Supplier Interfaces

The organization will identify all supplier services and categorize them according to supplier type, significance and criticality. [UCF ID 00792]

Supporting and supported controls

This control directly supports:

Management of third party services [UCF Control ID 00789]

This control has the following supporting controls:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Outsourcing Technology Services Pg 15, Pg 16, Exam Tier II Obj D.4; CobiT 4.1 DS2.1; The Standard of Good Practice for Information Security SM4.3.2(d), SM6.7.1, SM6.7.2, CI2.5.3(d); ISO 27001:2005, Information Security Management Systems - Requirements § A.6.2.2; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 12.8.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 § 12.8.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 § 12.8.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 § 12.8.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 12.8.1; IT Service Management Standard - Code of Practice, BS 15000-2 § 7.2

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Outsourcing Technology Services Pg 15, Pg 16, Exam Tier II Obj D.4 states that the organization should be aware of and approve all third party service providers and should prohibit the assignment of contracts with third parties without the organization's consent. The organization should be notified if the service provider makes any subcontractor changes. The service provider contract should state the service provider is still responsible for the contracted services, even if performed by a subcontractor.

Credit Card Guidance

§ 12.8.1 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization should maintain a list of service providers.

§ 12.8.1 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 states that the organization should maintain a list of service providers.

§ 12.8.1 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 states that the organization should maintain a list of service providers.

§ 12.8.1 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 states that the organization should maintain a list of service providers.

§ 12.8.1 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization should maintain a list of service providers.

International Standards Organization Guidance

The ISO 27001:2005 Information Security Management Systems - Requirements § A.6.2.2 states that before a customer can gain access to the organization's information, the security requirements should be identified and addressed by all involved parties.


Site and content © Copyright 2003-2008 Network Frontiers, LLC. All rights reserved.