Ensure procedures are in place to select suppliers based on their qualifications.

UCF ID: 00795
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]

There are no supporting controls.

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 4.2.3; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Third-Party Senders; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.D.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg A-2, Obj 3.1; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 5.1, Exam Tier II Obj J.2, Exam Tier II Obj J.9; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 10, Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.2; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(d)(1); VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 60; Protection of Assets Manual, ASIS International, Pg 11-II-5; CobiT, Version 4.1, AI5.3; The Standard of Good Practice for Information Security, SM6.7.5, CB6.1.3(g), CB6.1.3(i) thru CB6.1.3(k), CB6.1.4(d); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 6.2.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 6.2.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.42.a; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.6.5, § 7.4, § 7.9; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 302(a)(4)(B)(vi), § 401(c)(2), § 403(b)(3)(B)

Banking and Finance Guidance

The organization should have policies and procedures in place to perform due diligence on any third party. [Third-Party Senders, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

The organization should use due diligence when selecting a service provider. [App B § III.D.1, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

The organization should use due diligence in selecting third party providers. [Pg A-2, Obj 3.1, FFIEC IT Examination Handbook – E-Banking, August 2003]

[Exam Tier I Obj 5.1, Exam Tier II Obj J.2, Exam Tier II Obj J.9, FFIEC IT Examination Handbook – Information Security]

The organization should develop a Request for Proposal (RFP) to solicit responses from service providers. The RFP should describe the organization's objectives; the scope and nature of the work to be performed; expected levels of service; timelines for delivery of service; measurement requirements; control measures; and the organization's policies for security, continuity, and change control. The organization should analyze the RFP responses to ensure they meet the organization's needs. For service providers that meet the RFP requirements, the organization should confirm and assess corporate history; qualifications and backgrounds of principals; references; reputation; delivery capability; technology architectures; security history; legal and regulatory compliance; insurance coverage; and the ability to meet disaster recovery and business continuity requirements, and should review the service providers' financial statements. [Pg 10, Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.2, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The organization should select and retain service providers based on their capability to maintain safeguards for protecting customer information. [§ 314.4(d)(1), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

Payment Card Guidance

The contract between the organization and the service provider should specify Cardholder Information Security Program (CISP) compliance as a requirement for doing business together. [Pg 60, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]

US Federal Privacy Guidance

Measures appropriate for the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to ensure third parties or customers are not authorized to acquire or access sensitive personally identifiable information without the business entity performing sufficient due diligence to determine, with reasonable certainty, that the information will be used for a valid legal purpose. The Administrator of the General Services Administration, when awarding a contract to a data broker for services or products that are related to the use, access, processing, distribution, compilation, evaluation, or analyzation of personally identifiable information, must require the data broker that uses service providers that are not subject to Subtitle A of Title III of this Act for responsibilities that are related to sensitive personally identifiable information to exercise due diligence when selecting these service providers; to take reasonable steps for selecting and retaining service providers that are capable of maintaining safeguards for the privacy, security, and integrity of personally identifiable information; and to require by contract that service providers implement and maintain measures to meet the objectives and requirements of Title III of this Act. 
Notwithstanding other provisions of law, Federal agencies may not enter into a contract with a data broker in order to access any fee-based database that consists primarily of personally identifiable information about United States persons (other than telephone directories or news reports), unless the head of the agency or department includes in contracts that total more than $500,000 provisions that require the data broker that uses service providers not subject to Subtitle A of Title III of this Act for responsibilities that are related to sensitive personally identifiable information to exercise due diligence when selecting these service providers; to take reasonable steps for selecting and retaining service providers capable of maintaining safeguards for the privacy, security, and integrity of personally identifiable information; and to require service providers, by contract, to implement and maintain measures to meet the objectives and requirements of Title III of this Act. [§ 302(a)(4)(B)(vi), § 401(c)(2), § 403(b)(3)(B), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]

ISO Guidance

Prior to giving customers access to the organization's data, the following security items should be addressed: Asset protection; product and service descriptions; requirements and benefits of customer access; access control policy; reporting, notification, and investigation of incidents; acceptable and unacceptable levels of service; and legal responsibilities. [§ 6.2.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Prior to giving customers access to the organization's data, the following security items should be addressed: Asset protection; product and service descriptions; requirements and benefits of customer access; access control policy; reporting, notification, and investigation of incidents; acceptable and unacceptable levels of service; and legal responsibilities. [§ 6.2.2, ISO/IEC 27002 Code of practice for information security management, 2005]

Service providers should ensure that all parties involved in outsourcing arrangements have implemented the same level of logical, physical, and other security controls in order to restrict, limit, and protect access to the outsourced functions; this should cover all associated equipment, computer software and hardware, and facilities. The service providers should regularly audit the security controls implemented by the outsourced parties.

Outsourced service providers should maintain summary lists of their ICT disaster recovery project team expertise that they can provide to organizations. This summary should cover planning (the experience of the staff who conduct planning); operations (the experience of the staff who support recovery operations); track record (capacity and capability details, including the diversity and number of organizations supported in the past and present, the duration, costs, and resources deployed, and indicators of track record such as diversity and experience, types of services offered, and regional experience); and extent of involvement (summary descriptions of their involvement and expertise in project management; risk management; business recovery requirements determination; disaster recovery strategy formulation and selection; disaster recovery plan development; disaster recovery awareness and training; disaster recovery plan testing; actual recovery using disaster recovery plans; and disaster recovery plan maintenance).

A "system" should be developed to capture details of, and maintain a knowledge base of, past and present ICT disaster recovery projects and the organizations to which the services were provided. This "system" should include human resource backup and succession plans for key personnel; in-house knowledge sharing; and recovery effort information about past projects. The knowledge base should preferably be software based and fully automated.

A "system" should also be developed for managing directly involved staff members. It should include formal designations that identify the appointments, roles, accountability, responsibility, and authority of all operations staff directly involved in the recovery services; making operations staff aware of their designations and recovery tasks; backup and succession plans for key personnel; training backup personnel to be competent to fulfill the related roles if the main designated personnel are unavailable or unable to fulfill their roles; and pre-designating ICT disaster recovery coordinators to oversee and coordinate support for each organization. Each ICT disaster recovery coordinator should have the appropriate training, experience, and competency; should oversee and coordinate only one actual recovery at a time; and should have a competent deputy ICT disaster recovery coordinator. The service provider should give each organization a list of the key operations staff who will be involved in the recovery, with their designations, tasks, and qualifications. All staff directly involved in supporting the recovery should preferably be dedicated staff members employed specifically for ICT disaster recovery activities.

Outsourced service providers should be able to provide cold sites, warm sites, hot sites, and appropriately furnished physical work areas for recovery to organizations; should be able to support more than one organization simultaneously; and should be able to provide access to key information services/information feed providers and transactional services providers. [§ 5.6.5, § 7.4, § 7.9, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should perform due diligence before it establishes a relationship with a third-party data provider. [ID 4.2.3, AICPA/CICA Privacy Framework]

When the organization is using a lesser-known company for shipping, the organization should conduct a complete background investigation, including investigations of managers and their financial status. [Pg 11-II-5, Protection of Assets Manual, ASIS International]

The organization should select suppliers according to a fair and formal practice to ensure a viable best fit based on requirements that have been developed with input from the potential suppliers and agreed between the customer and the supplier(s). [AI5.3, CobiT, Version 4.1]

All outsourcing agreements should require that only authorized staff have access to assets; that personally identifiable information is protected; that quality and accuracy work standards are met; that assets are returned at the appropriate time; that legal and regulatory requirements are met; that the third party has a continuity plan; that the third party maintains an information security incident plan; that the organization has the right to revoke user access; that defined actions are taken in the event of a breach; and that documentation is maintained. [SM6.7.5, CB6.1.3(g), CB6.1.3(i) thru CB6.1.3(k), CB6.1.4(d), The Standard of Good Practice for Information Security]

EU Guidance

[§ II.42.a, OECD / World Bank Technology Risk Checklist, Version 7.3]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.