UCF ID: 00790 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]
This control has the following supporting controls:
- Establish and maintain procedures for transaction authentication of third parties. [UCF Control ID 00791]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 7.2.2; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 11.8; FFIEC IT Examination Handbook – Information Security, Pg 76, Pg 77; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 6.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, § 2.4, App F § PS-7, App F § SA-9; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PS-7; The Standard of Good Practice for Information Security, CB6.1.1; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.42.c; Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 43; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.6.6
Banking and Finance Guidance
[Exam Tier I Obj 11.8, FFIEC IT Examination Handbook – Audit, August 2003]
When selecting a service provider, the organization should consider references and experience; background checks and security experience of the personnel; nondisclosure agreements; assurances in the contract about security; the service provider's security incident response policy; and the organization's ability to conduct audits or receive reports from independent third parties. [Pg 76, Pg 77, FFIEC IT Examination Handbook – Information Security]
[Exam Tier II Obj 6.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
US Federal Security Guidance
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
NIST Guidance
§ 2.4 An organization must ensure that third-party providers conform to and are in compliance with organizational information system security policies. The organization should document all services provided by third-party providers and obtain assurances, by contract or agreement, that security controls are implemented for an acceptable level of risk. All third-party information services must be approved by the organizational management authorizing official. The organization must implement additional security controls when the services of external providers do not meet the organization's acceptable degree of security risk.
App F § PS-7 The organization should establish and document personnel security requirements for third-party providers, including security roles and responsibilities, and monitor provider compliance.
App F § SA-9 An organization must ensure that third-party providers conform to and are in compliance with organizational information system security policies. The organization should document all government requirements and user roles and responsibilities when using outsourced information services, and continuously monitor security control compliance by third-party providers. [§ 2.4, App F § PS-7, App F § SA-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure that third-party providers have established personnel security requirements; that third-party providers are monitored for security compliance; that security requirements are listed in agreements in accordance with NIST Special Publication 800-35; and that specific responsibilities and actions are defined for the implementation of the third-party personnel security control. Any problems discovered during the implementation of the third-party personnel security control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in third-party agreements and with personnel who monitor third-party providers to ensure they meet the personnel security requirements. [PS-7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Outsourced vendors should have formal procedures and policies in place for hiring the staff who provide services. These procedures and policies should be included in contracts and should cover the required staff experience and qualifications; security clearances; policies on ethics, behavior, and sexual or racial harassment; and procedures and policies on performance monitoring and staff replacement. [§ 5.6.6, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
General Guidance
The organization should not disclose personal information to any third party, unless an agreement exists stating that the third party will protect the personal information from loss, misuse, disclosure, unauthorized access, destruction, and alteration. [ID 7.2.2, AICPA/CICA Privacy Framework]
Third party access should be reviewed regularly to ensure the risks are still acceptable. The review should consider the sensitivity and criticality of the information, the third party relationship, legal and regulatory requirements, the third party's security practices, the type of connection, third party system vulnerabilities, the lack of control over third party employees, the type of data the third party is processing, and the effectiveness of the third party infrastructure. [CB6.1.1, The Standard of Good Practice for Information Security]
EU Guidance
[§ II.42.c, OECD / World Bank Technology Risk Checklist, Version 7.3]
UK and Canadian Guidance
[¶ 43, Turnbull Guidance on Internal Control, UK FRC, October 2005]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of critical information assets or functions for which access by third-party personnel is not allowed. [UCF Control ID 02045]
- Report on the percentage of third-party personnel who have current information access privileges. [UCF Control ID 02046]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
