Third-Party Qualifications

Status: Live

The organization will maintain a policy, standard, and procedure to select suppliers according to a fair and formal practice to ensure a viable best fit based on requirements. [UCF ID 00795]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 4.2.3; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Third-Party Senders; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.D.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg A-2, Obj 3.1; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 5.1, Exam Tier II Obj J.2, Exam Tier II Obj J.9; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 10, Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.2; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(d)(1); VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 60; Protection of Assets Manual, ASIS International, Pg 11-II-5; CobiT 4.1, AI5.3; The Standard of Good Practice for Information Security, SM6.7.5, CB6.1.3(g), CB6.1.3(i) thru CB6.1.3(k), CB6.1.4(d); ISO 17799:2005 Code of Practice for Information Security Management, § 6.2.2; ISO/IEC 27002-2005 Code of practice for information security management, § 6.2.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.42.a; Archer Control Table, ATCS-386

Sarbanes Oxley Guidance

The organization should perform due diligence before it establishes a relationship with a third-party data provider. [ID 4.2.3, AICPA/CICA Privacy Framework]

Banking and Finance Guidance

The organization should have policies and procedures in place to perform due diligence on any third party. [Third-Party Senders, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

The organization should use due diligence when selecting a service provider. [App B § III.D.1, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

The organization should use due diligence in selecting third party providers. [Pg A-2, Obj 3.1, FFIEC IT Examination Handbook – E-Banking, August 2003]

[Exam Tier I Obj 5.1, Exam Tier II Obj J.2, Exam Tier II Obj J.9, FFIEC IT Examination Handbook – Information Security]

The organization should develop a Request for Proposal (RFP) to solicit responses from service providers. The RFP should describe the organization's objectives; the scope and nature of the work to be performed; expected levels of service; timelines for delivery of service; measurement requirements; control measures; and the organization's policies for security, continuity, and change control. The organization should analyze the RFP responses to ensure they meet the organization's needs. For service providers meeting the RFP requirements, the following should be confirmed and assessed: corporate history; qualifications and backgrounds of principals; references; reputation; delivery capability; technology architectures; security history; legal and regulatory compliance; insurance coverage; and the ability to meet disaster recovery and business continuity requirements. The service providers' financial statements should also be reviewed. [Pg 10, Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.2, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The organization should select and retain service providers based on their capability to maintain safeguards for protecting customer information. [§ 314.4(d)(1), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

Payment Card Guidance

The contract between the organization and the service provider should specify Cardholder Information Security Program (CISP) compliance as a requirement for doing business together. [Pg 60, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]

US Federal Security Guidance

When the organization is using a lesser-known company for shipping, the organization should conduct a complete background investigation, including investigations of managers and their financial status. [Pg 11-II-5, Protection of Assets Manual, ASIS International]

ISO Guidance

Prior to giving customers access to the organization's data, the following security items should be addressed: Asset protection; product and service descriptions; requirements and benefits of customer access; access control policy; reporting, notification, and investigation of incidents; acceptable and unacceptable levels of service; and legal responsibilities. [§ 6.2.2, ISO 17799:2005 Code of Practice for Information Security Management]

Prior to giving customers access to the organization's data, the following security items should be addressed: Asset protection; product and service descriptions; requirements and benefits of customer access; access control policy; reporting, notification, and investigation of incidents; acceptable and unacceptable levels of service; and legal responsibilities. [§ 6.2.2, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

The organization should select suppliers according to a fair and formal practice to ensure a viable best fit based on requirements that have been developed with input from the potential suppliers and agreed between the customer and the supplier(s). [AI5.3, CobiT 4.1]

All outsource agreements should require that only authorized staff have access to assets; that personally identifiable information is protected; that quality and accuracy work standards are met; that assets are returned at the appropriate time; that legal and regulatory requirements are met; that the third party maintains a continuity plan and an information security incident plan; that the organization has the right to revoke user access; that defined actions are taken in the event of a breach; and that documentation is maintained. [SM6.7.5, CB6.1.3(g), CB6.1.3(i) thru CB6.1.3(k), CB6.1.4(d), The Standard of Good Practice for Information Security]

EU Guidance

[§ II.42.a, OECD / World Bank Technology Risk Checklist, Version 7.3]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.