Formalize all third party relationships with written contracts.

UCF ID: 00794
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]

This control has the following supporting controls:

    Ensure third parties acknowledge their responsibilities for data in their possession and control. [UCF Control ID 01364]
    Ensure third party vendors have continuity plans in place. [UCF Control ID 01365]
    Ensure third parties fully cooperate with the organization on all security audits and security incidents. [UCF Control ID 01366]
    Ensure third party contracts include termination provisions. [UCF Control ID 01367]

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 7.2.2; AICPA Suitable Trust Services Principles and Criteria, ¶ .29 § 3.2; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Third-Party Senders; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.D.2; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj A.1, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 23, Pg 24, Obj 3.2; FFIEC IT Examination Handbook – Information Security, Pg 7, Pg 14, Pg 21, Exam Tier I Obj 5.2, Exam Tier II Obj J.1, Exam Tier II Obj J.8; FFIEC IT Examination Handbook – Management, Pg 37; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 13, Exam Tier I Obj 3.4; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40, Exam Tier II Obj 1.1; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 6.1; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(d)(2); Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 12.8.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2, § 12.8.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2, § 12.8.3; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 17, Pg 24; Protection of Assets Manual, ASIS International, Pg 21-I-8, Pg 21-I-9; Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Business Partner Requirement; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 4-103; US The International Traffic in Arms Regulations, April 1, 2008, § 124.14; CobiT, Version 4.1, DS2.2; The Standard of Good Practice for Information Security, SM6.7.4; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 6.2.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.6.2.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 6.2.3; Canadian Marketing Association Code of Ethics and Standards of Practice, § I14.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 12.8.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 12.8.3; California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 8; Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT, § 4.1.1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.6.3, § 5.8.2, § 5.8.3, § 5.8.4, § 5.8.5; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 302(a)(4)(B)(vi), § 302(d)(1), § 401(c)(2)(C), § 403(b)(3)(B)(iii); Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 40, ¶ 41; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, § 2.4

Banking and Finance Guidance

Third-party senders should sign an agreement binding them by the NACHA rules. The agreement should state that entries that violate federal laws may not be initiated. [Third-Party Senders, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

The organization should require, in the contract, all service providers to implement the appropriate security requirements. [App B § III.D.2, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

[Exam Tier II Obj A.1, Exam Tier II Obj E.2, FFIEC IT Examination Handbook – Audit, August 2003]

A formal contract should be developed that addresses the duties and responsibilities of all involved parties. The contract should be tailored for e-banking. Some e-banking contract issues are: requirements for security controls to protect data; restrictions on the use of nonpublic personal information that is stored or collected on the system; requirements for website performance standards; requirements to develop incident response plans and continuity plans; limits for the third party to subcontract services; and requirements for dispute resolution. [Pg 23, Pg 24, Obj 3.2, FFIEC IT Examination Handbook – E-Banking, August 2003]

The organization should clearly state the security responsibilities of the third party in a contract. The contract should contain provisions that allow the organization to enforce the contractual requirements. The contract should state the standards the provider needs to meet and how compliance with those standards is to be reported. [Pg 7, Pg 14, Pg 21, Exam Tier I Obj 5.2, Exam Tier II Obj J.1, Exam Tier II Obj J.8, FFIEC IT Examination Handbook – Information Security]

The organization should receive current financial information from third party providers at least annually. [Pg 37, FFIEC IT Examination Handbook – Management]

The service provider contract should clearly define the roles and responsibilities of both parties. The contract should prohibit the service provider from disclosing the organization's information, require the service provider to follow the privacy requirements if it gains access to nonpublic customer information, and require the service provider to fully disclose any security breaches. [Pg 13, Exam Tier I Obj 3.4, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

Written agreements with third parties should define roles and responsibilities, detail control procedures, and detail problem-resolution procedures. [Pg 40, Exam Tier II Obj 1.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier II Obj 6.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The organization should require service providers to sign a contract stating that they will implement and maintain safeguards to protect customer information. [§ 314.4(d)(2), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

Payment Card Guidance

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2]

Before signing a contract with a service provider, the organization should research the service provider to determine whether it can keep cardholder data safe and minimize losses due to fraud, and should read and understand all contracts before signing. The contract should state who is liable for fraudulent transactions and for losses due to compromised card data. [Pg 17, Pg 24, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]

Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. [§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

Importers must have documented and verifiable processes for the selection of any business partners (manufacturers, vendors, and suppliers). [Business Partner Requirement, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]

The security requirements must be incorporated into classified contracts, requests for proposals, and other solicitations. [§ 4-103, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Warehousing and distribution agreements of unclassified defense articles between U.S. persons and foreign persons must be approved by the Directorate of Defense Trade Controls. The agreements must include a description of the defense articles, the duration of the agreement, the terms and conditions of how the defense articles will be distributed and exported, specific identification of the countries the defense articles will be exported to, and required statements, as listed in this section. [§ 124.14, US The International Traffic in Arms Regulations, April 1, 2008]

¶ 40 Bank management should ensure necessary controls are in place to manage risks associated with outsourcing and external alliances. Management should ensure that vendors have the necessary expertise, experience, and financial strength to fulfill their obligations. They also should ensure that the expectations and obligations of each party are clearly defined, understood and otherwise enforceable. For example, management should make certain that the bank has audit rights for vendors so that the bank can monitor performance under the vendor contract.
¶ 41 If a bank joins or forms alliances with other banks or companies, management should perform adequate due diligence to ensure that the joint-venture partners are competent and have the financial strength to fulfill their obligations. Adequate bank resources will be required to monitor and measure performance under the terms of any third-party agreement.
[¶ 40, ¶ 41, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

US Federal Privacy Guidance

Measures appropriate for the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to ensure third parties or customers are not authorized to acquire or access sensitive personally identifiable information without the business entity performing sufficient due diligence to determine, with reasonable certainty, that the information will be used for a valid legal purpose. If a business entity subject to Subtitle A of Title III of this Act uses a service provider that is not subject to Subtitle A of Title III of this Act, it must use appropriate due diligence to select a service provider when hiring for responsibilities related to sensitive personally identifiable information and take reasonable steps to select and retain a service provider that can maintain security, integrity, and privacy safeguards for sensitive personally identifiable information. The Administrator of the General Services Administration, when awarding a contract with a data broker for services or products that are related to the use, access, processing, distribution, compilation, evaluation, or analyzation of personally identifiable information, must require the data broker that uses service providers not subject to Subtitle A of Title III of this Act for responsibilities that are related to sensitive personally identifiable information to require service providers, by contract, to implement and maintain measures to meet the objectives and requirements of Title III of this Act. 
Notwithstanding any provisions of law, a Federal agency may not enter into a contract with a data broker to access any fee-based database that consists primarily of personally identifiable information about United States persons (other than telephone directories or news reports), unless the head of the agency or department incorporated into contracts that total more than $500,000 provisions that require the data broker that uses service providers not subject to Subtitle A of Title III of this Act for responsibilities that are related to sensitive personally identifiable information to require those service providers, by contract, to implement and maintain measures to meet the objectives and requirements in Title III of this Act. [§ 302(a)(4)(B)(vi), § 302(d)(1), § 401(c)(2)(C), § 403(b)(3)(B)(iii), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]

NIST Guidance

If the organization is sharing Personally Identifiable Information (PII), an Interconnection Security Agreement stating the technical requirements for use of PII and requiring the other organization to abide by the applicable policies for handling, transmitting, sharing, retaining, disclosing, and using the PII should be developed. [§ 4.1.1, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT]

An organization must ensure that third-party providers conform to and comply with organizational information system security policies. The organization should document all services provided by third-party providers and obtain assurances, by contract or agreement, that security controls are implemented to achieve an acceptable level of risk. All third-party information services must be approved by the organization's authorizing official. The organization must implement additional security controls when an external provider's services do not meet the organization's acceptable degree of security risk. [§ 2.4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

US State Laws and Protectorates Guidance

Make privacy and security obligations of third parties enforceable by contract. [Part I ¶ 8, California OPP Recommended Practices on Notification of Security Breach, May 2008]

ISO Guidance

An agreement should be made with all third parties who access, manage, and/or process the organization's data. The agreement should be clear so that there are no misunderstandings between the two parties. To satisfy security requirements, the following should be included in the agreement: the information security policy; the asset protection controls; user awareness and training requirements; designations of who is responsible for hardware and software maintenance and installation; a clear reporting structure and report format; the access control policy; a description of the product or service being provided; requirements for reporting, notification, and investigation of security incidents; work performance criteria; acceptable and unacceptable levels of service; notification of the organization's right to audit; legal responsibilities of both parties; a plan for service continuity; an escalation process for problem resolution; liabilities of both parties; a designation of who owns intellectual property rights; a designation of who owns copyrights; disclosure of any involvement of the third party with subcontractors; and criteria for the renegotiation or termination of the agreement. [§ 6.2.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Agreements should be made between the organization and any third party who will be accessing, processing, managing, or communicating the organization's data. This agreement should cover all relevant information security requirements. [Annex A.6.2.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

An agreement should be made with all third parties who access, manage, and/or process the organization's data. The agreement should be clear so that there are no misunderstandings between the two parties. To satisfy security requirements, the following should be included in the agreement: the information security policy; the asset protection controls; user awareness and training requirements; designations of who is responsible for hardware and software maintenance and installation; a clear reporting structure and report format; the access control policy; a description of the product or service being provided; requirements for reporting, notification, and investigation of security incidents; work performance criteria; acceptable and unacceptable levels of service; notification of the organization's right to audit; legal responsibilities of both parties; a plan for service continuity; an escalation process for problem resolution; liabilities of both parties; a designation of who owns intellectual property rights; a designation of who owns copyrights; disclosure of any involvement of the third party with subcontractors; and criteria for the renegotiation or termination of the agreement. [§ 6.2.3, ISO/IEC 27002 Code of practice for information security management, 2005]

The responsibilities and liabilities for outsourced vendors, including their subcontractors, should be formally defined by the service provider in a contractual agreement. Prior agreements should be established between the service provider and the organization, documented, and communicated to all relevant personnel. The agreement should include a list of who can activate or deactivate the subscribed services; how the organization and service provider will communicate notifications, confirmations, and the activation and deactivation of subscribed services; the conditions under which the subscribed services can be activated and deactivated; procedures for notifying both parties of key personnel changes or departures; and a list of personnel who are authorized to access the ICT disaster recovery facility after the plan has been activated. The agreements also should include the following notification procedures: initial notification procedures; confirmation by the service provider; notification to service provider staff to be on standby; notification to service provider external vendors or suppliers to be on standby; and consultation on the following courses of action: continuing to stand by, standing down, and activating the subscribed services. The conditions and procedures to invoke and deactivate disaster recovery services should be established between service providers and organizations. The service agreements that are made with the organization should include the following procedures for activating subscribed services: informing the management of the service provider when the disaster recovery plan is activated; collecting vital records from secure storage; activating the service provider's staff, external vendors, and/or suppliers that are directly involved in the subscribed services; preparing the subscribed services for handover to the organization's recovery staff; and handing over the subscribed services to the organization's recovery staff. 
These procedures should also include the required response times. Service providers and organizations should instruct staff on where they should go and what they should do when a plan is activated. Outsourced service providers should establish the conditions and procedures to invoke and deactivate subscribed services with each organization. Agreements should include procedures for handing over the facilities and equipment in an orderly manner when the services are deactivated. [§ 5.6.3, § 5.8.2, § 5.8.3, § 5.8.4, § 5.8.5, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should not disclose personal information to any third party, unless an agreement exists stating that the third party will protect the personal information from loss, misuse, disclosure, unauthorized access, destruction, and alteration. [ID 7.2.2, AICPA/CICA Privacy Framework]

The organization should ensure the confidentiality requirements of the third party are included in all service contracts. [¶ .29 § 3.2, AICPA Suitable Trust Services Principles and Criteria]

Dealings with other organizations should not be conducted in vague or unclear ways. Agreements between companies should be in writing whenever possible, and oral agreements should be avoided; it should be stated in writing that written agreements cannot be changed by oral statements; and the content of any oral or written contract should be legal. [Pg 21-I-8, Pg 21-I-9, Protection of Assets Manual, ASIS International]

The organization should formalize the supplier relationship management process for each supplier. The relationship owners must liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through service level agreements). [DS2.2, CobiT, Version 4.1]

Outsourcing contracts should require that good information practices are adhered to, information about security incidents will be provided to the organization, and the integrity, availability, and confidentiality of information will be maintained. [SM6.7.4, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

The organization should ensure that a consumer or business is fully informed before entering into an agreement. The agreement should state which services or products are being offered, the total price of the product or service, the payment terms, the third parties' commitments and obligations in continuing with the agreement, and how the service or product will be delivered. The following should also be included, if necessary: late payment penalties, product substitution policies, warranties and guarantees, organizational contact information, and return and cancellation policies and procedures. [§ I14.1, Canadian Marketing Association Code of Ethics and Standards of Practice]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of third-party relationships that have been reviewed for compliance with information security requirements. [UCF Control ID 02050]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.