Counterpart trust

Status: Live

The organization will establish personnel security requirements for third-party providers and monitor provider compliance to ensure adequate security. [UCF ID 00790]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 7.2.2; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 11.8; FFIEC IT Examination Handbook – Information Security, Pg 76, Pg 77; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 6.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PS-7; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PS-7; The Standard of Good Practice for Information Security, CB6.1.1; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.42.c; Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 43; Archer Control Table, ATCS-339, ATCS-359

Sarbanes Oxley Guidance

The organization should not disclose personal information to any third party, unless an agreement exists stating that the third party will protect the personal information from loss, misuse, disclosure, unauthorized access, destruction, and alteration. [ID 7.2.2, AICPA/CICA Privacy Framework]

Banking and Finance Guidance

[Exam Tier I Obj 11.8, FFIEC IT Examination Handbook – Audit, August 2003]

When selecting a service provider, the organization should consider references and experience; background checks and security experience of the personnel; nondisclosure agreements; assurances in the contract about security; the service provider's security incident response policy; and the organization's ability to conduct audits or receive reports from independent third parties. [Pg 76, Pg 77, FFIEC IT Examination Handbook – Information Security]

[Exam Tier II Obj 6.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

US Federal Security Guidance

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

NIST Guidance

[PS-7, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents should be examined to determine whether the organization has established personnel security requirements for third-party providers; whether third-party providers are monitored for compliance with those requirements; whether the security requirements are written into the agreements with the providers, in accordance with NIST Special Publication 800-35; and whether specific responsibilities and actions are defined for implementing the third-party personnel security control. Any problems discovered while implementing the third-party personnel security control should be documented and used to improve the control.
Interviews should be conducted with personnel involved in third-party agreements and with personnel who monitor third-party providers, to confirm that the providers meet the personnel security requirements.
[PS-7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

General Guidance

Third-party access should be reviewed regularly to ensure the risks remain acceptable. The review should consider the sensitivity and criticality of the information; the nature of the third-party relationship; legal and regulatory requirements; the third party's security practices; the type of connection; vulnerabilities in the third party's systems; the lack of control over the third party's employees; the type of data the third party processes; and the effectiveness of the third party's infrastructure. [CB6.1.1, The Standard of Good Practice for Information Security]

EU Guidance

[§ II.42.c, OECD / World Bank Technology Risk Checklist, Version 7.3]

UK and Canadian Guidance

[¶ 43, Turnbull Guidance on Internal Control, UK FRC, October 2005]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of critical information assets or functions for which access by third-party personnel is not allowed [UCF Control ID 02045]
    Report on the percentage of third-party personnel with current information access privileges [UCF Control ID 02046]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.