Status: Live
The organization will identify all supplier services and categorize them according to supplier type, significance and criticality. [UCF ID 00792]
Supporting and supported controls
This control directly supports:
- Management of third party services [UCF Control ID 00789]
There are no supporting controls.
Authority documents complied with:
- FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 15, Pg 16, Exam Tier II Obj D.4
- Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 12.8.1
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance, No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2, § 12.8.1
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance, Imprint Machines or Stand-alone Dial-out Terminals Only, No Electronic Cardholder Data Storage, Version 1.2, § 12.8.1
- Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Point of Origin
- CobiT 4.1, DS2.1
- The Standard of Good Practice for Information Security, SM4.3.2(d), SM6.7.1, SM6.7.2, CI2.5.3(d)
- ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.6.2.2
- IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 7.2
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance, Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 12.8.1
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All Other Merchants and All SAQ-Eligible Service Providers, Version 1.2, § 12.8.1
- Archer Control Table, ATCS-348
Banking and Finance Guidance
The organization should be aware of and approve all third party service providers, and should prohibit the assignment of contracts to other third parties without the organization's consent. The organization should be notified whenever the service provider changes subcontractors. The service provider contract should state that the service provider remains responsible for the contracted services even when they are performed by a subcontractor. [Pg 15, Pg 16, Exam Tier II Obj D.4, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
Payment Card Guidance
Maintain a list of service providers
The testing procedures from Appendix A of this document should be performed to ensure the hosting providers are protecting the environment and cardholder data. [§ 12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
Maintain a list of service providers. [§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2]
Maintain a list of service providers. [§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2]
Maintain a list of service providers. [§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]
Maintain a list of service providers. [§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
Importers must ensure that their business partners have developed security procedures to ensure the integrity of all shipments at the point of origin. Importers should conduct periodic reviews of partners' facilities and processes to ensure that partners are maintaining the importer's security requirements. [Point of Origin, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]
ISO Guidance
Before a customer can gain access to the organization's information, the security requirements should be identified and addressed by all involved parties. [Annex A.6.2.2, ISO 27001:2005, Information Security Management Systems - Requirements]
General Guidance
The organization should identify all supplier services and categorize them according to supplier type, significance and criticality. The organization should maintain formal documentation of technical and organizational relationships covering the roles and responsibilities, goals, expected deliverables and credentials of these suppliers' representatives. [DS2.1, CobiT 4.1]
The process for choosing outsourcing providers and transferring control to them should be documented. Outsourcing requirements should include assessing the provider's security practices, identifying critical environments, evaluating the risks of outsourcing, determining any interdependencies between the outsourced functions and in-house functions, and defining exit strategies. [SM4.3.2(d), SM6.7.1, SM6.7.2, CI2.5.3(d), The Standard of Good Practice for Information Security]
UK and Canadian Guidance
[§ 7.2, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
