Formalize third party relationships

Status: Live

The organization will contractually require all third parties with access to confidential information to adhere to all pertinent regulations, guidelines, and SLAs. [UCF ID 00794]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 7.2.2; AICPA Suitable Trust Services Principles and Criteria, ¶ .29 § 3.2; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Third-Party Senders; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.D.2; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj A.1, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 23, Pg 24, Obj 3.2; FFIEC IT Examination Handbook – Information Security, Pg 7, Pg 14, Pg 21, Exam Tier I Obj 5.2, Exam Tier II Obj J.1, Exam Tier II Obj J.8; FFIEC IT Examination Handbook – Management, Pg 37; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 13, Exam Tier I Obj 3.4; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40, Exam Tier II Obj 1.1; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 6.1; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(d)(2); Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 12.8.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2, § 12.8.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2, § 12.8.3; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 17, Pg 24; Protection of Assets Manual, ASIS International, Pg 21-I-8, Pg 21-I-9; Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Business Partner Requirement; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 4-103; US The International Traffic in Arms Regulations, April 1, 2008, § 124.14; CobiT 4.1, DS2.2; The Standard of Good Practice for Information Security, SM6.7.4; ISO 17799:2005 Code of Practice for Information Security Management, § 6.2.3; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.6.2.3; ISO/IEC 27002-2005 Code of practice for information security management, § 6.2.3; Canadian Marketing Association Code of Ethics and Standards of Practice, § I14.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 12.8.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 12.8.3; Archer Control Table, ATCS-007, ATCS-389, ATCS-390, ATCS-391, ATCS-611, ATCS-739; California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 8; Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT, § 4.1.1

Sarbanes Oxley Guidance

The organization should not disclose personal information to any third party, unless an agreement exists stating that the third party will protect the personal information from loss, misuse, disclosure, unauthorized access, destruction, and alteration. [ID 7.2.2, AICPA/CICA Privacy Framework]

The organization should ensure the confidentiality requirements of the third party are included in all service contracts. [¶ .29 § 3.2, AICPA Suitable Trust Services Principles and Criteria]

Banking and Finance Guidance

Third-party senders should sign an agreement binding them to the NACHA rules. The agreement should state that entries that violate federal law may not be initiated. [Third-Party Senders, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

The organization should require, in the contract, that all service providers implement the appropriate security requirements. [App B § III.D.2, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

[Exam Tier II Obj A.1, Exam Tier II Obj E.2, FFIEC IT Examination Handbook – Audit, August 2003]

A formal contract should be developed that addresses the duties and responsibilities of all involved parties. The contract should be tailored for e-banking. Some e-banking contract issues are: requirements for security controls to protect data; restrictions on the use of nonpublic personal information that is stored or collected on the system; requirements for website performance standards; requirements to develop incident response plans and continuity plans; limits for the third party to subcontract services; and requirements for dispute resolution. [Pg 23, Pg 24, Obj 3.2, FFIEC IT Examination Handbook – E-Banking, August 2003]

The organization should clearly state the security responsibilities of the third party in a contract. The contract should include provisions that allow the organization to enforce the contractual requirements. The contract should state the standards the provider must meet and how compliance with those standards is to be reported. [Pg 7, Pg 14, Pg 21, Exam Tier I Obj 5.2, Exam Tier II Obj J.1, Exam Tier II Obj J.8, FFIEC IT Examination Handbook – Information Security]

The organization should receive current financial information from third party providers at least annually. [Pg 37, FFIEC IT Examination Handbook – Management]

The service provider contract should clearly define the roles and responsibilities of both parties. The contract should prohibit the service provider from disclosing the organization's information, require the service provider to follow the privacy requirements if it gains access to nonpublic customer information, and require the service provider to fully disclose any security breaches. [Pg 13, Exam Tier I Obj 3.4, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

Written agreements with third parties should define roles and responsibilities, detailed control procedures, and problem-resolution procedures. [Pg 40, Exam Tier II Obj 1.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier II Obj 6.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The organization should require service providers to sign a contract stating that they will implement and maintain safeguards to protect customer information. [§ 314.4(d)(2), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

Payment Card Guidance

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2]

Before signing a contract with a service provider, the organization should research the service provider to determine whether it can keep cardholder data safe and minimize losses due to fraud, and should read and understand all contracts before signing. The contract should state who is liable for fraudulent transactions and for losses due to compromised card data. [Pg 17, Pg 24, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

Dealings with other organizations should not be conducted in a vague or unclear manner. Agreements between companies should be in writing whenever possible, and oral agreements should be avoided; it should be stated in writing that written agreements cannot be changed by oral statements; and the content of any oral or written contract should be legal. [Pg 21-I-8, Pg 21-I-9, Protection of Assets Manual, ASIS International]

Importers must have documented and verifiable processes for the selection of any business partners (manufacturers, vendors, and suppliers). [Business Partner Requirement, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]

The security requirements must be incorporated into classified contracts, requests for proposal, and other solicitations. [§ 4-103, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Warehousing and distribution agreements of unclassified defense articles between U.S. persons and foreign persons must be approved by the Directorate of Defense Trade Controls. The agreements must include a description of the defense articles, the duration of the agreement, the terms and conditions of how the defense articles will be distributed and exported, specific identification of the countries the defense articles will be exported to, and required statements, as listed in this section. [§ 124.14, US The International Traffic in Arms Regulations, April 1, 2008]

NIST Guidance

If the organization is sharing Personally Identifiable Information (PII), an Interconnection Security Agreement stating the technical requirements for use of PII and requiring the other organization to abide by the applicable policies for handling, transmitting, sharing, retaining, disclosing, and using the PII should be developed. [§ 4.1.1, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT]

US State Laws and Protectorates Guidance

Make privacy and security obligations of third parties enforceable by contract. [Part I ¶ 8, California OPP Recommended Practices on Notification of Security Breach, May 2008]

ISO Guidance

An agreement should be made with all third parties who access, manage, and/or process the organization's data. The agreement should be clear so that there are no misunderstandings between the two parties. To satisfy security requirements, the following should be included in the agreement: the information security policy; the asset protection controls; user awareness and training requirements; designation of who is responsible for hardware and software maintenance and installation; a description of an acceptable and clear reporting structure and format; the access control policy; a description of the product or service being provided; requirements for reporting, notification, and investigation of security incidents; work performance criteria; acceptable and unacceptable levels of service; notification of the organization's right to audit; legal responsibilities of both parties; a plan for service continuity; an escalation process for problem resolution; liabilities of both parties; a designation of who owns intellectual property rights; a designation of who owns copyrights; disclosure of any involvement of the third party with subcontractors; and criteria for the renegotiation or termination of the agreement. [§ 6.2.3, ISO 17799:2005 Code of Practice for Information Security Management]

Agreements should be made between the organization and any third party who will be accessing, processing, managing, or communicating the organization's data. This agreement should cover all relevant information security requirements. [Annex A.6.2.3, ISO 27001:2005, Information Security Management Systems - Requirements]

An agreement should be made with all third parties who access, manage, and/or process the organization's data. The agreement should be clear so that there are no misunderstandings between the two parties. To satisfy security requirements, the following should be included in the agreement: the information security policy; the asset protection controls; user awareness and training requirements; designation of who is responsible for hardware and software maintenance and installation; a description of an acceptable and clear reporting structure and format; the access control policy; a description of the product or service being provided; requirements for reporting, notification, and investigation of security incidents; work performance criteria; acceptable and unacceptable levels of service; notification of the organization's right to audit; legal responsibilities of both parties; a plan for service continuity; an escalation process for problem resolution; liabilities of both parties; a designation of who owns intellectual property rights; a designation of who owns copyrights; disclosure of any involvement of the third party with subcontractors; and criteria for the renegotiation or termination of the agreement. [§ 6.2.3, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

The organization should formalize the supplier relationship management process for each supplier. The relationship owners must liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through service level agreements). [DS2.2, CobiT 4.1]

Outsourcing contracts should require that good information practices are adhered to, that information about security incidents is provided to the organization, and that the integrity, availability, and confidentiality of information are maintained. [SM6.7.4, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

The organization should ensure that a consumer or business is fully informed before entering into an agreement. The agreement should include what service or product is being offered, the total price for the product or service, the payment terms, the third parties' commitments and obligations in continuing with the agreement, and how the service or product is being delivered. The following should also be included, if applicable: late payment penalties, product substitution policies, warranties and guarantees, organizational contact information, and return and cancellation policies and procedures. [§ I14.1, Canadian Marketing Association Code of Ethics and Standards of Practice]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of third-party relationships that have been reviewed for compliance with information security requirements [UCF Control ID 02050]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.