Management of third party services

Status: Live

The organization will develop, disseminate, and review: 1) a formal management of third party services policy that addresses purpose, scope, RACI info, and compliance; and 2) formal standards and procedures to facilitate implementing the policy. [UCF ID 00789]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

    AICPA Suitable Trust Services Principles and Criteria, ¶ .29 § 3.2
    FFIEC IT Examination Handbook – Audit, August 2003, Pg 20, Exam Tier I Obj 11.9
    FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 23, Obj 1.4, Obj 3.3
    FFIEC IT Examination Handbook – Information Security, Pg 76, Exam Tier I Obj 1.3, Exam Tier I Obj 2.1, Exam Tier I Obj 4.1
    FFIEC IT Examination Handbook – Management, Pg 32, Exam Obj 1.3
    FFIEC IT Examination Handbook – Operations, July 2004, Pg 29, Exam Tier I Obj 1.3
    FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 3, Exam Tier I Obj 1.3, Exam Tier I Obj 3.1, Exam Tier II Obj D.1
    FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 1.3, Exam Tier I Obj 2.2
    FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 34, Exam Tier I Obj 1.3, Exam Tier I Obj 2.2
    Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(d)
    Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 12.8
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2, § 12.8
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2, § 12.8
    VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 23, Pg 24, Pg 60
    Protection of Assets Manual, ASIS International, Revised Volume 1 Pg 7-I-44 thru Revised Volume 1 Pg 7-I-47
    NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 7-101
    FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3
    US The International Traffic in Arms Regulations, April 1, 2008, § 124.14(e)
    IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.11, Exhibit 4 PS-7
    Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PS-7
    The Standard of Good Practice for Information Security, CB6.1.3(a), CB6.1.4(c), CB6.1.4(e), CB6.1.4(f), CB6.1.5, SM6.5.6
    ISO 17799:2005 Code of Practice for Information Security Management, § 10.2.1
    ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.6.2
    ISO/IEC 27002-2005 Code of practice for information security management, § 10.2.1
    Canadian Marketing Association Code of Ethics and Standards of Practice, § E
    BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 39
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 12.8
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 12.8
    Archer Control Table, ATCS-070, ATCS-531, ATCS-853
    Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007, § 41.90(e)(4), § 222.90(e)(4), § 334.90(e)(4), § 571.90(e)(4), § 681.2(e)(4), § 717.90(e)(4), App J to Part 41.VI(c), App J to Part 222.VI(c), App J to Part 334.VI(c), App J to Part 571.VI(c), App A to Part 681.VI(c), App J to Part 717.VI(c)
    California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 8
    UK Data Protection Act of 1998, § 56(2)

Sarbanes Oxley Guidance

The organization should have procedures in place to ensure third parties have a confidentiality policy and are in compliance with that policy. [¶ .29 § 3.2, AICPA Suitable Trust Services Principles and Criteria]

Banking and Finance Guidance

If an organization outsources the internal audit function, management should ensure there are no conflicts of interest and the use of the outsource provider does not compromise the independence of the auditing function. [Pg 20, Exam Tier I Obj 11.9, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should periodically evaluate the third party arrangement to ensure it meets the current needs and the anticipated future needs. [Pg 23, Obj 1.4, Obj 3.3, FFIEC IT Examination Handbook – E-Banking, August 2003]

The organization should use due diligence when selecting a service provider, monitor service providers, and contractually require service providers to implement security controls. [Pg 76, Exam Tier I Obj 1.3, Exam Tier I Obj 2.1, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Information Security]

The organization should develop policies and procedures for outsourcing. The policies and procedures should include the objectives of the program, how to select a provider, how to negotiate a contract, and how to monitor the relationship. The oversight of outsourcing agreements should be the responsibility of the Board of Directors and senior management. [Pg 32, Exam Obj 1.3, FFIEC IT Examination Handbook – Management]

The organization should receive performance, capacity, availability, and other metrics reports from the third party provider if the organization outsources the management of the telecommunications services. [Pg 29, Exam Tier I Obj 1.3, FFIEC IT Examination Handbook – Operations, July 2004]

Policies should exist for managing outsourcing agreements and should include establishing servicing requirements and strategies; selecting a service provider; negotiating a contract; and monitoring, changing, and discontinuing outsourced agreements. [Pg 3, Exam Tier I Obj 1.3, Exam Tier I Obj 3.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

[Exam Tier I Obj 1.3, Exam Tier I Obj 2.2, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The organization should have appropriate monitoring procedures, contract provisions, and due diligence processes when dealing with third party providers. [Pg 34, Exam Tier I Obj 1.3, Exam Tier I Obj 2.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The organization should oversee all service providers. [§ 314.4(d), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

The Board of Directors and senior management should ensure the third party operates in a safe and sound manner and complies with all applicable laws. [¶ 39, BIS Sound Practices for the Management and Supervision of Operational Risk]

Payment Card Guidance

The organization must ensure the service provider policies and procedures include a list of all service providers, how the organization will monitor the service provider's compliance with the PCI DSS requirements, and due diligence. Verify all third party service providers have policies and procedures in place requiring a list of all connected entities, performing due diligence prior to connecting the entities, verifying PCI DSS compliance, and procedures for connecting and disconnecting entities. [§ 12.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]

If cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers. [§ 12.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2]

If cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers. [§ 12.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2]

When choosing an Acquirer to accept Visa cards, the services they offer should be reviewed for expertise in security measures, risk management tools, and solutions that meet the unique Internet business needs of the organization, and to ensure they support Visa's Cardholder Information Security Program requirements. When choosing a service provider, the organization should search for one that adheres to the Payment Card Industry (PCI) Data Security Standard, has experience in online authentication, offers fraud prevention options, follows the payment industry risk management best practices, and offers risk management support 24/7. [Pg 23, Pg 24, Pg 60, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]

If cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers. [§ 12.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]

If cardholder data is shared with service providers, policies and procedures must be maintained and implemented to manage those providers. [§ 12.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

If the organization is going to contract out the guard duties, it should develop a Request for Proposal (RFP). The RFP should detail exactly what is required. See the "Revised Protection of Assets Manual," Volume 1, Chapter 7, Part 1, Pages 7-I-44 through 7-I-46 for recommended RFP headings. [Revised Volume 1 Pg 7-I-44 thru Revised Volume 1 Pg 7-I-47, Protection of Assets Manual, ASIS International]

Prime contractors must determine the security requirements and clearance level for each of their subcontractors and allow sufficient time for the Facility Clearance process to be completed in order to release or disclose classified information to the subcontractor. [§ 7-101, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

A transmittal letter must be written to request approval of warehousing and distribution agreements. The letter must contain the applicant's Directorate of Defense Trade Controls registration number, the name of the foreign party, the defense articles that are being distributed, a statement that no classified technical data or defense articles are involved, a statement identifying any Government contracts that the articles may be under, and the required clauses as stated in § 124.14(f). [§ 124.14(e), US The International Traffic in Arms Regulations, April 1, 2008]

Financial institutions or creditors that are required to implement an Identity Theft Prevention Program must ensure effective and appropriate oversight is maintained over all service provider arrangements. The financial institution or creditor should also ensure the service provider conducts its activities in accordance with reasonable policies and procedures that are designed to detect, prevent, and mitigate identity theft risks. [§ 41.90(e)(4), § 222.90(e)(4), § 334.90(e)(4), § 571.90(e)(4), § 681.2(e)(4), § 717.90(e)(4), App J to Part 41.VI(c), App J to Part 222.VI(c), App J to Part 334.VI(c), App J to Part 571.VI(c), App A to Part 681.VI(c), App J to Part 717.VI(c), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007]

US Internal Revenue Guidance

The organization must ensure personnel security requirements are developed for third-party providers. [§ 5.6.11, Exhibit 4 PS-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The organization ought to establish personnel security requirements for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management) and monitor provider compliance to ensure adequate security. The organization must explicitly include personnel security requirements in acquisition-related documents. [PS-7, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

US State Laws and Protectorates Guidance

Require service providers and business partners who handle personal information on behalf of your organization to follow your security policies and procedures. [Part I ¶ 8, California OPP Recommended Practices on Notification of Security Breach, May 2008]

ISO Guidance

Third parties should ensure the services they implement, operate, and maintain include the security controls and levels included in the agreement. [§ 10.2.1, ISO 17799:2005 Code of Practice for Information Security Management]

The organization should ensure the security of all information accessed, processed, managed, or communicated to any third party. [Annex A.6.2, ISO 27001:2005, Information Security Management Systems - Requirements]

Third parties should ensure the services they implement, operate, and maintain include the security controls and levels included in the agreement. [§ 10.2.1, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

Third party agreements should cover how information can be used, non-disclosure of information, and methods for the protection of information. A process should be in place to renegotiate and change third party agreements, if necessary. Personnel who manage third party access connections should have information about the associated risks, tools to support them in managing third party access, specialist advice and assistance, and procedures for secure connections. [CB6.1.3(a), CB6.1.4(c), CB6.1.4(e), CB6.1.4(f), CB6.1.5, SM6.5.6, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

The organization should be responsible for the practices of its suppliers. [§ E, Canadian Marketing Association Code of Ethics and Standards of Practice]

A person who provides goods, services, or facilities to the public or a section of the public must not require another person or a third party to supply him/her with relevant records, or to produce relevant records for him/her, as a condition of providing the goods, services, or facilities. Table 56(6) lists what are considered relevant records. [§ 56(2), UK Data Protection Act of 1998]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of known information security risks that are related to third-party relationships [UCF Control ID 02044]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.