF Control ID 00790]
Supplier Interfaces [UCF Control ID 00792]
Formalize third party relationships [UCF Control ID 00794]
Third-Party Qualifications [UCF Control ID 00795]
Outsourcing Contracts [UCF Control ID 00796]
Ensure the continuity of third party services [UCF Control ID 00797]
Audit the security and regulatory requirements of third parties [UCF Control ID 00798]
Monitor third party service delivery of services [UCF Control ID 00799]
Establish information flow and software exchange agreements with all third parties [UCF Control ID 04543]

Authority documents complied with:

BIS Sound Practices for the Management and Supervision of Operational Risk 39; Gramm-Leach-Bliley Act (GLB) 16 CFR § 314.4(d); Standards for Safeguarding Customer Information, FTC 16 CFR 314 314.4(d); Safety and Soundness Standards, Appendix of OCC 12 CFR 30 III.D; FFIEC IT Examination Handbook – Information Security Pg 76, Exam Tier I Obj 1.3, Exam Tier I Obj 2.1, Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Audit Pg 20, Exam Tier I Obj 11.9; FFIEC IT Examination Handbook – Management Pg 32, Exam Obj 1.3; FFIEC IT Examination Handbook – Operations Pg 29, Exam Tier I Obj 1.3; FFIEC IT Examination Handbook – Outsourcing Technology Services Pg 3, Exam Tier I Obj 1.3, Exam Tier I Obj 3.1, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Wholesale Payment Systems Pg 34, Exam Tier I Obj 1.3, Exam Tier I Obj 2.2; FFIEC IT Examination Handbook – Retail Payment Systems Exam Tier I Obj 1.3, Exam Tier I Obj 2.2; FFIEC IT Examination Handbook – E-Banking Pg 23, Obj 1.4, Obj 3.3; The Standard of Good Practice for Information Security CB6.1.3(a), CB6.1.4(c), CB6.1.4(e), CB6.1.4(f), CB6.1.5, SM6.5.6; ISO 17799:2005 Code of Practice for Information Security Management § 10.2.1; ISO 27001:2005, Information Security Management Systems - Requirements § A.6.2; ISO/IEC 27002-2005 Code of practice for information security management § 10.2.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 PS-7; Payment Card Industry Self-Assessment Questionnaire D 12.10, 12.10.1, 12.10.2, 12.10.3, 12.10.4; VISA E-Commerce Merchants Guide to Risk Management Pg. 23, Pg. 24, Pg. 60; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 12.8; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 § 12.8; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 § 12.8; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 § 12.8; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 12.8; AICPA Suitable Trust Services Criteria ¶ .29 § 3.2; Canadian Marketing Association Code of Ethics and Standards of Practice ¶ E

Sarbanes Oxley Guidance

¶ .29 § 3.2 of AICPA Suitable Trust Services Criteria states that the organization should have procedures in place to ensure third parties have a confidentiality policy and are in compliance with that policy.

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Management Pg 32, Exam Obj 1.3 states that the organization should develop policies and procedures for outsourcing. The policies and procedures should include the objectives of the program, how to select a provider, how to negotiate a contract, and how to monitor the relationship. The oversight of outsourcing agreements should be the responsibility of the Board of Directors and senior management.

The FFIEC IT Examination Handbook – E-Banking Pg 23, Obj 1.4, Obj 3.3 states that the organization should periodically evaluate the third party arrangement to ensure it meets the current needs and the anticipated future needs.

NASD and NYSE Guidance

SEC Rule 240.17ad-7 calls for third party escrow arrangements for electronically stored records.

Credit Card Guidance

The Payment Card Industry Self-Assessment Questionnaire D § 12.10, 12.10.1, 12.10.2, 12.10.3, 12.10.4 states that policies and procedures should be implemented by service providers and processors for the management of connected entities. These policies and procedures should include a list of the connected entities, a statement that the entities are PCI DSS compliant, a statement that the entities are connected and disconnected according to the policies, and a statement that proper due diligence is conducted before connecting an entity.

§ 12.8.1, 12.8.3, 12.8.4 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization must ensure the service provider policies and procedures include a list of all service providers, how the organization will monitor the compliance of the service provider with the PCI DSS requirements, and due diligence.

§ 12.8 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 states that if cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers.

§ 12.8 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 states that if cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers.

§ 12.8 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 states that if cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers.

§ 12.8 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that if cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers.

US Federal Security Guidance

FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

NIST Guidance

NIST 800-53, PS-7, calls for the organization to establish personnel security requirements for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management) and monitor provider compliance to ensure adequate security. The organization must explicitly include personnel security requirements in acquisition-related documents.

International Standards Organization Guidance

ISO 17799 addresses all concerns for third party contracts, including non-disclosure agreements.

The ISO/IEC 27002-2005 Code of practice for information security management § 10.2.1 states that third parties should ensure the services they implement, operate, and maintain include the security controls and levels included in the agreement.

The ISO 27001:2005 Information Security Management Systems - Requirements § A.6.2 states that the organization should ensure the security of all information accessed, processed, managed, or communicated to any third party.

The ISO 17799:2005 Code of Practice for Information Security Management § 10.2.1 states that third parties should ensure the services they implement, operate, and maintain include the security controls and levels included in the agreement.

IT Infrastructure Library Guidance

ITIL Best Practice for Security Management 4.2.3.2 requires organizations to take appropriate security measures when exchanging information across a network. The measures should be laid down in an Interchange Agreement.

European Union Guidance

The OECD Risk Checklist requires assurance reviews of third party security (SAS 70). It also requires consideration of third party service continuity and calls for the ongoing monitoring of third parties to ensure their adherence to contractual agreements.

UK and Canadian Guidance

¶ E of Canadian Marketing Association Code of Ethics and Standards of Practice states that the organization should be responsible for the practices of its suppliers.

Metrics

The metrics associated with this control are as follows:

• Metric Reporting Standard 02044.doc